Opened 18 years ago

Last modified 6 years ago

#10511 new enhancement

RFE: Apache2 - patches for adding suexec support

Reported by: tonytung@… Owned by: ryandesign (Ryan Carsten Schmidt)
Priority: Low Milestone:
Component: ports Version:
Keywords: haspatch Cc: ddebernardy@…, Schamschula (Marius Schamschula), pixilla (Bradley Giesbrecht)
Port: apache2

Description

(obvious...)

Attachments (2)

apache2.patch (485 bytes) - added by tonytung@… 18 years ago.
proposed patch
apache2.2.patch (798 bytes) - added by tonytung@… 18 years ago.
updated patch


Change History (19)

Changed 18 years ago by tonytung@…

Attachment: apache2.patch added

proposed patch

Changed 18 years ago by tonytung@…

Attachment: apache2.2.patch added

updated patch

comment:1 Changed 18 years ago by markd@…

Summary: changed from suexec not built with apache2 port to RFE: Apache2 - patches for adding suexec support

comment:2 Changed 17 years ago by pipping@…

Milestone: Port Updates

comment:3 Changed 17 years ago by nox@…

Milestone: changed from Port Updates to Port Enhancements
Priority: changed from Nice to have to Low
Version: 1.2

comment:4 Changed 16 years ago by ryandesign (Ryan Carsten Schmidt)

Owner: changed from macports-tickets@… to imajes@…

Assign to maintainer.

comment:5 Changed 15 years ago by (none)

Milestone: Port Enhancements

Milestone Port Enhancements deleted

comment:6 Changed 15 years ago by jmroot (Joshua Root)

Keywords: haspatch added
Port: apache2 added

comment:7 Changed 14 years ago by ddebernardy@…

patch fails when applied as is:

user mismatch (_www instead of www)

I think the --with-suexec-userdir is set incorrectly. Or then all of the sites need to be placed in a specific folder, or something... still testing...

comment:8 Changed 14 years ago by ddebernardy@…

Cc: ddebernardy@… added

Cc Me!

comment:9 Changed 14 years ago by ddebernardy@…

Oddly:

DB:/opt/local/apache2/logs $ id www
uid=70(_www) gid=70(_www) groups=70(_www)
DB:/opt/local/apache2/logs $ id _www
uid=70(_www) gid=70(_www) groups=70(_www)

comment:10 Changed 14 years ago by ddebernardy@…

That's on MacOS 10.4, btw:

  • apache2 @2.2.14_0+darwin+darwin_9+preforkmpm+suexec
  • mod_fcgid @2.2_0
  • php5 @5.3.1_1+apache2+fastcgi+macosx

comment:11 Changed 14 years ago by ddebernardy@…

Following up a bit:

  1. user mismatch (_www instead of www)

gets fixed by:

--with-suexec-caller=_www

  2. cannot run as forbidden gid (20/php-cgi)

gets fixed by:

--with-suexec-gidmin=20

or a big fat sudo chgrp -R, I would assume.

It's stuff that would need to be documented in the installer.

comment:12 Changed 14 years ago by ddebernardy@…

Last error to show up is:

  1. command not in docroot (/opt/local/bin/php-cgi)

This one is a bit trickier. Basically, the security model needs to be respected, i.e. users' files need to be in the doc root, i.e. htdocs. So... some server reconfig is in order, but I think it should work from there.

comment:13 Changed 14 years ago by ddebernardy@…

So... following up on this, and documenting it a bit, in case it helps.

Required active modules for Apache2 + PHP5 using fastcgi + suExec:

php5 @5.3.1_1+apache2+fastcgi+macosx
mod_fcgid @2.2_0
apache2 @2.2.14_0+darwin+darwin_9+preforkmpm+suexec

To build apache2 +suexec, I had to add the following to /opt/local/var/macports/sources/rsync.macports.org/release/ports/www/apache2/Portfile:

variant suexec {
        # Build the setuid suexec helper and fix its policy at configure time:
        # which account may call it, the lowest uid/gid it will switch to, and
        # the docroot/userdir tree that wrapper scripts must live under.
        # The safepath originally read ${prefix}/local/bin (which expands to
        # /opt/local/local/bin and does not exist); it is ${prefix}/bin here.
        configure.args-append "--enable-suexec --with-suexec "\
                              "--with-suexec-logfile=${prefix}/apache2/logs/suexec.log "\
                              "--with-suexec-safepath=${prefix}/bin:/usr/local/bin:/usr/bin:/bin "\
                              "--with-suexec-uidmin=500 "\
                              "--with-suexec-gidmin=20 "\
                              "--with-suexec-caller=_www "\
                              "--with-suexec-docroot=/Users "\
                              "--with-suexec-userdir=Sites "
}

This was on MacOS 10.4. The gid and user might need to be different under 10.5...

  • gid =20 corresponds to the staff group.
  • _www is the apache user (as returned by id 70)
  • all users need a corresponding folder in the docroot folder, so docroot=/Users
  • all users sites' files should be in their respective userdir, so userdir=Sites

Configuring it as above allows to keep the default settings from mod_userdir, which scans for /Users/*/Sites. There might be a better way, though. (The DocumentRoot directive in httpd.conf can be left untouched.)

Individual users then need a few lines in httpd.conf, as so:

# Per-user site settings; replace "denis" with the account that owns the site
<Directory /Users/denis/Sites>
    # Hand .php files to mod_fcgid, which runs the wrapper below through suexec
    AddHandler fcgid-script .php
    FCGIWrapper /Users/denis/Sites/cgi-bin/php-cgi .php
    AllowOverride All
    Options +ExecCGI +Indexes
</Directory>

The username obviously needs to be changed, and I'm guessing that something better could be added as a generic rule for all sites. The php-cgi file above is in fact a wrapper for the /opt/local/bin/php-cgi file that was installed by php5 +fastcgi:

#!/bin/sh
# Wrapper for PHP-fcgi
# This wrapper can be used to define settings before launching the PHP-fcgi binary.

# Define the path to php.ini. This defaults to /etc/phpX/cgi.
export PHPRC=/opt/local/etc/php5

# Define the number of PHP child processes that will be launched.
# This is low to control memory usage on a server that might launch
# these processes for lots of domains.
# Leave undefined to let PHP decide.
export PHP_FCGI_CHILDREN=1

# Maximum requests before a process is stopped and a new one is launched
export PHP_FCGI_MAX_REQUESTS=5000

# Launch the PHP CGI binary
# This can be any other version of PHP which is compiled with FCGI support.
exec /opt/local/bin/php-cgi

The cgi file needed chown denis:staff, and chmod ugo+x.

I hope this helps...

@ jmr: I'm CC'ed on the ticket, in case you need someone to test a final patch to make this work automatically.

comment:14 Changed 14 years ago by ro@…

Yeah, thanks, that helped. Especially since this is the best document google is giving... (At least I had an overview that kept me from running away screaming. New MacOS user here, so with the addition of a.o. learning the general workings of a.o. MacPorts details, 'adding users and groups', launchd, etc... installing suExec wasn't a piece of cake.)

There's one thing, though. (Except that:

  • you also need a SuExecUserGroup directive in httpd.conf
  • MacPorts' mod_fcgid is still on 'old naming'; my config files I ported, said FcgidWrapper - where it should say FCGIWrapper. This will probably be replaced again by FcgidWrapper soonish, when MacPorts packages a newer mod_fcgid version)

The thing: apache's suexec_log kept giving me "failed to setgid (NNN: php-wrapper-scriptname)". In the end, I found that it's the symlink from /opt/local/apache2/bin/suexec to /opt/local/var/macports/software/apache2/2.2.16_0+preforkmpm+suexec/opt/local/apache2/bin/suexec, which makes things break down. I have to remove the symlink and copy the actual suexec file to /opt/local/apache2/bin/suexec.

(I'm on 10.6.)
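
A preflight script, added here and not from the ticket or the MacPorts port, that applies the suexec rules this thread keeps running into (caller account, uid/gid minimums, docroot/userdir placement, wrapper ownership and permissions, and comment 14's symlinked binary) to a given wrapper before Apache does. Its defaults mirror the comment 13 Portfile variant; the user name, httpd.conf path and wrapper path are arguments you supply, and the demo tree it builds is constructed, not a real install.

```shell
#!/bin/sh
# Added example, not from the ticket: replay suexec's policy checks from the shell
# so the failures in comments 7, 11, 12 and 14 surface here instead of in suexec.log.
SUEXEC_DOCROOT=${SUEXEC_DOCROOT:-/Users}
SUEXEC_USERDIR=${SUEXEC_USERDIR:-Sites}
SUEXEC_UIDMIN=${SUEXEC_UIDMIN:-500}
SUEXEC_GIDMIN=${SUEXEC_GIDMIN:-20}
# Print "uid gid permission-bits" for a path (BSD/macOS stat or GNU stat).
file_meta() {
    case $(uname -s) in
        Darwin) stat -f '%u %g %Lp' "$1" ;;
        *)      stat -c '%u %g %a' "$1" ;;
    esac
}
# check_caller HTTPD_CONF CALLER: Apache "User" must equal --with-suexec-caller, else "user mismatch" (comment 7).
check_caller() {
    u=$(awk '$1 == "User" { u = $2 } END { print u }' "$1")
    [ "$u" = "$2" ] || { echo "user mismatch ($u instead of $2)"; return 1; }
}
# check_suexec_binary PATH: needs a real setuid-root file, not the symlink comment 14 hit ("failed to setgid").
check_suexec_binary() {
    rc=0
    [ -L "$1" ] && { echo "$1 is a symlink; copy the real binary here"; rc=1; }
    [ -u "$1" ] && [ "$(file_meta "$1" | cut -d' ' -f1)" = 0 ] || { echo "$1 is not setuid root"; rc=1; }
    return $rc
}
# check_wrapper USER WRAPPER: suexec's rules (wording close to its log messages) for the
# FCGIWrapper target under ~USER/Sites; returns 0 only when every check passes.
check_wrapper() {
    user=$1 wrapper=$2 rc=0
    case $wrapper in "$SUEXEC_DOCROOT/$user/$SUEXEC_USERDIR"/*) ;;
        *) echo "command not in docroot ($wrapper)"; rc=1 ;; esac
    [ -f "$wrapper" ] || { echo "cannot stat program ($wrapper)"; return 1; }
    set -- $(file_meta "$wrapper") $(id -u "$user" 2>/dev/null) $(id -g "$user" 2>/dev/null)
    [ $# -eq 5 ] || { echo "invalid target user name ($user)"; return 1; }
    [ "$4" -ge "$SUEXEC_UIDMIN" ] || { echo "cannot run as forbidden uid ($4/$wrapper)"; rc=1; }
    [ "$5" -ge "$SUEXEC_GIDMIN" ] || { echo "cannot run as forbidden gid ($5/$wrapper)"; rc=1; }
    [ "$1" = "$4" ] && [ "$2" = "$5" ] || { echo "target uid/gid ($4/$5) mismatch with program ($1/$2)"; rc=1; }
    case $3 in *[2367]) echo "file is writable by others ($wrapper)"; rc=1 ;; esac
    [ -x "$wrapper" ] || { echo "file has no execute permission ($wrapper)"; rc=1; }
    return $rc
}
# Demo on a constructed throwaway tree standing in for /Users, with the wrapper left world-writable.
demo() {
    SUEXEC_DOCROOT=$(mktemp -d) SUEXEC_UIDMIN=$(id -u) SUEXEC_GIDMIN=$(id -g)
    w=$SUEXEC_DOCROOT/$(id -un)/Sites/cgi-bin/php-cgi
    mkdir -p "${w%/*}" && printf '#!/bin/sh\nexec /opt/local/bin/php-cgi\n' > "$w" && chmod 757 "$w"
    check_wrapper "$(id -un)" "$w" || echo "fix: chmod 755 $w"; rm -rf "$SUEXEC_DOCROOT"
}
demo
```

On the comment 13 layout you would run check_caller /opt/local/apache2/conf/httpd.conf _www (assuming httpd.conf lives under /opt/local/apache2/conf), check_suexec_binary /opt/local/apache2/bin/suexec and check_wrapper denis /Users/denis/Sites/cgi-bin/php-cgi.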

comment:15 Changed 14 years ago by ryandesign (Ryan Carsten Schmidt)

Owner: changed from imajes@… to macports-tickets@…

James Cox (imajes) retires as MacPorts maintainer (see macports-mgr archives)

comment:16 Changed 10 years ago by jmroot (Joshua Root)

Owner: changed from macports-tickets@… to ryandesign@…

comment:17 Changed 6 years ago by jmroot (Joshua Root)

Cc: Schamschula pixilla added