In this article we configured apache2 with PHP as a suExec CGI module. The configuration is a little more complicated than regular mod_php, but it offers a definite advantage: PHP runs with the script owner's privileges.
However, there could be situations where this creates additional problems.
Let me explain what I mean by that.
ClipShare is a very well known and widely used video clip sharing portal: a YouTube clone, so to speak.
For video upload it uses the GPL Uber Uploader subsystem, which is CGI based.
The problem is that the ubr_upload.pl CGI script runs under the ClipShare “base dir”, and as such suExec considers it invalid and it is effectively disabled.
Since ClipShare only allows the upload CGI URL to be configured relative to its own document root, fixing the problem requires changing the Apache virtual host configuration.
Here is our original virtual host configuration.
```apache
<VirtualHost xx.xx.xx.xx:80>
    ServerName web1.com
    ServerAlias www.web1.com
    DocumentRoot /home/web1/public_html
    ErrorLog /home/web1/logs/error_log
    CustomLog /home/web1/logs/access_log combined
    ScriptAlias /cgi-bin/ /home/web1/cgi-bin/
    DirectoryIndex index.html index.htm index.php index.php4 index.php5
    <IfModule mod_fcgid.c>
        Alias /fcgi-bin/ /var/www/cgi-bin/
        <Location /fcgi-bin/>
            SetHandler fcgid-script
            Options +ExecCGI
        </Location>
        SuexecUserGroup "#503" "#503"
        <Directory /home/web1/public_html>
            Options -Indexes IncludesNOEXEC FollowSymLinks +ExecCGI
            AddHandler php-fcgi .php
            Action php-fcgi /fcgi-bin/web1/php-web1
            FCGIWrapper /var/www/cgi-bin/web1/php-web1 .php
            allow from all
            AllowOverride All
        </Directory>
    </IfModule>
    <Directory /home/web1/cgi-bin>
        Options ExecCGI
        Allow from all
    </Directory>
</VirtualHost>
```
And here is the modified version, which works for regular (non-Fast) CGI scripts with suExec.
```apache
<VirtualHost xx.xx.xx.xx:80>
    ServerName web1.com
    ServerAlias www.web1.com
    DocumentRoot /home/web1/public_html
    ErrorLog /home/web1/logs/error_log
    CustomLog /home/web1/logs/access_log combined
    # Changed: CGI scripts now live in the user-owned directory under /var/www/cgi-bin.
    # The trailing slash must match the one on the /cgi-bin/ URL prefix.
    ScriptAlias /cgi-bin/ /var/www/cgi-bin/web1/
    DirectoryIndex index.html index.htm index.php index.php4 index.php5
    <IfModule mod_fcgid.c>
        Alias /fcgi-bin/ /var/www/cgi-bin/
        <Location /fcgi-bin/>
            SetHandler fcgid-script
            Options +ExecCGI
        </Location>
        SuexecUserGroup "#503" "#503"
        <Directory /home/web1/public_html>
            Options -Indexes IncludesNOEXEC FollowSymLinks +ExecCGI
            AddHandler php-fcgi .php
            Action php-fcgi /fcgi-bin/web1/php-web1
            FCGIWrapper /var/www/cgi-bin/web1/php-web1 .php
            allow from all
            AllowOverride All
        </Directory>
    </IfModule>
    <Directory /home/web1/cgi-bin>
        Options ExecCGI
        Allow from all
    </Directory>
</VirtualHost>
```
That’s right – we are changing ScriptAlias to the user owned subdir under /var/www/cgi-bin to please suExec.
Now all we have to do is create a symlink to it from the user's home directory and move our CGI scripts there.
```
# cd /home/web1
# mv cgi-bin cgi-old
# ln -s /var/www/cgi-bin/web1 ./cgi-bin
# cp -pr cgi-old/* cgi-bin/
```
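The move above is about satisfying suEXEC's checks on where a CGI program lives and who owns it. The script below is an added example, not part of the original article: it tests a script against a subset of those checks (directory under the docroot, ownership, group/other write bits, setuid/setgid, program not a symlink). `suexec_precheck` is a hypothetical helper, it assumes GNU `stat`, and the docroot argument is whatever your suexec binary was built with (`/var/www` is assumed for this page's layout).

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight a CGI script against
# a subset of the checks suEXEC applies before it will execute a program.
# suexec_precheck is a hypothetical helper; it assumes GNU stat (stat -c).
# Usage: suexec_precheck DOCROOT SCRIPT UID GID
# The body runs in a subshell, so "exit" only sets the function's status:
#   0 ok, 2 missing/symlink, 3 bad path, 4 outside docroot,
#   5 owner mismatch, 6 group/other-writable, 7 setuid/setgid
suexec_precheck() (
    docroot=$1 script=$2 uid=$3 gid=$4

    # The program must exist and must not itself be a symlink. A symlinked
    # parent directory (~/cgi-bin -> /var/www/cgi-bin/web1) is fine, because
    # the directory is resolved before it is compared with the docroot.
    if [ ! -f "$script" ] || [ -L "$script" ]; then
        echo "missing or symlink: $script"; exit 2
    fi
    docroot=$(cd -- "$docroot" 2>/dev/null && pwd -P) || exit 3
    dir=$(cd -- "$(dirname -- "$script")" 2>/dev/null && pwd -P) || exit 3
    prog=$dir/$(basename -- "$script")

    # Resolved directory must be the docroot or lie beneath it.
    case "$dir/" in
        "$docroot"/*) ;;
        *) echo "outside docroot $docroot: $dir"; exit 4 ;;
    esac

    for path in "$dir" "$prog"; do
        # Directory and program must both belong to the SuexecUserGroup uid:gid.
        if [ "$(stat -c '%u:%g' -- "$path")" != "$uid:$gid" ]; then
            echo "owner is not $uid:$gid: $path"; exit 5
        fi
        # Neither may be writable by group or other.
        mode=$(stat -c '%a' -- "$path")
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "group/other-writable ($mode): $path"; exit 6
        fi
    done

    # The program must not be setuid or setgid.
    if [ $(( 0$(stat -c '%a' -- "$prog") & 06000 )) -ne 0 ]; then
        echo "setuid/setgid bit set: $prog"; exit 7
    fi
    echo "ok: $prog"
)
```

For the layout above, run it as root after the copy, for example `suexec_precheck /var/www /home/web1/cgi-bin/ubr_upload.pl 503 503`; a non-zero status names the first check that would make suEXEC refuse the script.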
To make Virtualmin work with this change we will need to modify the Virtualmin Apache virtual host template and the post-creation shell script accordingly.
Virtualmin:
```apache
ServerName ${DOM}
ServerAlias *.${DOM}
DocumentRoot ${HOME}/public_html
ErrorLog ${HOME}/logs/error_log
CustomLog ${HOME}/logs/access_log combined
ScriptAlias /cgi-bin/ /var/www/cgi-bin/${USER}/
<IfModule mod_fcgid.c>
    Alias /fcgi-bin/ /var/www/cgi-bin/
    <Location /fcgi-bin/>
        SetHandler fcgid-script
        Options +ExecCGI
    </Location>
    DirectoryIndex index.html index.htm index.php index.php4 index.php5
    SuexecUserGroup "#${UID}" "#${GID}"
    <Directory ${HOME}/public_html>
        Options +ExecCGI -Indexes IncludesNOEXEC FollowSymLinks
        AllowOverride All
        AddHandler php-fcgi .php
        Action php-fcgi /fcgi-bin/${USER}/php-${USER}
        Order allow,deny
        Allow from all
    </Directory>
</IfModule>
<Directory ${HOME}/cgi-bin>
    Options ExecCGI
    Allow from all
</Directory>
```
post-creation shell script:
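```bash
#!/bin/bash
# Virtualmin post-creation script: creates the per-user CGI directory under
# /var/www/cgi-bin and the php-fcgi wrapper for the new virtual host.
cgi_path="/var/www/cgi-bin"

# creating php-fcgi wrapper for apache vhosts
if [ "$VIRTUALSERVER_ACTION" = "CREATE_DOMAIN" ]; then
    if [ ! -d "${cgi_path}/${VIRTUALSERVER_USER}" ]; then
        mkdir "${cgi_path}/${VIRTUALSERVER_USER}"
    fi
    # Stop if cd fails, so the recursive chown below never runs in another directory
    cd "${cgi_path}/${VIRTUALSERVER_USER}" || exit 1
    # Unquoted heredoc: ${VIRTUALSERVER_HOME} is expanded now, when the wrapper is written
    cat > "php-${VIRTUALSERVER_USER}" <<EOP
#!/bin/sh
export PHPRC=${VIRTUALSERVER_HOME}
export PHP_FCGI_MAX_REQUESTS=5000
export PHP_FCGI_CHILDREN=0
exec /usr/bin/php-cgi
EOP
    chmod 755 "php-${VIRTUALSERVER_USER}"
    chown -R "${VIRTUALSERVER_USER}:${VIRTUALSERVER_GROUP}" .
    cp /etc/php.ini "${VIRTUALSERVER_HOME}/"
    chown -R "${VIRTUALSERVER_USER}:${VIRTUALSERVER_GROUP}" "${VIRTUALSERVER_HOME}"
    # :? aborts instead of expanding to /cgi-bin when the variable is empty
    rm -rf "${VIRTUALSERVER_HOME:?}/cgi-bin"
    # Replace the home cgi-bin with a symlink to the suExec-visible directory
    ln -s "${cgi_path}/${VIRTUALSERVER_USER}" "${VIRTUALSERVER_HOME}/cgi-bin"
else
    exit 0
fi
```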