Apache2 SuPHP
Installing Apache2 with PHP5 (suphp)
Tested on: Debian GNU/Linux
This is an Apache2 installation in which php runs as a separate CGI process (the fcgi subsystem), so that php scripts run with separate user privileges. Each php process is started under the user ID that owns it. This makes PHP scripts safer to use across different systems: PHP scripts cannot reach files or resources that do not belong to them or that are not in the same user group, so they do not affect the overall vulnerability of the system, and so on.
Installation on Debian GNU/Linux
    apt-get install apache2 apache2-data apache2-utils ssl-cert apache2-bin libapache2-mod-suphp libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap liblua5.1-0 libonig2 libperl4-corelibs-perl lsof php5-cgi php5-cli php5-common php5-json php5-readline suphp-common libexpat1 php5-gd php5-mysql php5-imap php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick php5-curl php5-intl php5-ming php5-ps php5-pspell php5-recode php5-sqlite php5-tidy php5-xmlrpc php5-xsl
Installation on a system that does not support suphp, with a newer Apache
    # Build dependencies
    apt-get install apache2-dev build-essential autoconf automake libtool flex bison debhelper binutils
    # Fetch the suPHP 0.7.2 source and the patch, then apply the patch
    cd /usr/local/src
    wget http://suphp.org/download/suphp-0.7.2.tar.gz
    tar zxvf suphp-0.7.2.tar.gz
    wget -O suphp.patch https://lists.marsching.com/pipermail/suphp/attachments/20130520/74f3ac02/attachment.patch
    patch -Np1 -d suphp-0.7.2 < suphp.patch
    # Configure in "owner" mode (scripts run as the file owner), build and install
    cd suphp-0.7.2
    autoreconf -if
    ./configure --prefix=/usr/ --sysconfdir=/etc/suphp/ --with-apr=/usr/bin/apr-1-config --with-apache-user=www-data --with-setid-mode=owner --with-logfile=/var/log/suphp/suphp.log
    make
    make install
    # Log and config directories, and the Apache module load file
    mkdir -p /var/log/suphp
    mkdir -p /etc/suphp
    echo "LoadModule suphp_module /usr/lib/apache2/modules/mod_suphp.so" > /etc/apache2/mods-available/suphp.load
Preparation
Enable the modules:
    a2enmod suexec rewrite ssl actions include suphp
Changes in the /etc/apache2/mods-available/suphp.conf file, for example:
    <IfModule mod_suphp.c>
        #<FilesMatch "\.ph(p3?|tml)$">
        #    SetHandler application/x-httpd-suphp
        #</FilesMatch>
        AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
        suPHP_AddHandler application/x-httpd-suphp

        <Directory />
            suPHP_Engine on
        </Directory>

        # By default, disable suPHP for debian packaged web applications as files
        # are owned by root and cannot be executed by suPHP because of min_uid.
        <Directory /usr/share>
            suPHP_Engine off
        </Directory>

    # # Use a specific php config file (a dir which contains a php.ini file)
    # suPHP_ConfigPath /etc/php5/cgi/suphp/
    # # Tells mod_suphp NOT to handle requests with the type .
    # suPHP_RemoveHandler
    </IfModule>
Changes in /etc/passwd (we change id 33 to 3333); the result should look roughly like this:
    # cat /etc/passwd|grep www-data
    www-data:x:3333:3333:www-data:/var/www:/usr/sbin/nologin
Changes in /etc/group (we change id 33 to 3333); the result should look roughly like this:
    # cat /etc/group|grep www-data
    www-data:x:3333:
Change the ownership of /var/www/html:
    chown -R www-data:www-data /var/www/html
We also change /etc/suphp/suphp.conf (min_uid, min_gid), for example:
    [global]
    ;Path to logfile
    logfile=/var/log/suphp/suphp.log
    ;Loglevel
    loglevel=info
    ;User Apache is running as
    webserver_user=www-data
    ;Path all scripts have to be in
    docroot=/var/www:${HOME}/public_html
    ;Path to chroot() to before executing script
    ;chroot=/mychroot
    ; Security options
    allow_file_group_writeable=false
    allow_file_others_writeable=false
    allow_directory_group_writeable=false
    allow_directory_others_writeable=false
    ;Check whether script is within DOCUMENT_ROOT
    check_vhost_docroot=true
    ;Send minor error messages to browser
    errors_to_browser=false
    ;PATH environment variable
    env_path="/bin:/usr/bin"
    ;Umask to set, specify in octal notation
    umask=0077
    ; Minimum UID
    min_uid=1000
    ; Minimum GID
    min_gid=1000

    [handlers]
    ;Handler for php-scripts
    application/x-httpd-suphp="php:/usr/bin/php-cgi"
    ;Handler for CGI-scripts
    x-suphp-cgi="execute:!self"
Finally, start Apache2:
    systemctl start apache2
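An added example, not part of the original page or of suPHP's own code: a Python check that reads the min_uid, min_gid and allow_* settings from suphp.conf and reports scripts whose owner or mode bits fall outside them. With min_uid=1000, a script owned by the original www-data id 33 is below the limit, while id 3333 passes. The function names and the embedded config excerpt are constructed for illustration, and as a simplification only the script's own directory is checked.

```python
import configparser, os, stat
# Constructed excerpt: the security-relevant [global] lines of the suphp.conf above.
SAMPLE_CONF = """
[global]
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false
; Minimum UID and GID
min_uid=1000
min_gid=1000
"""

def load_policy(text):
    """Parse suphp.conf text (INI syntax, ';' comments) into a policy dict."""
    cp = configparser.ConfigParser(interpolation=None)  # keep ${HOME} literal
    cp.read_string(text)
    policy = {k: cp.getint("global", k) for k in ("min_uid", "min_gid")}
    for kind in ("file", "directory"):
        for who in ("group", "others"):
            key = "allow_%s_%s_writeable" % (kind, who)
            policy[key] = cp.getboolean("global", key)
    return policy

def violations(policy, uid, gid, file_mode, dir_mode):
    """List the reasons a script with this owner and these modes is outside policy."""
    out = ["%s %d < min_%s" % (n, v, n) for n, v in (("uid", uid), ("gid", gid))
           if v < policy["min_" + n]]
    for kind, mode in (("file", file_mode), ("directory", dir_mode)):
        if mode & stat.S_IWGRP and not policy["allow_%s_group_writeable" % kind]:
            out.append(kind + " is group-writable")
        if mode & stat.S_IWOTH and not policy["allow_%s_others_writeable" % kind]:
            out.append(kind + " is writable by others")
    return out

def audit_tree(policy, root):
    """Map each *.php file under root to its violations (clean files are omitted)."""
    report = {}
    for dirpath, _, names in os.walk(root):
        dir_mode = os.stat(dirpath).st_mode  # simplification: script's own directory only
        for path in (os.path.join(dirpath, n) for n in names if n.endswith(".php")):
            st = os.stat(path)
            found = violations(policy, st.st_uid, st.st_gid, st.st_mode, dir_mode)
            if found:
                report[path] = found
    return report

if __name__ == "__main__":
    print(audit_tree(load_policy(SAMPLE_CONF), "/var/www/html"))
```

To audit a live system, pass the contents of /etc/suphp/suphp.conf to load_policy instead of the embedded excerpt.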