Patch for Suexec for Virtual Hosts to use PHP with FastCGI

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,
 
I am new to this list, but I thought I might contribute a patch implementation I've come up with and ask the other developers on the list to help me scrutinize its security implications.  I've posted this same message to fastcgi-developers list at fastcgi.org to look for feedback from them as well.
 
I've been working with Apache2, SuExec, PHP5, and FastCGI recently and ran across the seemingly-common problem of allowing Virtual Hosts to share a PHP (cgi-fcgi) binary that is SuExec'd to their User/Group.  I read everything I could find on the net about this subject, and the fastcgi.com archives were very helpful, but I was not happy or successful with some of the solutions presented.  I thought I would end up having to copying the php binary for every Virtual Host that existed and chown them to each user/group so that Suexec would work properly and I could stop getting permission errors.  Then I realized how it would be a nightmare to automate this process of copying and owning the php binary to the right user/group every time a Virtual Host was created (and I'm not that great at shell scripting).  If I wanted to recompile php, I would have to update all of the instances of php that now existed (which seemed to be getting too complex). So I finally gave in and decided to modify suexec.c, despite the warnings from apache.org not to do so because much thought had already been put into the conditions for suexec to work securely.  However, the fact that I wanted the php binary to be shared is a special case from all other cgi scripts, since its user/group must be different from the target user/group of the Virtual Host.  So this is what I've come up with and it seems to fit my needs, so I thought it could help others in the same situation.
 
I've created a new user/group named "php-cgi-shared", which took on a UID and GID above 500.  My virtual hosts all reside in /home/<username>/ so in my Apache2 configuration I set '--with-suexec-docroot' to "/home" to encompass all virtual hosts and their cgi-bin directories (this made sense to me, but maybe I don't fully understand how the suexec docroot and userdir settings work).  Then I created /home/fcgi-bin/ where I would later copy /usr/bin/php (built as cgi-fcgi) to and chown the fcgi-bin directory and the php-fcgi binary to the user and group of "php-cgi-shared".  I've read some 3rd-party changes and patches to suexec.c that chose to completely ignore the check for the SuexecUserGroup UID and GID to match the UID and GID of the CGI file and its containing folder. However, I thought this was a too lenient and allows security holes, so I left that code as it is but added a custom hack of my own.  I've hard-coded the custom user/group of "php-cgi-shared" into the suexec.h header file, and within the code checked to see if this was a valid user/group on the system and obtained its UID and GID.  If the UID/GID of the target program and folder do not match the SuexecUserGroup (as done in the original code), then I additionally check if they match my "safe" UID/GID obtained from the "php-cgi-shared" user/group.  If a match occurs, then I allow the suexec program to proceed and not exit with an error.  So then when FastCGI passes the SuexecUserGroup from a Virtual Host to the Suexec wrapper, it will spawn a dynamic instance of the php-fcgi binary running as the user/group of the virtual host.  Likewise, I run a static instance of this php-fcgi using FastCgiServer with the -user and -group set to "php-cgi-shared", and not "apache/www/nobody" because those users are below the UID/GID of 500 that I've set as a minimum when building Apache/Suexec.  My assumption is that this fcgi-bin directory and php-fcgi program are the only two files that are owned by "php-cgi-shared", as set by root, and no other cgi's will ever take on this special privilege that suexec now allows.  This seems to be a valid solution, unless I don't fully understand how all of the components work together correctly and securely.  Please tell me otherwise if I am wrong.  All I know is that this setup is now working the way I want after many days of frustration, it keeps things secure as far as I can tell, and requires little to no extra maintenance in the future.
 
My httpd.conf file has the following directives that apply to PHP/FastCGI/Suexec (I built Apache2 using its default directory/file layout):
 
User apache
Group apache
...
LoadModule fastcgi_module modules/mod_fastcgi.so
AddType application/x-httpd-php .php
<IfModule mod_fastcgi.c>
   Alias /fcgi-bin/ /home/fcgi-bin/
   FastCgiIpcDir /usr/local/apache2/logs/fastcgi
   FastCgiWrapper /usr/local/apache2/bin/suexec
   FastCgiServer /home/fcgi-bin/php-fcgi -user php-cgi-shared -group php-cgi-shared
   <Directory /home/fcgi-bin/>
      SetHandler fastcgi-script
      Options +ExecCGI
   </Directory>
   AddHandler php-fastcgi .php
   Action php-fastcgi /fcgi-bin/php-fcgi
</IfModule>
 
Please respond with your comments on my method, and if it's generally correct and others are interested in using it, I can post my changes to suexec.c.
 
Thanks,
Jason Kovacs

[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux