Apache Mod Fastcgi PHP
A default Apache setup running everything under one UID/GID isn't very secure: every user can read into all the virtual hosts on the server, and nothing stops them if PHP/CGI is allowed.
One solution to this problem is to run PHP as CGI. With suexec this allows PHP to run under a chosen UID/GID. Unfortunately running PHP as CGI slows things down, and this is where FastCGI helps.
What do you need? mod_fastcgi and PHP compiled with FastCGI mode enabled (in PLD these are the apache-mod_fastcgi and php-fcgi packages). I will not describe the compilation/installation process for them; it's documented, so you can read it yourself.
Example apache 2.0 configuration:
FastCgiWrapper /usr/sbin/suexec-fcgi
FastCgiServer /home/services/httpd/cgi-bin/php -user pubhttp -group pubhttp
AddHandler php-fastcgi .php
SetHandler fastcgi-script
Action php-fastcgi /cgi-bin/php
AddType application/x-httpd-php .php
/home/services/httpd/cgi-bin/php is a shell script:
#!/bin/sh
# directory holding the php.ini used by the FastCGI PHP processes
PHPRC="/etc/php/"
export PHPRC
# number of PHP children each FastCGI pool forks
PHP_FCGI_CHILDREN=4
export PHP_FCGI_CHILDREN
# replace this shell with the FastCGI-enabled PHP binary (PLD's php-fcgi package)
exec /usr/bin/php.fcgi
PHPRC tells PHP where to look for its configuration file, while PHP_FCGI_CHILDREN limits the number of FastCGI PHP server processes in one pool.
/usr/sbin/suexec-fcgi is a modified Apache suexec with the check of UID/GID against the directory/script file owner disabled. Since that check is one of suexec's safeguards, keep the shared wrapper script and php.fcgi binary owned by root and not writable by any vhost user. Here is ApacheSuEexecPatch.
In each virtual host context you also need to specify the proper username/group or UID/GID, for example:
ServerAdmin admin@somehost.pl
DocumentRoot /home/virtuals/virtual01
#SuexecUserGroup virtual01-user virtual-group
SuexecUserGroup "#50000" "#5000"
It's also good to specify SuexecUserGroup defaultapacheuser defaultapachegroup in the global context. I had problems with mod_fastcgi trying to use root/root without this directive.
I've also modified mod_fastcgi so that it can be used with a UID/GID only (so no proper entries in /etc/{passwd,group} are needed). Here is ModFastCgiPatch.
As a result you will get a process tree like this:
|-httpd(22368)-+-httpd(22388,http)-+-php.fcgi(26822,artwol)-+-php.fcgi(26823)
| | |-php.fcgi(26824)
| | |-php.fcgi(22657,powiat9)-+-php.fcgi(22658)
| | | |-php.fcgi(22659)
| | | |-php.fcgi(22660)
| | | `-php.fcgi(22661)
| | |-php.fcgi(22489,sebastian)-+-php.fcgi(15654)
| | | |-php.fcgi(15809)
| | | |-php.fcgi(15810)
| | |-php.fcgi(15828)
| | |-php.fcgi(24300,piochaj)-+-php.fcgi(24301)
| | | `-php.fcgi(24302)
| | |-php.fcgi(22496,gazetas01)-+-php.fcgi(22497)
| | | |-php.fcgi(22498)
| | | |-php.fcgi(22499)
| | |-php.fcgi(22500)
| | |-php.fcgi(25690,design)-+-php.fcgi(25691)
| | | `-php.fcgi(25692)
| | |-php.fcgi(24613,marbo3)-+-php.fcgi(24614)
| | |-php.fcgi(24615)
| | |-php.fcgi(3208,emawoz)-+-php.fcgi(3209)
| | | `-php.fcgi(3210)
| | |-php.fcgi(26503,arhen01)-+-php.fcgi(26504)
| | |-php.fcgi(26505)
| | |-php.fcgi(17300,thomson)-+-php.fcgi(17301)
| | | `-php.fcgi(17302)
| | |-php.fcgi(22482,pereko)-+-php.fcgi(22483)
| | | |-php.fcgi(22484)
| | | |-php.fcgi(22485)
| | |-php.fcgi(22486)
| | |-php.fcgi(22468,pubhttp)-+-php.fcgi(22469)
| | | |-php.fcgi(22470)
| | | |-php.fcgi(22471)
| | | `-php.fcgi(22472)
| |-php.fcgi(16126,szpaner)-+-php.fcgi(16127)
| | `-php.fcgi(16128)
| |-httpd(1699,http)---httpd(1700)-+-httpd(1702)
| | |-httpd(1703)
| | |-httpd(1704)
| | |-httpd(1705)
| | |-httpd(1706)
| | |-httpd(1707)
| | |-httpd(1708)
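The tree above is the thing worth checking after such a setup: every php.fcgi pool should run under its vhost's UID, with only the FastCgiServer default pool (pubhttp here) and the httpd workers (http) running as shared accounts. The following POSIX sh script is an added example, not part of the original post or of mod_fastcgi; it takes `ps -eo user,pid,ppid,comm` style output and reports php.fcgi processes still running as root or as the httpd worker user, which is exactly the symptom the author describes when the global SuexecUserGroup is missing. The sample process listings are constructed for the example; the user names, PIDs and the `http` worker user are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit a ps-style process list
# and flag php.fcgi pools that were not switched to a per-vhost UID.

# Constructed sample of `ps -eo user,pid,ppid,comm` output (not real data):
# two pools run as root and one as the httpd worker user "http".
SAMPLE_PS='USER       PID  PPID COMMAND
root     22368     1 httpd
http     22388 22368 httpd
artwol   26822 22388 php.fcgi
artwol   26823 26822 php.fcgi
root     31000 22388 php.fcgi
root     31001 31000 php.fcgi
http     31010 22388 php.fcgi
pubhttp  22468 22388 php.fcgi
pubhttp  22469 22468 php.fcgi'

# Constructed sample of a correct setup: only per-vhost users and the
# default pool user pubhttp run php.fcgi.
CLEAN_PS='USER       PID  PPID COMMAND
root     22368     1 httpd
http     22388 22368 httpd
artwol   26822 22388 php.fcgi
artwol   26823 26822 php.fcgi
pubhttp  22468 22388 php.fcgi
pubhttp  22469 22468 php.fcgi'

# Print "user count" for every user that owns php.fcgi processes
# (pool parents and their PHP_FCGI_CHILDREN children together).
php_pools() {
    printf '%s\n' "$1" |
        awk '$4 == "php.fcgi" { n[$1]++ } END { for (u in n) print u, n[u] }' |
        sort
}

# Print "user pid ppid" for php.fcgi processes running as root or as the
# httpd worker user ($2, default "http"). Exit status 1 if any were found.
php_unexpected_uids() {
    ps_output=$1
    httpd_user=${2:-http}
    printf '%s\n' "$ps_output" | awk -v bad="$httpd_user" '
        $4 == "php.fcgi" && ($1 == "root" || $1 == bad) {
            print $1, $2, $3
            found = 1
        }
        END { exit found ? 1 : 0 }'
}

# Live usage (procps truncates long user names in the "user" column, so
# widen it):  php_unexpected_uids "$(ps -eo user:20,pid,ppid,comm)" http
```

The check deliberately does not flag the default pool user: the author starts one pool as pubhttp on purpose, so only root and the httpd worker account count as unexpected.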
Dude, nobody's going to comment if the security image contains such a long "Security code".
Then again, I did. Nice article… 🙂
You might be interested in this, very similar to what you have here, only I use chroots: http://www.seaoffire.net/fcgi-faq.html
Nice quick article. Just what I needed. Thanks.