[users@httpd] best practice: suexec with PHP5 in a many-user/non-technical-user environment

2011-10-25 Thread Jesse B. Crawford 
Hello,
We're a small university (think 3000 users) with an NFS/Kerberos/LDAP
network environment. I'm currently preparing for a much needed complete
overhaul of our main webserver, which hosts the user's webpages using a
standard userdir configuration (the webserver has all home directories
mounted). The old configuration ran Apache as the www-data user for all
purposes, but this simply isn't secure now when we have users running
WordPress etc. out of their account, so that Apache (and thus everyone
else) must be able to read their MySQL credentials.

I would thus like to use suexec in the new configuration so that users
can own and secure their files. Here's the trouble: From the
documentation I have read (and it is quite possible I'm missing
something), suexec can only call binaries within the userdir, not
somewhere on the rest of the system. This makes PHP difficult since
php-cgi must be called. Everywhere I have looked this problem has been
solved by placing a shell script in the user's public_html. Apache runs
the script, and the script runs php-cgi.

I don't like this solution, though, because it requires that all users
have a "magic shell script" in their public_html. Many of our users (as
I think anyone at a university has experienced) have little to no
understanding of a linux environment and won't understand the script,
thus either creating it incorrectly or (if we place it automatically)
removing it accidentally. Sure, we could write tools to correct this
automatically, but it simply seems like there must be a better way to do
this.

Is there not any way that /usr/bin/php-cgi can be added to some sort of
white list that suexec is allowed to call? I think one potential
solution is to run suphp alongside suexec, but it seems like it should
be simple to do all this with suexec and fcgid as I plan to use for
python/perl. What would you recommend as the best practice for this kind
of setup?

Thanks!

-- 
Jesse B. Crawford (jeanluc)
Systems Programmer
Tech Computer Center
New Mexico Inst. of Mining & Tech.

jean...@nmt.edu // http://nmt.edu/~jeanluc


-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] best practice: suexec with PHP5 in a many-user/non-technical-user environment

2011-10-25 Thread Steve Swift 
I don't understand how suexec is "calling" php-cgi, and how such php scripts
work.

I use SUEXEC on a couple of very different systems. My scripts (as is
required) run from a directory below my DocumentRoot. In turn, they use the
shebang method to invoke the programming language:
#!/usr/bin/rexx --
As far as I'm aware, this executable can be anywhere; the restriction is on
where the SCRIPT is housed, not where it's processing executable lives.

Once my script starts executing under suexec, it can run more or less any
executable/binary that my own userid has access to; at least, I've never run
into any problems.

On 25 October 2011 22:07, Jesse B. Crawford  wrote:

> From the
> documentation I have read (and it is quite possible I'm missing
> something), suexec can only call binaries within the userdir, not
> somewhere on the rest of the system. This makes PHP difficult since
> php-cgi must be called.


-- 
Steve Swift
http://www.swiftys.org.uk

Re: [users@httpd] best practice: suexec with PHP5 in a many-user/non-technical-user environment

2011-10-26 Thread Jesse B. Crawford 
Because PHP is embedded within HTML, PHP web scripts cannot use a 
shebang, so it is a necessity that the php-cgi binary (/usr/bin/php-cgi 
in our environment) be executed with the script as an argument, rather 
than the script being executed directly (or at least this is my 
understanding, and I have not found any information on the internet to 
the contrary). This creates a problem with the requirement that all 
files executed by suexec be in the userdir, because obviously the 
php-cgi binary is not. This situation is unique to PHP, I think, because 
of the embedding in to HTML. That said, PHP is incredibly common and I 
can't believe that a good solution hasn't been created for this. At this 
point I'm thinking the best solution is suphp and suexec alongside each 
other, because suexec seems to have been poorly designed for handling 
scripts that must be explicitly run with an interpreter (which, in its 
defence, is only PHP that I'm aware of).


Please let me know if I'm wrong on any of these points.

On 10/26/2011 12:22 AM, Steve Swift wrote:
I don't understand how suexec is "calling" php-cgi, and how such php 
scripts work.


I use SUEXEC on a couple of very different systems. My scripts (as is 
required) run from a directory below my DocumentRoot. In turn, they 
use the shebang method to invoke the programming language:

#!/usr/bin/rexx --
As far as I'm aware, this executable can be anywhere; the restriction 
is on where the SCRIPT is housed, not where it's processing executable 
lives.


Once my script starts executing under suexec, it can run more or less 
any executable/binary that my own userid has access to; at least, I've 
never run into any problems.


On 25 October 2011 22:07, Jesse B. Crawford > wrote:


>From the
documentation I have read (and it is quite possible I'm missing
something), suexec can only call binaries within the userdir, not
somewhere on the rest of the system. This makes PHP difficult since
php-cgi must be called.

--
Steve Swift
http://www.swiftys.org.uk



--
Jesse B. Crawford (jeanluc)
Systems Programmer
Tech Computer Center
New Mexico Inst. of Mining&  Tech.

jean...@nmt.edu // http://nmt.edu/~jeanluc

Re: [users@httpd] best practice: suexec with PHP5 in a many-user/non-technical-user environment

2011-10-26 Thread Alexandr Normuradov 
Use MPM ITK.
Solves security, memory and speed problems.
Tested in production, very good alternative for environments when
users are not very savvy and not require custom php.ini

Sincerely,
Alexandr Normuradov



On 26 October 2011 19:00, Jesse B. Crawford  wrote:
> Because PHP is embedded within HTML, PHP web scripts cannot use a shebang,
> so it is a necessity that the php-cgi binary (/usr/bin/php-cgi in our
> environment) be executed with the script as an argument, rather than the
> script being executed directly (or at least this is my understanding, and I
> have not found any information on the internet to the contrary). This
> creates a problem with the requirement that all files executed by suexec be
> in the userdir, because obviously the php-cgi binary is not. This situation
> is unique to PHP, I think, because of the embedding in to HTML. That said,
> PHP is incredibly common and I can't believe that a good solution hasn't
> been created for this. At this point I'm thinking the best solution is suphp
> and suexec alongside each other, because suexec seems to have been poorly
> designed for handling scripts that must be explicitly run with an
> interpreter (which, in its defence, is only PHP that I'm aware of).
>
> Please let me know if I'm wrong on any of these points.
>
> On 10/26/2011 12:22 AM, Steve Swift wrote:
>
> I don't understand how suexec is "calling" php-cgi, and how such php scripts
> work.
> I use SUEXEC on a couple of very different systems. My scripts (as is
> required) run from a directory below my DocumentRoot. In turn, they use the
> shebang method to invoke the programming language:
> #!/usr/bin/rexx --
> As far as I'm aware, this executable can be anywhere; the restriction is on
> where the SCRIPT is housed, not where it's processing executable lives.
> Once my script starts executing under suexec, it can run more or less any
> executable/binary that my own userid has access to; at least, I've never run
> into any problems.
>
> On 25 October 2011 22:07, Jesse B. Crawford  wrote:
>>
>> >From the
>> documentation I have read (and it is quite possible I'm missing
>> something), suexec can only call binaries within the userdir, not
>> somewhere on the rest of the system. This makes PHP difficult since
>> php-cgi must be called.
>
>
> --
> Steve Swift
> http://www.swiftys.org.uk
>
>
> --
> Jesse B. Crawford (jeanluc)
> Systems Programmer
> Tech Computer Center
> New Mexico Inst. of Mining & Tech.
>
> jean...@nmt.edu // http://nmt.edu/~jeanluc

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] best practice: suexec with PHP5 in a many-user/non-technical-user environment

2011-10-26 Thread Yehuda Katz 
On Wed, Oct 26, 2011 at 9:49 PM, Alexandr Normuradov wrote:

> Use MPM ITK.
> Solves security, memory and speed problems.
> Tested in production, very good alternative for environments when
> users are not very savvy and not require custom php.ini
>

I use ITK with great results, but it needs to be configured for every
virtual host individually.
I believe the original poster is looking for a solution that will work with
~userdirs.

I should add that I do not know of any universities that allow students to
run arbitrary code on the primary servers.
At the University of Maryland, you can not run ANY code on the users
server(they used to allow SSI, but that is
gone now too) and many departments
require an internal audit of your application before they will let it run on
their servers.

Re: [users@httpd] best practice: suexec with PHP5 in a many-user/non-technical-user environment

2011-10-26 Thread Alexandr Normuradov 
Same config headache as SuexecUserGroup directive.
Everything can be nicely automated with a bash script and Includes to
sub configs.
As of ~userdir, let them run their web sites, just put proper
thresholds and universal cache, like mod_cache, that handles pretty
much everything.
ITK has some nice thresholds and limits that you can safely adjust.


Sincerely,
Alexandr Normuradov



On 26 October 2011 20:58, Yehuda Katz  wrote:
> On Wed, Oct 26, 2011 at 9:49 PM, Alexandr Normuradov 
> wrote:
>>
>> Use MPM ITK.
>> Solves security, memory and speed problems.
>> Tested in production, very good alternative for environments when
>> users are not very savvy and not require custom php.ini
>
> I use ITK with great results, but it needs to be configured for every
> virtual host individually.
> I believe the original poster is looking for a solution that will work with
> ~userdirs.
> I should add that I do not know of any universities that allow students to
> run arbitrary code on the primary servers.
> At the University of Maryland, you can not run ANY code on the users server
> (they used to allow SSI, but that is gone now too) and many departments
> require an internal audit of your application before they will let it run on
> their servers.

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] best practice: suexec with PHP5 in a many-user/non-technical-user environment

2011-10-26 Thread Yehuda Katz 
My understanding of suEXEC (not that I have used it) is that it will
automatically discover which user to execute as when pulling from a location
configured with UserDir (with some limitations, search
http://httpd.apache.org/docs/2.2/suexec.html for UserDir).

- Y

On Wed, Oct 26, 2011 at 10:07 PM, Alexandr Normuradov wrote:

> Same config headache as SuexecUserGroup directive.
> Everything can be nicely automated with a bash script and Includes to
> sub configs.
> As of ~userdir, let them run their web sites, just put proper
> thresholds and universal cache, like mod_cache, that handles pretty
> much everything.
> ITK has some nice thresholds and limits that you can safely adjust.
>
>
> Sincerely,
> Alexandr Normuradov
>
>
>
> On 26 October 2011 20:58, Yehuda Katz  wrote:
> > On Wed, Oct 26, 2011 at 9:49 PM, Alexandr Normuradov  >
> > wrote:
> >>
> >> Use MPM ITK.
> >> Solves security, memory and speed problems.
> >> Tested in production, very good alternative for environments when
> >> users are not very savvy and not require custom php.ini
> >
> > I use ITK with great results, but it needs to be configured for every
> > virtual host individually.
> > I believe the original poster is looking for a solution that will work
> with
> > ~userdirs.
> > I should add that I do not know of any universities that allow students
> to
> > run arbitrary code on the primary servers.
> > At the University of Maryland, you can not run ANY code on the users
> server
> > (they used to allow SSI, but that is gone now too) and many departments
> > require an internal audit of your application before they will let it run
> on
> > their servers.
>
> -
> The official User-To-User support forum of the Apache HTTP Server Project.
> See http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>   "   from the digest: users-digest-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>

Re: [users@httpd] best practice: suexec with PHP5 in a many-user/non-technical-user environment

2011-10-27 Thread Jesse B. Crawford 
On 10/26/2011 07:58 PM, Yehuda Katz wrote:
> On Wed, Oct 26, 2011 at 9:49 PM, Alexandr Normuradov
> mailto:norma...@gmail.com>> wrote:
>
> Use MPM ITK.
> Solves security, memory and speed problems.
> Tested in production, very good alternative for environments when
> users are not very savvy and not require custom php.ini
>
>
> I use ITK with great results, but it needs to be configured for every
> virtual host individually.
> I believe the original poster is looking for a solution that will work
> with ~userdirs.
>
> I should add that I do not know of any universities that allow
> students to run arbitrary code on the primary servers.
> At the University of Maryland, you can not run ANY code on the users
> server  (they used to allow SSI, but that
> is gone now too) and many departments require an internal audit of
> your application before they will let it run on their servers.

Perhaps we are strange in this regard, we attempt to support all CGI
applications. That we don't have much trouble with this is probably
purely a consequence of being a small school such that our staff can
still watch all systems very carefully.

MPM-ITK does look problematic because of the per-vhost configuration. At
this point I am thinking suphp is the best solution. Does anyone have
any experience with this extension? The documentation makes it sound
like suPHP and suExec at the same time will work just fine, and it looks
like it can be fairly easily configured for a userdir environment.

Thanks for the input!

-- 
Jesse B. Crawford (jeanluc)
Systems Programmer
Tech Computer Center
New Mexico Inst. of Mining & Tech.

jean...@nmt.edu // http://nmt.edu/~jeanluc


-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org