chmod 711 \/home\/wwwroot <\/li>\n<\/ul>\nTry your webserver.<\/strong> It’s important as now you’re sure the following bugs come from SuEXEC configuration error path permissions problems (httpd main or vhost error log and suexec.log are your best friends). <\/p>\nWhen all is okay, let’s hack support\/suexec.c (in your httpd source directory): <\/p>\n
Find (near the end of file): <\/p>\n
execv(cmd, &argv[3]); <\/p>\n
Replace by: <\/p>\n
\n- \n
if<\/span> \t\t\t\t\t<\/span>(<\/span>strstr<\/span>(<\/span>cmd, <\/span>“.phps”<\/span>))<\/span> \t\t\t\t\t<\/span>{<\/span> \t\t\t\t\t<\/span><\/span><\/div>\n<\/li>\n- \n
execl<\/span>(<\/span>“\/usr\/local\/bin\/php-cgi”<\/span>, <\/span>“php-cgi”<\/span>, <\/span>“-s”<\/span>, cmd, <\/span>NULL<\/strong><\/span>)<\/span>; <\/span><\/span><\/div>\n<\/li>\n- \n
}<\/span> \t\t\t\t\t<\/span>else<\/span> \t\t\t\t\t<\/span>if<\/span> \t\t\t\t\t<\/span>(<\/span>strstr<\/span>(<\/span>cmd, <\/span>“.php”<\/span>))<\/span> \t\t\t\t\t<\/span>{<\/span> \t\t\t\t\t<\/span><\/span><\/div>\n<\/li>\n- \n
execl<\/span>(<\/span>“\/usr\/local\/bin\/php-cgi”<\/span>, <\/span>“php-cgi”<\/span>, cmd, <\/span>NULL<\/strong><\/span>)<\/span>; <\/span><\/span><\/div>\n<\/li>\n- \n
}<\/span> \t\t\t\t\t<\/span>else<\/span> \t\t\t\t\t<\/span>{<\/span> \t\t\t\t\t<\/span><\/span><\/div>\n<\/li>\n- \n
execv<\/span>(<\/span>cmd, &argv<\/span>[<\/span>3<\/span>])<\/span>; <\/span><\/span><\/div>\n<\/li>\n- \n
}<\/span> \t\t\t\t\t<\/span><\/span><\/div>\n<\/li>\n<\/ol>\nsuexec.c PHP friendly hack – Dereckson <\/strong><\/span><\/p>\n<\/p>\nNow, in httpd.conf you’ve to configure php and phps as CGI. <\/p>\n
[ This is a rough draft, drop a comment if you want any precision or the sequel ]<\/p>\n","protected":false},"excerpt":{"rendered":"
Want a very secure Apache \/ PHP setup? <\/p>\n
SuEXEC<\/strong> allows CGI execution under user own accounts and not webserver one. So, if a security hole is exploited through a script, that’s normally – if your FreeBSD server is correctly chmoded – gives access to resources. <\/p>\nThe genuine SuEXEC drawback is you’ve to prefix each, as any other CGI script (remember #!\/usr\/bin\/perl ?). We’ll slightly edit the SuEXEC.c code to avoid that. <\/p>\n
SuEXEC will force you to chmod correctly and securely your web content: 700 the scripts, 711 the directories (755 to allow list them). If that’s sounds too paranoid or you’re tired of your users’ complaints, you can ask SuEXEC to ignore permissions check (but what’s the interest of this method in this case? You should consider chroot instead.). If you’re a console guru, I’ve coded an autochmod<\/strong> script to make our life paranoid but easier \ud83d\ude09 <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[9],"class_list":["post-75","post","type-post","status-publish","format-standard","hentry","tag-freebsd"],"_links":{"self":[{"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/posts\/75","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/comments?post=75"}],"version-history":[{"count":0,"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/posts\/75\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/media?parent=75"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/categories?post=75"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/tags?post=75"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}