MandrakeUser.Org - Your Mandrake-Linux Knowledge Base!


 
 

*DocIndex - Connectivity

Netips III

* Installing php-cgiwrap

Related Resources:

cgiwrap egroup
Running PHP Scripts Securely

Revision / Modified: June 05, 2002
Author: Jeff Bert, Tom Berger

 

* Installing php-cgiwrap

(Contributed by Mandrake Linux user Jeff Bert)

  1. Got 'php-4.1.2.tar.gz' and compiled as a CGI Binary it using (minimum options shown):
    1. Untarred it to /usr/local/src
    2. cd /usr/local/src/php-4.1.2
    3. ./configure --enable-track-vars --enable-force-cgi-redirect --with-config-file-path=/etc
    4. make
    5. strip php
    6. cp php /home/USERNAME/public_html/cgi-bin/php4-12.cgi
    7. chmod 700 /home/USERNAME/public_html/cgi-bin/php4-12.cgi
  2. Got 'cgiwrap-3.7.1.tar.gz' from: http://cgiwrap.unixtools.org/
  3. Got 'php-cgiwrap' patch from: http://www.klaban.torun.pl/patches/cgiwrap/
  4. Un-tarred 'cgiwrap-3.7.1.tar.gz' into '/usr/local/src' and patched it
    1. cd /usr/local/src/cgiwrap-3.7.1
    2. cp /path-to-patch/cgiwrap-3.7.1-p7-withphp.diff.gz .
    3. gzip -dc cgiwrap-3.7.1-p7-withphp.diff.gz | patch -p1
  5. Created "cgi-sys" for system cgi-bin to run cgiwrap from:
    1. mkdir -p /var/www/cgi-sys
    2. chmod 755 /var/www/cgi-sys
  6. Added to my httpd.conf file:

    ScriptAlias /cgi-sys/ /var/www/cgi-sys/
    <Directory /var/www/cgi-sys>
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
    </Directory>

  7. Compiled cgiwrap with (minimum options shown):
    1. ./configure --with-httpd-user=apache --with-install-dir=/var/www/cgi-sys
    2. make
    3. make install
  8. Got rid of the php-cgiwrap links to cgiwrap so that I can custom install those separately with a second cgiwrap compile:
    1. rm -f /var/www/cgi-sys/php*
    2. make clean
    3. ./configure --with-httpd-user=apache --with-install-dir=/tmp --with-cgi-dir=public_html
    4. make
    5. make install
    6. cp /tmp/cgiwrap /var/www/cgi-sys/php-cgiwrap
    7. ln /var/www/cgi-sys/php-cgiwrap /var/www/cgi-sys/php-cgiwrapd
    8. rm /tmp/*cgiwrap* -f
  9. Set up 'Vhosts.conf' with for each host that is php wrapped (not all are):

    AddHandler php-cgiwrap .php
    Action php-cgiwrap /cgi-sys/php-cgiwrap/USERNAME/cgi-bin/php4-12.cgi

So what I did was create two different wrappers... one for cgi scripts that have to be called via:

http:domain/cgi-bin/cgiwrap/USERNAME/path-to-script-inside-cgi-bin/script.cgi

and the other for php files called via:

http:domain/path-to-php-script-NOT-inside-cgi-bin/script.php

The reason this works is that the patch to cgiwrap allows you to get rid of the #!/path-to-php/ and the php CGI binary allows you to not have to put the php files in the cgi-bin.

Now, this raises some security issues that goes against the ilk of those who swear by cgiwrap religiously. Putting a language parser in the cgi-bin is a security risk per http://www.cert.org/advisories/CA-1996-11.html . So, I'm not sure this is the best setup for everyone.
The reasons I did this was that so I could create scripts that would be easily ported to my alternate account at pair.com. Also, some of my webusers wanted to customize their php installs and I wanted to give them that but to force the risk to them. Because wrapping php puts the risk to damage to the system to their files only, i hope ;)

* section index * top

 
Legal: All texts on this site are covered by the GNU Free Documentation License. Standard disclaimers of warranty apply. Copyright LSTB (Tom Berger) and Mandrakesoft 1999-2002.