Apache2-PHP-FastCGI-SuExec
Yeah, this is one of the most irritating things to set up. I had a tough time with this, but ultimately got it right after a lot of researching.
Follow this tutorial and you'll successfully set the environment up: PHP running via FastCGI within a SuExec environment in Apache 2!
So let's start with a case study: what my case was, and how I solved it -
I have a server in which Apache 2 is configured with FastCGI globally without SuExec support on Linux.
Apache runs as user www and group www.
Data is stored at /srv/htdocs.
Now you want to add a new user, but you want to be sure that his scripts aren't able to write to your data area (i.e. /srv/htdocs).
To ensure that he can't write into your area, you have to use SuExec to run his PHP/CGI scripts.
You could also use mod_suphp and be done with it, but that hurts performance. You want both performance and security.
Now here's what to do -
- Recompile Apache with suexec support
I assume that your Apache installation is located at /usr/local/apache2.
BACKUP YOUR CONFIGURATION BEFORE RECOMPILATION !!
Extract httpd-.tar.gz or .tar.bz2 downloaded from httpd.apache.org
Then type this on the shell-
    /usr/local/apache2/build/config.nice --enable-suexec \
        --with-suexec-bin=/usr/local/apache2/bin/suexec --with-suexec-caller=www \
        --with-suexec-docroot=/srv --with-suexec-uidmin=500 --with-suexec-gidmin=500
    make
    sudo make install    # or simply "make install" if you are root

This configures Apache with suexec; make and then make install (sudo make install if you're not root) compile and install it.
Note that --with-suexec-gidmin takes a numeric GID, just like --with-suexec-uidmin, not a group name. The 500 shown here is an assumed value; set it to the lowest GID used by the groups of your virtual-host users.
- Main Configuration
Now comes the real part - Configuration
In the module section add these two lines -
    LoadModule suexec_module modules/mod_suexec.so
    LoadModule fastcgi_module modules/mod_fastcgi.so

The following configuration assumes that you want PHP on all of your virtual hosts. If you don't, you have to configure it a little differently.

    # ScriptAlias takes the URL path first, then the filesystem path
    ScriptAlias /cgi-bin/ "/srv/cgi-bin/"
    <Directory "/srv/cgi-bin/">
        Options None
        Order allow,deny
        Allow from All
    </Directory>

    # This directive must appear before any other FastCGI directives
    FastCgiSuexec bin/suexec

    # Change FastCgiConfig directive values as needed.
    # Read docs at http://www.fastcgi.com/mod_fastcgi/docs/mod_fastcgi.html
    FastCgiConfig -singleThreshold 100 -killInterval 600 -minProcesses 5 -maxProcesses 50 -maxClassProcesses 15 -autoUpdate -idle-timeout 180 -pass-header HTTP_AUTHORIZATION

    AddHandler fastcgi-script .fcgi
    AddHandler php-fastcgi .php
    Action php-fastcgi /cgi-bin/php.fcgi

    <FilesMatch "\.php$">
        Options +ExecCGI
    </FilesMatch>
- Create /srv/cgi-bin/php.fcgi
    #!/bin/bash
    # In most cases you don't want any stuff here ;)
    # Just pass the filename to PHP interpreter
    PHP=$(type -p php-cgi)
    # Quote both expansions so paths containing spaces survive intact
    exec "$PHP" "$@"

This file /srv/cgi-bin/php.fcgi should be owned by www:www with permissions of 0755 (the same goes for the cgi-bin directory).
A php.fcgi must exist in the cgi-bin of every virtual host. It must be owned by the user:group specified in the SuexecUserGroup directive and must be writeable ONLY by the owner (not even by the group). The cgi-bin directory must also be writeable ONLY by the owner, i.e. both the cgi-bin directory and php.fcgi should have permissions of 755.
- Configure VirtualHost
    <VirtualHost aa.bb.cc.dd:80>
        ServerName example.com

        # Because we've now enabled suexec, the document root of ANY virtualhost must be under /srv
        DocumentRoot "/srv/DOCROOT-OF-example.com/public"

        # URL path first, then this virtual host's own cgi-bin directory
        ScriptAlias /cgi-bin/ "/srv/DOCROOT-OF-example.com/cgi-bin/"
        <Directory "/srv/DOCROOT-OF-example.com/cgi-bin">
            Options None
            Order allow,deny
            Allow from All
        </Directory>

        SuexecUserGroup vuser vgroup

        # other config stuff..
    </VirtualHost>

Be sure to set the owner of cgi-bin/php.fcgi to vuser:vgroup, with permissions 755 for the directory as well as php.fcgi!
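The ownership and permission requirements above can be checked mechanically before reloading Apache. The following script is an added example, not part of the original tutorial; `check_wrapper` and `SUEXEC_DOCROOT` are names made up here, and GNU `stat` (Linux) is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. check_wrapper and SUEXEC_DOCROOT
# are hypothetical names; GNU stat (Linux) is assumed.
SUEXEC_DOCROOT=${SUEXEC_DOCROOT:-/srv}   # same value as --with-suexec-docroot

# usage: check_wrapper /srv/SITE/cgi-bin/php.fcgi vuser:vgroup
# Prints one line per problem; returns 0 only when every check passes.
check_wrapper() (
    wrapper=$1 want=$2 rc=0
    dir=$(dirname "$wrapper")
    fail() { echo "FAIL: $*"; rc=1; }

    [ -f "$wrapper" ] || { echo "FAIL: $wrapper is not a regular file"; exit 1; }

    # The wrapper has to live below the docroot compiled into suexec.
    case "$(cd "$dir" && pwd -P)/" in
        "$SUEXEC_DOCROOT"/*) ;;
        *) fail "$dir is outside $SUEXEC_DOCROOT" ;;
    esac

    for p in "$dir" "$wrapper"; do
        owner=$(stat -c '%U:%G' "$p")
        mode=$(stat -c '%a' "$p")
        # Owner must be the SuexecUserGroup pair of this virtual host.
        [ "$owner" = "$want" ] || fail "$p is owned by $owner, expected $want"
        # Mask 022: nobody but the owner may have write permission.
        [ $(( 0$mode & 022 )) -eq 0 ] || fail "$p has mode $mode (group/other writable)"
    done

    # setuid/setgid bits on the wrapper are refused too, and it must be executable.
    [ $(( 0$(stat -c '%a' "$wrapper") & 06000 )) -eq 0 ] || fail "$wrapper is setuid/setgid"
    [ -x "$wrapper" ] || fail "$wrapper is not executable"
    exit "$rc"
)

# Run as a script: ./check.sh /srv/SITE/cgi-bin/php.fcgi vuser:vgroup
if [ $# -eq 2 ]; then check_wrapper "$1" "$2"; fi
```

Each FAIL line names the path and the rule it breaks, so the matching chown or chmod is obvious.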
ENJOY!
Post comments (and subscribe to them) for any clarification.
Nilesh Govindrajan
Site & Server Administrator
iTech7