suexec code

#!/usr/bin/env ruby # runas - Run another program under the privileges of a specified user and group. # This is necessary because sudo demands a password, as we need it to be hands off. # A poor man's suexec basically. require 'etc' user, group, cmd = ARGV begin uid = Etc.getpwnam(user).uid gid = Etc.getgrnam(group).gid unless Process.euid == uid && Process.egid == gid Process.initgroups(user, gid) Process::GID.change_privilege(gid) Process::UID.change_privilege(uid) end exec cmd rescue puts "Could not run as #{user}:#{group}" exit 1 end

A PHP cgi binary compiled with fcgi support

> /usr/local/www/cgi-bin/php5-fcgi -v
PHP 5.0.3 (cgi-fcgi) (built: Dec 30 2004 22:44:32)

Central config in httpd.conf

<IfModule mod_fastcgi.c>
FastCgiIpcDir /usr/local/www/fcgi_ipc/tmp
AddHandler fastcgi-script .fcgi
FastCgiSuexec /usr/local/sbin/suexec
FastCgiConfig -singleThreshold 100 -killInterval 300 -autoUpdate -idle-timeout 240 -pass-header HTTP_AUTHORIZATION
</IfModule>
<Location /php-fastcgi/>
Options ExecCGI        
SetHandler fastcgi-script
</Location>

In a virtual host

SuexecUserGroup ${USER} ${GROUP}
ScriptAlias /php-fastcgi/ ${HOME}/php-fastcgi/ 
AddType application/x-httpd-fastphp .php
Action application/x-httpd-fastphp /php-fastcgi/php5-fcgi

And then the ${HOME}/php-fastcgi/php5-fcgi wrapper

#!/bin/sh 
PHPRC="/usr/local/etc" 
export PHPRC 
PHP_FCGI_CHILDREN=8 
export PHP_FCGI_CHILDREN 
PHP_FCGI_MAX_REQUESTS=5000 
export PHP_FCGI_MAX_REQUESTS 
exec /usr/local/www/cgi-bin/php5-fcgi

The PHPRC environment sets the directory where php.ini is to be found

Popular @ dzone.com

Related Tags

Never been to DZone Snippets before?

runas - Run a program under a specific user / group (poor man's suexec)

Suexec'ed PHP-FastCGI on Apache2