You are not logged in.

#1 2005-06-19 09:00:56

sven
Member
Registered: 2005-02-01
Posts: 311

Making Arch suitable for hosting with secure php support

I am trying to host some sites that are going to use php and php-based cms systems and top security is my main concern while performance is the second important one. I hope this thread would be as a guide for everyone who wants to set up secure php hosting.

My venture to get things ready went fine until I started thinking that there might be great security problems when I would use mod_php for all of the sites. Everyone would have access to everyone's .php files since they would all be executed under apache user and group. As a remedy to this I found suphp. When I tried to use my apache 1.3.33 directly with mod_suphp it didn't work since mod_php cannot be inserted into apache simultaneously with suphp. So my whole concept of using the mod_php-apache1.3.33 started to be changed.   

The basic things I want to have working are: Apache 2.0.54(mod_fastcgi,mod_security,mod_ssl,suphp or suexec or both?),PHP 5.0.4 (as cgi-fastcgi), fastcgi and eaccelerator cache for php.

According to slashdot forums the problem I feared with Apache 2 and php 5 (that apache 2 is not thread safe) is taken care of by having php separated from apache. PHP as cgi can be slow but fastcgi will speed things up - hopefully the perfomance will be close to mod_php.


Todo:

Done:
- mysql support ok, it was not directly compiled in, and module was commented out in php.ini
- custom apache package with more accurate suexec configuration. Also changed the default apache user to apache instead of nobody and apache.install with user/group generation and deletion.
- mod_fastcgi package
- mod_security package
- for php used standard arch package
- for php-fastcgi used cactus' php-cgi and fcgi packages


apache and mod_fastcgi and suexec tips from various sources
-----------------------------------------------------------
Discussion about suexec and mod_suphp
Apache  and mod_fastcgi and modified suexec
mod_fastcgi suexec
...and again info about apache, fastcgi and suexec
suexec vs. suphp => suexec seems to be sufficient - suphp is based on it
Apache suexec page

php,apache and suexec - three ways of implementing
---------------------------------------------------
Suexec'ed PHP-FastCGI on Apache2
Apache, php and mod_suexec
The guidelines from fastcgi docs

Offline

#2 2005-06-19 09:07:08

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: Making Arch suitable for hosting with secure php support

Take a look at the wiki. I did a considerable write up on using lighttpd with fastcgi/php (prespawned php-fastcgi instances). As well as provided benchmarks in a forum post here somewhere (linked to my blog if I recall).

There is both a php-cgi (php5) and an eaccelerator package that I put in the aur as well.

I run two chrooted lighttpd instances (one for ssl and one for non-ssl), that talk to prespawned php-fcgi instances which run as a seperate user, and with php safe_mode to boot.

Eaccelerator is nice too.  8)


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#3 2005-06-19 09:25:00

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

Yes, I have been trying to use your packages as a basis for my apache set up smile

I thought of using lighttpd for my php hosting, but it still doesn't have something equal to suphp. I also thought of chrooting lighttpd instance for each of my users, but then I would also probably have to set up a complete php environment for each one of them,too. And I don't know how could I allow each one of them use port 80 simultaneously. Seemed to get complicated.

Offline

#4 2005-06-19 18:36:19

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: Making Arch suitable for hosting with secure php support

it wouldn't work with virtual hosts, you would have to use ip based hosting for something like that. Then you could have a lighttpd instance for each user, chrooted to their home dir.
But, likely apache is a better fit for your environment and needs then. still, apache is running under a single user, providing for all the users. Not much difference there, with the exception of mod_suphp, which I admit I am not familiar with.

As for running php for each user..you might be able to prespawn multiple instances of phpfcgi, a set of 4 for each user lets say, and have then each spawned with the permission of the user they will serve. Then for each virtual host, you could specify which fastcgi instance to connect to.

Still, if you find an easier way with apache, more power to you. I prefer fastcgi myself though..


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#5 2005-06-20 09:35:17

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

This is how far I got - I made packages for mod_fcgi and mod_security. I used directly the Arch apache package and Arch php package. For fcgi I used your fcgi and php-cgi packages,cactus.

But then I got badly stuck and hacking. Here is the output of tail from error_log when I start up the server:

[Mon Jun 20 12:30:33 2005] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Mon Jun 20 12:30:33 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/bin/suexec)
[Mon Jun 20 12:30:33 2005] [notice] Digest: generating secret for digest authentication ...
[Mon Jun 20 12:30:33 2005] [notice] Digest: done
[Mon Jun 20 12:30:34 2005] [notice] FastCGI: wrapper mechanism enabled (wrapper: /usr/bin/suexec)
[Mon Jun 20 12:30:34 2005] [notice] FastCGI: process manager initialized (pid 10736)
[Mon Jun 20 12:30:34 2005] [warn] FastCGI: server "/home/httpd/cgi-bin/php5-fcgi" (uid 1005, gid 105) started (pid 10737)
[Mon Jun 20 12:30:34 2005] [notice] Apache configured -- resuming normal operations
[Mon Jun 20 12:30:34 2005] [warn] FastCGI: server "/home/httpd/cgi-bin/php5-fcgi" (pid 10737) terminated by calling exit with status '114'

The httpd.conf (all the fcgi stuff I put in there - only AddModule is before this):

FastCgiWrapper /usr/bin/suexec
FastCgiServer /home/httpd/cgi-bin/php5-fcgi -user apache -group apache

AddHandler php-fastcgi .php
Action php-fastcgi /cgi-bin/php5-fcgi
AddType application/x-httpd-php .php


NameVirtualHost *

<VirtualHost *>
    ServerName myhost.fi
    ServerAdmin celeon@gmail.com
    DocumentRoot /home/httpd/fcgitest
    SuexecUserGroup "myuser" "mygroup"
    <Location /info.php>
       SetHandler fastcgi-script
    </Location>
    Action php-fastcgi /php5-fcgi
    AddType application/x-httpd-php .php
</VirtualHost>

<Directory /home/httpd/fcgitest>
    AddHandler php-fastcgi .php
    Options Indexes FollowSymLinks ExecCGI
    Allow from all
</Directory>

and php5-fcgi:

#!/bin/sh
PHPRC="/etc/php.ini"
export PHPRC
PHP_FCGI_CHILDREN=8
export PHP_FCGI_CHILDREN
PHP_FCGI_MAX_REQUESTS=5000
export PHP_FCGI_MAX_REQUESTS
exec /usr/bin/php-cgi

And php files are not handled correctly and obviously no php-cgi instance is started up. php files ar handled as "downloadable" and for browser the file type is application/x-httpd-php.

Offline

#6 2005-06-20 11:03:54

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

Now I tried with different kind of configuration:

###http://www.bigbold.com/snippets/posts/show/81#########
<IfModule mod_fastcgi.c>
FastCgiIpcDir /home/apache/tmp
AddHandler fastcgi-script .fcgi
FastCgiSuexec /usr/bin/suexec
FastCgiConfig -singleThreshold 100 -killInterval 300 -autoUpdate -idle-timeout 240 -pass-header HTTP_AUTHORIZATION
</IfModule>

<Location /php-fastcgi/>
Options ExecCGI
SetHandler fastcgi-script
</Location>


NameVirtualHost *

<VirtualHost *>
    ServerName myhost.fi
    ServerAdmin celeon@gmail.com
    DocumentRoot /home/httpd/fcgitest
    SuexecUserGroup "myuser" "mygroup"
    ScriptAlias /php-fastcgi/ /home/httpd/fcgitest/php-fastcgi/
    Action application/x-httpd-fastphp /php-fastcgi/php5-fcgi
    AddType application/x-httpd-fastphp .php
</VirtualHost>


<Directory /home/httpd/fcgitest>
    Options Indexes FollowSymLinks
    Allow from all
</Directory>
####end http://www.bigbold.com/snippets/posts/show/81 ####

and didn't get the errors to error_log:

[Mon Jun 20 13:18:47 2005] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Mon Jun 20 13:18:47 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/bin/suexec)
[Mon Jun 20 13:18:47 2005] [notice] Digest: generating secret for digest authentication ...
[Mon Jun 20 13:18:47 2005] [notice] Digest: done
[Mon Jun 20 13:18:47 2005] [notice] FastCGI: wrapper mechanism enabled (wrapper: /usr/bin/suexec)
[Mon Jun 20 13:18:47 2005] [notice] FastCGI: process manager initialized (pid 10915)
[Mon Jun 20 13:18:47 2005] [notice] Apache configured -- resuming normal operations

All the other parts remained the same - and still no luck with php.

Offline

#7 2005-06-20 11:15:14

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: Making Arch suitable for hosting with secure php support

I would say remove the addhandlers and action stanzas from the vitrual host specifications. Since they are set at the global level, you dont need to redefine them.
It looks like your virtual host "action" stanza has an error in it anyway.

FastCgiWrapper /usr/bin/suexec
FastCgiServer /home/httpd/cgi-bin/php -user apache -group apache

DirectoryIndex index.html index.shtml index.cgi index.php

AddHandler php-fastcgi .php
Action php-fastcgi /cgi-bin/php
AddType application/x-httpd-php .php
<Location /cgi-bin/php>
    SetHandler fastcgi-script
</Location>

NameVirtualHost *

<VirtualHost *>
    ServerName myhost.fi
    ServerAdmin celeon@gmail.com
    DocumentRoot /home/httpd/fcgitest
    SuexecUserGroup "myuser" "mygroup"
</VirtualHost>

<Directory /home/httpd/fcgitest>
    Options Indexes FollowSymLinks ExecCGI
    Allow from all
</Directory>

I don't know about suEXEC, but from your log file snipped, it looks like fastcgi is starting ok, and suEXEC is being enabled.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#8 2005-06-20 12:51:06

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

OK, thanks for the fixes - now I got something extra moving in the log smile  This all appeared on start-up in the error_log:

[Mon Jun 20 15:41:51 2005] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Mon Jun 20 15:41:51 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/bin/suexec)
[Mon Jun 20 15:41:51 2005] [notice] Digest: generating secret for digest authentication ...
[Mon Jun 20 15:41:51 2005] [notice] Digest: done
[Mon Jun 20 15:41:51 2005] [notice] FastCGI: wrapper mechanism enabled (wrapper: /usr/bin/suexec)
[Mon Jun 20 15:41:51 2005] [notice] FastCGI: process manager initialized (pid 24307)
[Mon Jun 20 15:41:51 2005] [warn] FastCGI: server "/home/httpd/cgi-bin/php" (uid 1005, gid 105) started (pid 24308)
[Mon Jun 20 15:41:51 2005] [warn] FastCGI: server "/home/httpd/cgi-bin/php" (pid 24308) terminated by calling exit with status '114'
[Mon Jun 20 15:41:51 2005] [notice] Apache configured -- resuming normal operations
[Mon Jun 20 15:41:56 2005] [warn] FastCGI: server "/home/httpd/cgi-bin/php" (uid 1005, gid 105) restarted (pid 24314)
[Mon Jun 20 15:41:56 2005] [warn] FastCGI: server "/home/httpd/cgi-bin/php" (pid 24314) terminated by calling exit with status '114'
[Mon Jun 20 15:42:01 2005] [warn] FastCGI: server "/home/httpd/cgi-bin/php" (uid 1005, gid 105) restarted (pid 24315)
[Mon Jun 20 15:42:01 2005] [warn] FastCGI: server "/home/httpd/cgi-bin/php" (pid 24315) terminated by calling exit with status '114'
[Mon Jun 20 15:42:06 2005] [warn] FastCGI: server "/home/httpd/cgi-bin/php" (uid 1005, gid 105) restarted (pid 24316)
[Mon Jun 20 15:42:06 2005] [warn] FastCGI: server "/home/httpd/cgi-bin/php" (pid 24316) terminated by calling exit with status '114'
[Mon Jun 20 15:42:06 2005] [warn] FastCGI: server "/home/httpd/cgi-bin/php" has failed to remain running for 30 seconds given 3 attempts, its restart interval has been backed off to 600 seconds

But still when I request a php page, the browser download box keeps on popping up.

The php instances seem to be terminated on the moment they start up. I wonder if this is file owner/group issue? Now cgi-bin is owned by user apache, group apache.

EDIT: this has something to do with suexec - I checked suexec_log:

[2005-06-20 15:38:47]: command not in docroot (/home/httpd/cgi-bin/php)
[2005-06-20 15:41:51]: uid: (apache/apache) gid: (apache/apache) cmd: php
[2005-06-20 15:41:51]: command not in docroot (/home/httpd/cgi-bin/php)
[2005-06-20 15:41:56]: uid: (apache/apache) gid: (apache/apache) cmd: php
[2005-06-20 15:41:56]: command not in docroot (/home/httpd/cgi-bin/php)
[2005-06-20 15:42:01]: uid: (apache/apache) gid: (apache/apache) cmd: php
[2005-06-20 15:42:01]: command not in docroot (/home/httpd/cgi-bin/php)
[2005-06-20 15:42:06]: uid: (apache/apache) gid: (apache/apache) cmd: php
[2005-06-20 15:42:06]: command not in docroot (/home/httpd/cgi-bin/php)
[2005-06-20 15:52:06]: uid: (apache/apache) gid: (apache/apache) cmd: php
[2005-06-20 15:52:06]: command not in docroot (/home/httpd/cgi-bin/php)

EDIT: I found a thread(the first result) about this suexec problem. --with-suexec-docroot=/home/http would be needed for apache - this is at least how that guy fixed problems with perl.

Offline

#9 2005-06-20 14:16:37

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

I think I am getting closer - I recompiled apache with these:

--enable-suexec
--with-suexec-caller=apache
--with-suexec-docroot=/home/httpd
--with-suexec-userdir=/home/httpd/users

I also set paranoid permissions for suexec accroding to this guide.

Now on start I am getting these errors:

error_log:

[Mon Jun 20 16:55:26 2005] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Mon Jun 20 16:55:26 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/bin/suexec)
[Mon Jun 20 16:55:26 2005] [notice] Digest: generating secret for digest authentication ...
[Mon Jun 20 16:55:26 2005] [notice] Digest: done
[Mon Jun 20 16:55:26 2005] [notice] FastCGI: wrapper mechanism enabled (wrapper: /usr/bin/suexec)
[Mon Jun 20 16:55:26 2005] [notice] FastCGI: process manager initialized (pid 32366)
[Mon Jun 20 16:55:26 2005] [warn] FastCGI: server "/home/httpd/cgi-bin/php" (uid 1005, gid 105) started (pid 32367)
[Mon Jun 20 16:55:26 2005] [warn] FastCGI: server "/home/httpd/cgi-bin/php" (pid 32367) terminated by calling exit with status '120'
[Mon Jun 20 16:55:26 2005] [warn] pid file /var/run/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Mon Jun 20 16:55:26 2005] [notice] Apache configured -- resuming normal operations
[Mon Jun 20 16:55:31 2005] [warn] FastCGI: server "/home/httpd/cgi-bin/php" (uid 1005, gid 105) restarted (pid 32373)
[Mon Jun 20 16:55:31 2005] [warn] FastCGI: server "/home/httpd/cgi-bin/php" (pid 32373) terminated by calling exit with status '120'
[Mon Jun 20 16:55:36 2005] [warn] FastCGI: server "/home/httpd/cgi-bin/php" (uid 1005, gid 105) restarted (pid 32374)
[Mon Jun 20 16:55:36 2005] [warn] FastCGI: server "/home/httpd/cgi-bin/php" (pid 32374) terminated by calling exit with status '120'
[Mon Jun 20 16:55:41 2005] [warn] FastCGI: server "/home/httpd/cgi-bin/php" (uid 1005, gid 105) restarted (pid 32375)
[Mon Jun 20 16:55:41 2005] [warn] FastCGI: server "/home/httpd/cgi-bin/php" (pid 32375) terminated by calling exit with status '120'
[Mon Jun 20 16:55:41 2005] [warn] FastCGI: server "/home/httpd/cgi-bin/php" has failed to remain running for 30 seconds given 3 attempts, its restart interval has been backed off to 600 seconds
[Mon Jun 20 17:00:41 2005] [warn] FastCGI: server "/home/httpd/cgi-bin/php" has failed to remain running for 30 seconds given 3 attempts, its restart interval has been backed off to 600 seconds

suexec_log:

[2005-06-20 16:55:26]: uid: (apache/apache) gid: (apache/apache) cmd: php
[2005-06-20 16:55:26]: target uid/gid (1005/105) mismatch with directory (0/0) or program (1005/105)
[2005-06-20 16:55:31]: uid: (apache/apache) gid: (apache/apache) cmd: php
[2005-06-20 16:55:31]: target uid/gid (1005/105) mismatch with directory (0/0) or program (1005/105)
[2005-06-20 16:55:36]: uid: (apache/apache) gid: (apache/apache) cmd: php
[2005-06-20 16:55:36]: target uid/gid (1005/105) mismatch with directory (0/0) or program (1005/105)
[2005-06-20 16:55:41]: uid: (apache/apache) gid: (apache/apache) cmd: php
[2005-06-20 16:55:41]: target uid/gid (1005/105) mismatch with directory (0/0) or program (1005/105)

There seems to be something with directory rights I guess - the uid and gid for user apache are 1005 105 and 0 0 are for root.

EDIT: It was so - cgi-bin was owned by root and I set it to be owned by apache. Now I don't get any errors to suexec_log and error_log has this stuff:

[Mon Jun 20 17:16:51 2005] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Mon Jun 20 17:16:51 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/bin/suexec)
[Mon Jun 20 17:16:51 2005] [notice] Digest: generating secret for digest authentication ...
[Mon Jun 20 17:16:51 2005] [notice] Digest: done
[Mon Jun 20 17:16:52 2005] [notice] FastCGI: wrapper mechanism enabled (wrapper: /usr/bin/suexec)
[Mon Jun 20 17:16:52 2005] [notice] FastCGI: process manager initialized (pid 32433)
[Mon Jun 20 17:16:52 2005] [warn] FastCGI: server "/home/httpd/cgi-bin/php" (uid 1005, gid 105) started (pid 32434)
[Mon Jun 20 17:16:52 2005] [notice] Apache configured -- resuming normal operations

ps aux | grep php is showing this info:

apache   32434  0.0  0.9  12564  4724 ?        Ss   17:16   0:00 /usr/bin/php-cgi
apache   32440  0.0  0.9  12564  4736 ?        S    17:16   0:00 /usr/bin/php-cgi
apache   32441  0.0  0.9  12564  4736 ?        S    17:16   0:00 /usr/bin/php-cgi
apache   32442  0.0  0.9  12564  4736 ?        S    17:16   0:00 /usr/bin/php-cgi
apache   32443  0.0  0.9  12564  4736 ?        S    17:16   0:00 /usr/bin/php-cgi
apache   32444  0.0  0.9  12564  4736 ?        S    17:16   0:00 /usr/bin/php-cgi
apache   32445  0.0  0.9  12564  4736 ?        S    17:16   0:00 /usr/bin/php-cgi
apache   32446  0.0  0.9  12564  4736 ?        S    17:16   0:00 /usr/bin/php-cgi
apache   32447  0.0  0.9  12564  4736 ?        S    17:16   0:00 /usr/bin/php-cgi

I am just wondering why are those processes runned by user apache while my idea was that they would runned by the user who's script would currently be executed.

Offline

#10 2005-06-20 16:25:44

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

OK, for user apache I got php working smile

I had a file info.php that only had phpinfo function call in it - and that was always set as "downloadable" for some reason when I tried to view it. I renamed it and could see the php info page. Weird...

Offline

#11 2005-06-20 18:00:13

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: Making Arch suitable for hosting with secure php support

Good to see you got something working. tongue
I never setup fastcgi in apache myself, and I always heard it was a pig to do..apparently it is. o.O


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#12 2005-06-21 05:29:40

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

Now it seems I got almost everyting working like I wanted :-D

Here is the rest of the story, how I got php process started with another users rights:

I made a directory /home/httpd/clients for clients, and set these settings for suexec in apache pkgbuild:

               --with-suexec-bin=/usr/bin/suexec 
                --with-suexec-userdir=/home/httpd/clients

and rebuilt apache. Userdir directive is needed when you would like to have php started when users dirs are in format ~username to the web.

Then created a new user that belongs to clients group and I copied /home/httpd/cgi-bin with php to that users dir and set that user for its owner. I had a php file in that users home dir, not in cgi-bin.

Then wrote these settings to httpd.conf:

<VirtualHost *>
    ServerName localhost
    ServerAdmin celeon@gmail.com
    ScriptAlias /cgi-bin/ /home/httpd/clients/insider/cgi-bin/
    DocumentRoot /home/httpd/clients/insider
    SuexecUserGroup "insider" "clients"
</VirtualHost>

<Directory /home/httpd/clients/insider>
    Options Indexes FollowSymLinks ExecCGI
    Allow from all
</Directory>

When I point my server to localhost/phpfile.php, ps aux | grep php shows this:

apache   31804  0.1  0.9  12564  4724 ?        Ss   08:22   0:00 /usr/bin/php-cgi
apache   31807  0.0  0.9  12564  4736 ?        S    08:22   0:00 /usr/bin/php-cgi
apache   31808  0.0  0.9  12564  4736 ?        S    08:22   0:00 /usr/bin/php-cgi
insider  31809  0.2  0.9  12564  4724 ?        Ss   08:22   0:00 /usr/bin/php-cgi
insider  31810  0.0  0.9  12700  5100 ?        S    08:22   0:00 /usr/bin/php-cgi
insider  31811  0.0  0.9  12700  4876 ?        S    08:22   0:00 /usr/bin/php-cgi

Offline

#13 2005-06-21 12:46:47

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

Now some more things I am trying to do and find out:

- mysql support doesn't exist for some reason in php-cgi/fcgi  - the options used in compilation were these standard ones used in Arch php package:

'--with-mysql=shared,/usr' 
'--with-mysql-sock=/tmp/mysql.sock'
 '--with-mysqli=shared'

EDIT: just set commented out mysql module active in php.ini

- eaccelerator to work (I wonder which owner/group attributes the cache files will have...)
- how could the spwaned php instances be removed automatically in some time? Why are 4-8 children needed anyway - why just one instance is not enough?
.......
EDIT: I found out that these lines in cgi-bin/php:

PHP_FCGI_MAX_REQUESTS=100
export PHP_FCGI_MAX_REQUESTS

will make each child process to handle only 100 requests until re-created - but still don't know how to remove the child processes.
..........

- setting up ~ handling for - user dirs (like url.com/~user) - perhaps also mod_rewrite rules to make ~ disappear for user so that just / will be sufficient.
- how to find out memory usage for each fcgi-php child process
- some basic speed tests using the same script and apache2/fcgi-php vs. apache1333/mod_php

Offline

#14 2005-06-21 18:16:40

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: Making Arch suitable for hosting with secure php support

sven wrote:

- eaccelerator to work (I wonder which owner/group attributes the cache files will have...)

I would imagine they would have permissions of the user executing php (ie the user shown on a ps output).

- how could the spwaned php instances be removed automatically in some time?

Yeah. the max requests determines how many requests each process services before terminating. Once a process is terminated, a new one is automatically started.

Why are 4-8 children needed anyway - why just one instance is not enough?

One process is the "master" process, and respawns the sub processes, keeps track of how many connections they service, etc. If you only have one process, then you are dramatically reducing the amount of concurrent connections that can be handled at the same time. But, if you want less, you can specify the number of subprocesses that get spawned.

## number of PHP childs to spawn
export PHP_FCGI_CHILDREN=12

- how to find out memory usage for each fcgi-php child process

I just use ps and grep to see how mine are behaving.

- some basic speed tests using the same script and apache2/fcgi-php vs. apache1333/mod_php

I recommend the apache bench tool (ab). Works great. I used it for alot of my web server test/benchmarking.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#15 2005-06-22 09:22:38

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

This childs/requests ratio has always been a bit unclear to me. Why wouldn't it be good to have one child that would handle something like 500 connections at one moment? Or has it something to do with connections being open? Like server is keeping connections open in interconnection with user's browser in order to be ready for more requests from that ip address?

Now I've been trying eaccelerator (new 0.9.3 version is out btw). I thought different e-accelerator processes would be started for each calling (inside the main php-fcgi process) and I thought this would make memory usage quite high - the default 16Mb for each.

When I have that cms system runnig for a user, then loading a start-up page for that user (the page has lots of includes) gets about 5.5 MB of that 16 to be allocated. The total memory consumption for the main process and the children is about 4.6 MB (but having only two children and PHP_FCGI_MAX_REQUESTS set to 500 in /cgi-bin/php)

eaccelerator info from phpinfo functions output:

Memory Size              16,777,176 Bytes
Memory Available     11,069,320 Bytes
Memory Allocated     5,707,856 Bytes

then ps aux | grep php

insider    10231  0.0  1.0  30296  5224 ?        Ss   11:29   0:00 /usr/bin/php-cgi
insider    10232  0.0  2.5  33752 12944 ?        S    11:29   0:00 /usr/bin/php-cgi
insider    10233  0.0  1.1  30692  5916 ?        S    11:29   0:00 /usr/bin/php-cgi

Then tested with eaccelerator switched off:
phpinfo showed only about 2 KB of memory consumption

but then ps aux | grep php showed this:

insider    11447  0.0  1.0  30296  5224 ?        Ss   12:07   0:00 /usr/bin/php-cgi
insider    11448  0.5  2.5  39696 13280 ?        S    12:07   0:00 /usr/bin/php-cgi
insider    11449  1.2  2.7  40620 14348 ?        S    12:07   0:00 /usr/bin/php-cgi

and on the restart and again loading the main page (eaccelerator still off)

got this:

insider    11900  1.4  1.0  30296  5224 ?        Ss   12:11   0:00 /usr/bin/php-cgi
insider    11901 10.6  2.7  40620 14236 ?        S    12:11   0:00 /usr/bin/php-cgi
insider    11902  0.0  1.0  30296  5236 ?        S    12:11   0:00 /usr/bin/php-cgi

on the third run the same result (1.0,2.7,1.0)

Then I made another test (with eaccelerator on) - just run phpinfo page from that insider site and did not go to cms page yet:

insider    13725  0.3  1.0  30296  5224 ?        Ss   12:23   0:00 /usr/bin/php-cgi
insider    13726  0.0  1.1  30692  5904 ?        S    12:23   0:00 /usr/bin/php-cgi
insider    13727  0.0  1.1  30692  5784 ?        S    12:23   0:00 /usr/bin/php-cgi

And then went on to cms page:

insider    13725  0.0  1.0  30296  5224 ?        Ss   12:23   0:00 /usr/bin/php-cgi
insider    13726  0.1  2.5  33740 12932 ?        S    12:23   0:00 /usr/bin/php-cgi
insider    13727  0.0  1.1  30692  5788 ?        S    12:23   0:00 /usr/bin/php-cgi

So this far memory usage with/without eaccelerator has seemed pretty odd to me. I thought the "Memory Allocated"  info in phpinfo output could be somehow seen with ps.

EDIT: eaccelerator.shm_ttl option could be good for eaccelerator in php.ini - setting it to certain amount of seconds has the effect kicking out scripts that were not accessed during the maount of these seconds. This is applied when memory is full and more scripts cannot be added.

EDIT2: "shm_and_disk", cache data in shared memory and on disk (default value) - this swapping is the reason why memory usage is different in different cases.

Offline

#16 2005-06-22 16:15:54

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: Making Arch suitable for hosting with secure php support

sven wrote:

This childs/requests ratio has always been a bit unclear to me. Why wouldn't it be good to have one child that would handle something like 500 connections at one moment? Or has it something to do with connections being open? Like server is keeping connections open in interconnection with user's browser in order to be ready for more requests from that ip address?

A single process can handle only so many simultaneous connections. A single process can only execute one set of code at a time. The rest of the requests for execution just queue up. With more child processes, less wait time in the queue.
And the max_child_requests is not how many requests can be handled at once, it is how many requests each child will handle before that child process is restarted (to clean up memory space and so forth).

Now I've been trying eaccelerator (new 0.9.3 version is out btw). I thought different e-accelerator processes would be started for each calling (inside the main php-fcgi process) and I thought this would make memory usage quite high - the default 16Mb for each.

eacelerator is a php module. it just becomes a part of the php process. just like mysql support does.

As for memory usage, it is per child process, I believe. So, when you are viewing phpinfo, you are viewing stats from only one of the php child processes..the one that serviced your connection.

eaccelerator info from phpinfo functions output:

Memory Size              16,777,176 Bytes
Memory Available     11,069,320 Bytes
Memory Allocated     5,707,856 Bytes

then ps aux | grep php

insider    10231  0.0  1.0  30296  5224 ?        Ss   11:29   0:00 /usr/bin/php-cgi
insider    10232  0.0  2.5  33752 12944 ?        S    11:29   0:00 /usr/bin/php-cgi
insider    10233  0.0  1.1  30692  5916 ?        S    11:29   0:00 /usr/bin/php-cgi

For example. Lets assume that process 10233 served the request for you phpinfo page. The 6th field, having the header RSS (resident set size), shows how much non-swapped in resident memory is being used by that process, in kilobytes. So process 10233 is using 5,916KB. The phpinfo output claim the process that served it is using 5,707,856 Bytes, or about 5,574KB.
But consider that eacelerator also was involved in serving the phpinfo page itself or maybe another page or two in the mean time, so you might need to tack on a tad bit more memory usage. Still, those numbers are pretty close.

EDIT: eaccelerator.shm_ttl option could be good for eaccelerator in php.ini - setting it to certain amount of seconds has the effect kicking out scripts that were not accessed during the maount of these seconds. This is applied when memory is full and more scripts cannot be added.

That is not what the value means. If you look here (http://eaccelerator.net/IniSettingsUk) you will see what each of the config values means.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#17 2005-06-23 12:21:50

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

Ok, thanks for the info, I was not sure about what all the columns mean in ps output.

Now I am trying to get this fastcgi thing to work with older apache, too. I'll let know how it goes.

Found this interesting article of apache 2 vs. apache 1 PHP script execution speed.

Offline

#18 2005-06-23 16:36:44

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

Tried to do most things like with apache 2 and that did not work out. Here is the output of httpd -l:

Compiled-in modules:
  http_core.c
  .
  .
  .
  mod_setenvif.c
suexec: disabled; invalid wrapper /usr/sbin/suexec

I found this from apache docs:

COMPILING APACHE FOR USE WITH SUEXEC
By default, Apache is compiled to look for the suEXEC wrapper in the following location.

From src/include/httpd.h

     /* The path to the suExec wrapper, can be overridden in Configuration */
     #ifndef SUEXEC_BIN
     #define SUEXEC_BIN  HTTPD_ROOT "/sbin/suexec"
     #endif

If your installation requires location of the wrapper program in a different directory, either add -DSUEXEC_BIN="</your/path/to/suexec>" to your CFLAGS (or edit src/include/httpd.h) and recompile your Apache server. See Compiling and Installing Apache (and the INSTALL file in the source distribution) for more info on this process.

EDIT: gave up fighting to set the suexec dir smile I let suexec reside in /usr/sbin/ - I hope the reason why apache 2 suexec is copied to /usr/bin is only because of some kind of style/convention of Arch and not because of security.

Offline

#19 2005-06-23 19:55:42

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

Suexec, fastcgi and other stuff is working fine in apache 1.3.33. I'll post the packages later.

Now I've been wondering why I can't set directory rights to 700 - apache gives 403:forbidden error. This seems weird because owner should be able to access the dir and I thought apache suexec'ed php-fast cgi process could do that.

EDIT: suexec is operating at first as nobody when it goes though the 20 step list - that is why permission has to be at least 711 for dirs and then 700 for scripts. This info was here.

Offline

#20 2005-06-24 09:44:50

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

Wow, mod_security rules for sure  big_smile  I can even make it filter out POST payloads that are containing certain words. Great for automatically helping clients to keep their blogs/forums clean.

Just use this for example: SecFilterSelective "POST_PAYLOAD" "poker-w.com" "redirect:http://www.cybercrime.gov/reporting.htm"

It would be great to redirect to the self-page instead - got to see how it works.
EDIT (29.06.05): I have managed to do it with php - just did this:
Made a file called ohbehave.php and wrote this into it:

<?php
$url = $_SERVER['HTTP_REFERER'];
if(!strstr($url,'ohbehave.php'))
   header("Location: $url");
?>

That if is needed to disallow self-reference (and endless recursive loop). Then I needed to set that "redirect:" above to ohbehave.php

In the meantime here are some more tips and rulesets:
a  sample ruleset
tips on helping to keep forums clean
making a blacklist
a nice introduction

Offline

#21 2005-06-24 16:59:03

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

Some new things came up: php has some very influental functions that can make a cracker's actions much easier - these are exec(), fwrite(), fopen and some more.

Because php-fastcgi daemons can have access to /etc, it could be easy to cat /etc/passwd or other files assisting in hacking to /tmp/somefile and then include it to the current .php page for example. So it would be much disastrous if there would be vulnerabilities for example in some file upload scripts. 

Many scripts need to have those - especially Menalto Gallery for example. Even if I would make a different php.ini just for every user, this file could be overwritten by the php-fcgi owner... I think the only way would be to set more strict access permissions to /etc and other important dirs.

Chrooting starts to seem more and more important thing to implement. This whole thing seems to get larger as I dig deeper into it sad

Offline

#22 2005-06-24 18:18:50

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: Making Arch suitable for hosting with secure php support

In php.ini you can set safe_mode, and you can manually disable access to functions. I usually disable the phpinfo function on a production system.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#23 2005-06-25 20:30:00

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

I put aside the older apache and fcgi since it did not feel that much faster - and configuring apache 2 seems to be easier. So I won't put the packages visible. Instead I will now concentrate on chrooting user dirs, apache 2 and php along with fastcgi. I still would like my users to be able use exec() and other functions. I will also try to chroot mysql separately and let it be in contact with apache via link created from apache chroots /tmp dir to mysqls chroot dirs /tmp.

Offline

#24 2005-06-25 22:13:20

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: Making Arch suitable for hosting with secure php support

um..why? apache doesn't talk directly to mysql. The php instances connect to mysql, usally over a socket, but it works over lo too. There should be no reason to share a temp dir.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#25 2005-06-26 15:56:14

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

What I meant was that apache, php, php-cgi, fastcgi, sendmail and some other needed programs would be in one chroot jail and then mysql would be in another. Both chroot environments would have /tmp dirs and the chroots would be on the same partition and file system. Then I read from a freebsd doc that php and mysql could communicate via socket in /tmp. Thus mysql generates link in its /tmp dir and I would make a soft link from apache/php.. chroots /tmp to that mysql chroots /tmp. I am not sure though if this is a better way than localhost method. Perhaps speedwise the socket method is better?

Offline

Board footer

Powered by FluxBB