webcp.hostinghacks.net/slackware | suphp
PHP scripts run as the generic 'apache' user for every virtual host. The same goes for any CGI script. This means that all of your client's scripts have to be read and execute enabled for the 'apache' user, and they will be invoked by the web server as the user 'apache'. This presents two problems: 1) Any client can construct a script that can read another client's scripts (which sometimes contain database passwords or other goodies) since all scripts must be read-enabled for the 'apache' user (typically 755 permissions). This can be prevented by safe_mode, which limits a script from accessing a file not owned by the same user as the script. 2) It can be hard to tell which user is running a script because the web server always invokes the script as the user 'apache'. This makes it hard to detect spammers who often upload scripts to do a mass mailing, then delete it before you have a chance to find it. If you look in your maillog all you will see is 'apache', and a ps will only show 'apache'. SuPHP is a wrapper that runs the PHP script as the user who owns the script (similar in concept to suexec, but for PHP). This allows the client to set permissions on their scripts to 700, and not have to worry about other clients snooping around. Also, if the script invokes sendmail, e.g. mail(), then that username will appear in the maillog for each message sent.
### Build a PHP CGI ###
cd /usr/src wget http://public.planetmirror.com/pub/php/distributions/php-4.3.11.tar.gz # wget http://hostinghacks.net/dist/php-4.3.11.tar.gz tar -zxf php-4.3.11.tar.gz cd /usr/src/php-4.3.11 ./configure \ --prefix=/usr \ --program-prefix=cgi- \ --with-apache=no \ --enable-force-cgi-redirect \ --enable-discard-path \ --with-config-file-path=/etc/apache/ \ --with-mysql \ --with-zlib \ --with-gd \ --enable-gd-native-ttf \ --with-png-dir=/usr \ --with-jpeg-dir=/usr \ --enable-pic \ --with-ncurses \ --enable-shmop \ --enable-xml \ --enable-track-vars \ --with-ttf \ --with-gettext \ --with-openssl=/usr \ --disable-cli \ --disable-pear \ --disable-debug \ --enable-safe-mode make && make install ### Install suPHP ### cd /usr/src wget http://www.suphp.org/download/suphp-0.5.2.tar.gz tar -xzf suphp-0.5.2.tar.gz cd /usr/src/suphp-0.5.2 ./configure \ --prefix=/usr \ --with-min-uid=100 \ --with-min-gid=100 \ --with-apache-user=nobody \ --with-php=/usr/bin/cgi-php \ --with-logfile=/var/log/apache/suphp_log \ --with-setid-mode=owner make && make install
configure httpd.conf:
cat > /etc/apache/httpd.conf << "EOF"
ServerType standalone
ServerName serv1.fatpenguinhosting.com
ServerAdmin servadmin@localhost.usa
ServerRoot "/usr"
PidFile /var/run/httpd.pid
ScoreBoardFile /var/run/httpd.scoreboard
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
MaxRequestsPerChild 0
Port 80
User nobody
Group nobody
HostnameLookups Off
UseCanonicalName On
Listen 80
Listen 443
LoadModule vhost_alias_module libexec/apache/mod_vhost_alias.so
LoadModule env_module libexec/apache/mod_env.so
LoadModule define_module libexec/apache/mod_define.so
LoadModule config_log_module libexec/apache/mod_log_config.so
LoadModule mime_magic_module libexec/apache/mod_mime_magic.so
LoadModule mime_module libexec/apache/mod_mime.so
LoadModule negotiation_module libexec/apache/mod_negotiation.so
LoadModule status_module libexec/apache/mod_status.so
LoadModule info_module libexec/apache/mod_info.so
LoadModule includes_module libexec/apache/mod_include.so
LoadModule autoindex_module libexec/apache/mod_autoindex.so
LoadModule dir_module libexec/apache/mod_dir.so
LoadModule cgi_module libexec/apache/mod_cgi.so
LoadModule asis_module libexec/apache/mod_asis.so
LoadModule action_module libexec/apache/mod_actions.so
LoadModule speling_module libexec/apache/mod_speling.so
LoadModule userdir_module libexec/apache/mod_userdir.so
LoadModule alias_module libexec/apache/mod_alias.so
LoadModule rewrite_module libexec/apache/mod_rewrite.so
LoadModule access_module libexec/apache/mod_access.so
LoadModule auth_module libexec/apache/mod_auth.so
LoadModule expires_module libexec/apache/mod_expires.so
LoadModule headers_module libexec/apache/mod_headers.so
LoadModule usertrack_module libexec/apache/mod_usertrack.so
LoadModule log_forensic_module libexec/apache/mod_log_forensic.so
LoadModule setenvif_module libexec/apache/mod_setenvif.so
LoadModule watch_module libexec/apache/mod_watch.so
### LoadModule php4_module libexec/apache/libphp4.so
LoadModule ssl_module libexec/apache/libssl.so
LoadModule suphp_module libexec/apache/mod_suphp.so
ClearModuleList
AddModule mod_suphp.c
AddModule mod_vhost_alias.c
AddModule mod_env.c
AddModule mod_define.c
AddModule mod_log_config.c
AddModule mod_mime_magic.c
AddModule mod_mime.c
AddModule mod_negotiation.c
AddModule mod_status.c
AddModule mod_info.c
AddModule mod_include.c
AddModule mod_autoindex.c
AddModule mod_dir.c
AddModule mod_cgi.c
AddModule mod_asis.c
AddModule mod_actions.c
AddModule mod_speling.c
AddModule mod_userdir.c
AddModule mod_alias.c
AddModule mod_rewrite.c
AddModule mod_access.c
AddModule mod_auth.c
AddModule mod_expires.c
AddModule mod_headers.c
AddModule mod_usertrack.c
AddModule mod_log_forensic.c
AddModule mod_so.c
AddModule mod_setenvif.c
AddModule mod_watch.c
###AddModule mod_php4.c
AddModule mod_ssl.c
DirectoryIndex index.html index.htm index.php index.shtml default.htm
AddHandler x-httpd-php .php
suPHP_Engine on
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>
<Directory />
Options FollowSymLinks Includes
AllowOverride All
</Directory>
DocumentRoot "/var/www/htdocs"
<Directory "/var/www/htdocs">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<IfModule mod_watch.c>
<Location /watch-info>
SetHandler watch-info
</Location>
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.html
</IfModule>
<IfModule mod_mime.c>
TypesConfig /etc/apache/mime.types
</IfModule>
DefaultType text/plain
<IfModule mod_mime_magic.c>
MIMEMagicFile /etc/apache/magic
</IfModule>
ErrorLog /var/log/apache/error_log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
CustomLog /var/log/apache/access_log common
ServerSignature On
<IfModule mod_alias.c>
Alias /icons/ "/var/www/icons/"
<Directory "/var/www/icons">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
</IfModule>
<IfModule mod_autoindex.c>
IndexOptions FancyIndexing
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^
DefaultIcon /icons/unknown.gif
ReadmeName README
HeaderName HEADER
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
</IfModule>
<IfModule mod_mime.c>
AddCharset ISO-8859-8 .iso8859-8
AddCharset ISO-8859-2 .iso-pl
AddCharset Big5 .Big5 .big5
AddCharset WINDOWS-1251 .cp-1251
AddCharset CP866 .cp866
AddCharset UTF-8 .utf8
AddType application/x-tar .tgz
AddEncoding x-compress .Z
AddEncoding x-gzip .gz .tgz
</IfModule>
<IfModule mod_setenvif.c>
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
</IfModule>
<IfModule mod_ssl.c>
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/var/log/apache/ssl_cache
SSLSessionCacheTimeout 300
SSLMutex file:/var/log/apache/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog /var/log/apache/ssl_engine_log
SSLLogLevel info
</IfModule>
<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
</IfDefine>
## VIRTUAL HOSTS CONFIGURED BY WEB CONTROL PANEL
Include /home/webcp/httpd/include/include.httpd
EOF
Check all settings in config.php. Any settings not applied here will default from
/home/webcp/web/config.inc.php. To leave a setting to it's default remove
it from config.php.
cat > /home/webcp/config.php << "EOF" <? // System $cfg['adminmail'] = 'servadmin@localhost.usa'; $cfg['sysname'] = 'serv1.fatpenguinhosting.com'; $cfg['ssl'] = true; $cfg['port'] = 2081; $cfg['httpd_mode'] = 'apache'; $cfg['loglevel'] = 2; $cfg['log_system'] = 'file'; $cfg['logfile'] = '/var/log/webcp.log'; $cfg['accesslog'] = '/var/log/apachecp/access'; $cfg['devhd'] = '/dev/md3'; $cfg['key'] = 'used.4.db.encryption'; $cfg['pid'] = '/var/run/webcp/webcp.pid'; $cfg['basedir'] = '/home/webcp'; $cfg['webdir'] = '/home'; $cfg['webname'] = 'web'; $cfg['os'] = 'linux'; $cfg['osversion'] = 'RedHat9.0'; // (*no setting exists for slack. use redhat9.0*) $cfg['ftpserver'] = 'proftpd'; $cfg['mailserver'] = 'sendmail'; // alternate = 'virtualqmail'; // Mysql $cfg['dbhost'] = 'localhost'; $cfg['dbuser'] = 'root'; $cfg['dbpass'] = 'dbpasswd'; $cfg['dbname'] = 'webcp'; $cfg['dbadminuser'] = 'root'; $cfg['dbadminpass'] = 'used.4.db.backups'; // Interface $cfg['sslang'] = 'php,ssi,perl,ssl,awstats'; $cfg['cookiesec'] = true; $cfg['ucount'] = 25; $cfg['bandwidth'] = false; $cfg['lang'] = 'english'; $cfg['defaultskin'] = 'bluefade'; // DNS (none|mail|bind|tinydns|mydns|pdns) $cfg['dns_system'] = 'bind'; $cfg['dns_email'] = 'servadmin@localhost.usa'; $cfg['dns_server1'] = 'ns1.fatpenguinhosting.com'; $cfg['dns_server2'] = 'ns2.fatpenguinhosting.com'; $cfg['mail_exchanger1'] = 'mx1.fatpenguinhosting.com'; $cfg['mail_exchanger2'] = 'mx2.fatpenguinhosting.com'; //to sync with a secondary: $cfg['masterip']=" 172.16.0.1"; // IMAP settings $cfg['uwimap'] = false; $cfg['uwimapdir'] = '/var/imap'; $cfg['allowed_cfg'] = 'dbhost|dbuser|dbpass|dbname| sysname|adminmail|os|osversion|defaultlang|key|httpd_mode'; $cfg['badusers'] = ' root bin daemon adm lp sync shutdown halt mail news uucp operator games gopher ftp nobody nscd mailnull ident rpc xfs httpd apache named webmail dovecot webcp mysql smmsp pop gdm sshd '; // Server Side HTTP config Location // Double quotes are used here because single quotes are needed within the strings $cfg['ss']['perl'] = "\tAddHandler cgi-script .cgi .pl\n\t <Directory '%PATH%'>\n\tOptions +ExecCGI\n\t</Directory>"; $cfg['ss']['php'] = "\t#php_admin_flag engine On \t#php_admin_value doc_root %PATH% \t#php_admin_value safe_mode_exec_dir .:%PATH% \t#php_admin_value open_basedir .:/tmp:/usr/sbin:/usr/share/pear:".$cfg['php_lib'].":%PATH% \tAddType application/x-httpd-php .php .php4 .php3 .phtml \tAddType application/x-httpd-php-source .phps\n"; $cfg['ss']['ssi'] = "\tAddType text/html .shtml\n\tAddHandler server-parsed .shtml"; $cfg['ss']['awstats'] = "\tAlias /awstatsclasses \"/usr/local/awstats/wwwroot/classes/\" \tAlias /awstatscss \"/usr/local/awstats/wwwroot/css/\" \tAlias /awstatsicons \"/usr/local/awstats/wwwroot/icon/\" \tScriptAlias /awstats/ \"/usr/local/awstats/wwwroot/cgi-bin/\" \t<Directory \"/usr/local/awstats/wwwroot\"> \t\tOptions None \t\tAllowOverride None \t\tOrder allow,deny \t\tAllow from all \t</Directory>"; // Sendmail Configurations $cfg['mail_spool'] = '/var/spool/mail'; $cfg['mail_access'] = '/etc/mail/access'; $cfg['mail_virtuser'] = '/etc/mail/virtusertable'; $cfg['mail_aliases'] = '/etc/mail/aliases'; $cfg['mail_sendmail'] = '/etc/mail/local-host-names'; // Service stop / start / restart $cfg['init']['httpd'] = '/etc/rc.d/rc.httpd'; $cfg['init']['httpd-cp'] = '/etc/rc.d/rc.apachecp'; $cfg['init']['sendmail'] = '/etc/rc.d/rc.sendmail'; $cfg['init']['named'] = '/etc/rc.d/rc.bind'; // Service PID (for monitoring) $cfg['spid']['httpd'] = '/var/run/httpd.pid'; $cfg['spid']['httpd-cp']= '/var/run/httpd-cp.pid'; $cfg['spid']['sendmail']= '/var/run/sendmail.pid'; $cfg['spid']['named'] = '/var/run/named/named.pid'; $cfg['spid']['proftpd'] = '/var/run/proftpd.pid'; $cfg['spid']['pop3'] = '/var/run/sendmail.pid'; $cfg['spid']['imap'] = '/var/run/dovecot/master.pid'; $cfg['spid']['httpd-cp'] = '/var/run/apachecp.pid'; ?> EOF chmod 600 /home/webcp/config.php chown webcp.webcp /home/webcp/config.php
<?php $to = 'nobody@example.com'; $subject = 'the subject'; $message = 'hello'; $headers = 'From: webmaster@example.com' . "\r\n" . 'Reply-To: webmaster@example.com' . "\r\n" . 'X-Mailer: PHP/' . phpversion(); mail($to, $subject, $message, $headers); ?>