SPOJE.NET

Technical documentation


SU Exec for CGI and PHP scripts

Apache multiuser MPM

Install the apache2-mpm-itk package. You can then set a different user/group for each site in Apache's sites-available. A nice bonus is that you can also set a custom nice value and limit the number of parallel clients for each site:

        <IfModule mpm_itk_module>
                AssignUserID myusername www-data
                #MaxClientsVHost 10
                #NiceValue 6
        </IfModule>

Lighttpd

For lighttpd you can use a CGI wrapper (you have to compile it yourself). First enable mod_cgi, then assign .php to the desired wrapper. Also make sure that you are not using mod_fastcgi (while not completely impossible, wrapping FastCGI is probably neither easy nor desirable).

lighttpd.conf
cgi.assign		= (
			#".pl"  => "/usr/bin/perl",
			#".cgi" => "/usr/bin/perl",
			".php"  => "/usr/local/bin/php-cgi-su",
)

CGI SU Exec wrapper code

Source: https://github.com/Harvie/Programs/tree/master/c

php-cgi-su.c
/*
 * SU-EXEC Wrapper
 * Execute script under its owner's privileges
 * CopyLefted by: Harvie 2oo9
*/
 
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <pwd.h>
#include <grp.h>
 
#define INTERPRETER "/usr/bin/php-cgi"
//#define INTERPRETER "/usr/bin/perl"
 
void auth_fail() {
	puts("Error: Permission denied!\n");
	exit(-1);
}
 
int main(int argc, char **argv, char **environ) {
	if(argc != 2) { //Do not accept more than one argument
		printf(
			"SetUID wrapper for %s interpreter\n"
			"Usage: %s script\n\n",
			INTERPRETER, argv[0]
		);
		return -1;
	}
	struct stat st;
	if(!stat(argv[1], &st)) {
		//Get user info for the script's owner
		struct passwd *pw;
		if(!(pw = getpwuid(st.st_uid))) auth_fail();
		//Change supplementary groups
		if(initgroups(pw->pw_name, pw->pw_gid)) auth_fail();
		//Change GID and UID (group first, while we still have the privileges to do so)
		if(setgid(pw->pw_gid)) auth_fail();
		if(setegid(pw->pw_gid)) auth_fail();
		if(setuid(pw->pw_uid)) auth_fail();
		if(seteuid(pw->pw_uid)) auth_fail();
		//Fail if we still have root privileges (real or effective)
		if(getuid() == 0 || geteuid() == 0 || getgid() == 0 || getegid() == 0) auth_fail();
		//Launch the interpreter; execve() returns only on failure
		return(execve(INTERPRETER, argv, environ));
	} else {
		printf("Error: Can't stat file: %s\n\n", argv[1]);
		return -1;
	}
}
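
The wrapper above trusts whatever stat() reports for the script path. As an added example (not part of the original wrapper or of Harvie's repository), the function below vets a script before any setuid() call: it refuses symlinks, non-regular files, low-numbered owners, files writable by group or others, and setuid/setgid files. The names vet_script, vet_result and the min_uid threshold are assumptions made for this illustration.

```c
/* Added example: vet a script before dropping privileges to its owner. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum vet_result { VET_OK = 0, VET_OPEN, VET_NOT_FILE, VET_LOW_UID,
                  VET_WRITABLE, VET_SETID };

/*
 * Decide which uid a script may run as. min_uid is a hypothetical site
 * policy threshold (e.g. 1000) that keeps root and system accounts from
 * ever becoming a switch target. On VET_OK the owner is stored in *uid.
 */
enum vet_result vet_script(const char *path, uid_t min_uid, uid_t *uid) {
	struct stat st;
	/* O_NOFOLLOW: refuse a symlink as the final path component.
	 * O_NONBLOCK: do not hang if the path turns out to be a FIFO. */
	int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
	if (fd < 0) return VET_OPEN;
	/* fstat() the descriptor so every check applies to the object opened. */
	int rc = fstat(fd, &st);
	close(fd);
	if (rc != 0) return VET_OPEN;
	if (!S_ISREG(st.st_mode)) return VET_NOT_FILE;
	if (st.st_uid < min_uid) return VET_LOW_UID;
	/* Someone other than the owner could change what runs as the owner. */
	if (st.st_mode & (S_IWGRP | S_IWOTH)) return VET_WRITABLE;
	if (st.st_mode & (S_ISUID | S_ISGID)) return VET_SETID;
	*uid = st.st_uid;
	return VET_OK;
}

int main(int argc, char **argv) {
	uid_t uid = 0;
	if (argc != 2) {
		fprintf(stderr, "Usage: %s script\n", argv[0]);
		return 2;
	}
	/* 1000 is an assumed "first regular user" uid; adjust to the system. */
	enum vet_result r = vet_script(argv[1], 1000, &uid);
	printf("%s: result=%d owner=%ld\n", argv[1], (int)r, (long)uid);
	return r == VET_OK ? 0 : 1;
}
```

The interpreter still opens the script by path after the check, so this narrows the window between check and exec without closing it.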
howto/hosting/cgi_su_exec.txt · Last modified: 2014/01/18 10:36 by 127.0.0.1