SPOJE.NET

Technical documentation


howto:hosting:cgi_su_exec

Differences

This shows the differences between the selected revision and the current version of the page.

howto:hosting:cgi_su_exec [2014/01/18 10:36] (current)
Line 1: Line 1:
 +====== SU Exec CGI a PHP skriptů ======
  
 +===== Apache multiuser MPM =====
 +
 +Install **apache2-mpm-itk** package. Then you can set different users/​groups in [[man>​apache2|apache'​s]] sites-available. Nice bonus is that you can also set custom nice value and limit number of parallel clients for each site:
 +
 +<code apache>
 +        <​IfModule mpm_itk_module>​
 +                AssignUserID myusername www-data
 +                #​MaxClientsVHost 10
 +                #NiceValue 6
 +        </​IfModule>​
 +</​code>​
 +
 +===== Lighttpd =====
 +
 +For [[man>​lighttpd]] you can use CGI wrapper (you have to compile it by yourself). First enable **mod_cgi** and then assign .php to desired wrapper. Also be sure that you are not using //​mod_fastcgi//​ (well... while not completely unreal, it's probably not easy or desirable to wrap fastcgi).
 +
 +<code conf lighttpd.conf>​
 +cgi.assign = (
 + #"​.pl" ​ => "/​usr/​bin/​perl",​
 + #"​.cgi"​ => "/​usr/​bin/​perl",​
 + "​.php" ​ => "/​usr/​local/​bin/​php-cgi-su",​
 +)
 +</​code>​
 +
 +==== CGI SU Exec wrapper code ====
 +
 +Source: https://​github.com/​Harvie/​Programs/​tree/​master/​c
 +
 +<code c php-cgi-su.c>​
 +/*
 + * SU-EXEC Wrapper
 + * Execute script under it's owner'​s privileges
 + * CopyLefted by: Harvie 2oo9
 +*/
 +
 +#include <​stdio.h>​
 +#include <​stdlib.h>​
 +#include <​unistd.h>​
 +#include <​sys/​types.h>​
 +#include <​sys/​stat.h>​
 +#include <​pwd.h>​
 +#include <​grp.h>​
 +
 +#define INTERPRETER "/​usr/​bin/​php-cgi"​
 +//#define INTERPRETER "/​usr/​bin/​perl"​
 +
 +void auth_fail() {
 + puts("​Error:​ Permission denied!\n"​);​
 + exit(-1);
 +}
 +
 +int main(int argc, char **argv, char **environ) {
 + if(argc != 2) { //Do not accept more than one argument
 + printf(
 + "​SetUID wrapper for %s interpretter\n"​
 + "​Usage:​ %s script\n\n",​
 + INTERPRETER,​ argv[0]
 + );
 + return -1;
 + }
 + struct stat st;
 + if(!stat(argv[1],​ &st)) {
 + //Get user info
 + struct passwd *pw;
 + if(!(pw = getpwuid(st.st_uid))) auth_fail();​
 + //Change groups
 + if(initgroups(pw->​pw_name,​ pw->​pw_gid)) auth_fail();​
 + //Change UID a GID
 + if(setgid(pw->​pw_gid)) auth_fail();​
 + if(setegid(pw->​pw_gid)) auth_fail();​
 + if(setuid(pw->​pw_uid)) auth_fail();​
 + if(seteuid(pw->​pw_uid)) auth_fail();​
 + //Fail if still have root privileges
 + if(getuid() == 0 || getgid() == 0) auth_fail();​
 + //Launch binary
 + return(execve(INTERPRETER,​ argv, environ));
 + } else {
 + printf("​Error:​ Can't stat file: %s\n\n",​ argv[1]);
 + return -1;
 + }
 +}
 +</​code>​
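Review bot: in php-cgi-su.c, main() picks the target identity from `stat(argv[1], &st)` alone and then runs `execve(INTERPRETER, argv, environ)`, so the wrapper never checks who is calling it, what kind of file the path names, or which environment it passes on. The usage text calls this a SetUID wrapper, so these checks belong before the identity switch, along the lines of what Apache's suexec does: accept only the web server's UID as the caller, use `lstat()` and require a regular file under an allowed document root that is not group- or world-writable (and whose directory is not either), and refuse owners below a minimum UID/GID instead of testing only for UID 0 or GID 0 afterwards. The path is resolved once by `stat()` and again later by the interpreter, so the owner that was checked and the file that is run are not guaranteed to be the same object; the directory-permission check narrows that window. Build a cleaned environment for the `execve()` call rather than forwarding the caller's `environ`, and have auth_fail() write to stderr so the message does not land in the CGI response. The Lighttpd section should also state the ownership and mode expected for /usr/local/bin/php-cgi-su, which the page currently leaves to the reader.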
howto/hosting/cgi_su_exec.txt · Last modified: 2014/01/18 10:36 (external edit)