Brandon Mercer wrote:
Anon wrote:
Hello :)
My questions can be summarised as :
1) What is the easiest way to install php in CGI mode on OBSD?
2) Why doesn't OBSD have a package for php that includes the CGI version?
3) Why doesn't OBSD have a suphp package? Is there any special reason?
I ask these questions because suphp (http://www.suphp.net) is a
program that switches the uid of php scripts run under apache, so they
run as the uid of the script owner instead of the uid of the webserver. This
makes it similar to SuEXEC, a very well known security program that
does the same thing for perl scripts, and is included in the OBSD
system. I find it critical to have as a security tool, because without
it any local user can use php scripts to send mail as 'nobody' or
'www' - without much in the way of logs - and they can also browse the
files of other users via scripts... and generally do a lot of things
they should not be able to do.
As OBSD is focused on security, it makes a lot of sense to me that
OBSD would at least include the CGI version of PHP in its php-core
packages, and preferably have a suphp package too.
Now, I realise that suphp is mainly made for linux - but I do think it
should be ported for OBSD, because, frankly, without it, allowing
local users to run php scripts on your webserver is a very insecure
idea. Lots of people run webservers on OBSD (like myself) and we're
concerned that OBSD provides no obvious way to remedy this
exploit-waiting-to-happen.
It'd be consistent with your policy of including suexec to also
include suphp. I'm trying to go with the OBSD guide's advice and only
use the packages, but this is difficult when there are (imho)
essential tools (and even the things they depend on) which aren't
available as packages :-(
Suggestions would be very welcome :)
Ok, you've convinced me.... now my suggestion: Port it! We here at
OpenBSD like to SUAC! Good luck!
Brandon
For a program to become other users, it must have root privs. It must
be used with caution. I don't know if there is enough confidence in php
yet.
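To illustrate the point in the last reply (a wrapper that becomes other users must itself run as root, so it has to refuse unsafe targets and drop privileges in the right order), here is an added example in C. It is not code from suphp, suexec or OpenBSD; it is a minimal suexec-style wrapper written for this thread. check_script() decides from lstat() data whether a setuid-root wrapper may switch to the script's owner, and drop_to_owner() performs the switch and verifies that root cannot be regained. The uid/gid floor of 1000 and the php CGI binary path /usr/local/bin/php are assumptions.

```c
/* Added example for this thread, not suphp/suexec/OpenBSD code:
 * a minimal suexec-style uid-switching wrapper. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>

#define UID_MIN 1000   /* assumption: lowest uid of a real local user */
#define GID_MIN 1000   /* assumption: lowest gid of a real local group */

enum check_result {
    CHECK_OK = 0,
    CHECK_NOT_REGULAR,        /* symlink, directory, device: refuse */
    CHECK_OWNER_ROOT,         /* never run anything as root */
    CHECK_OWNER_SYSTEM,       /* daemon/system accounts are off limits */
    CHECK_GROUP_SYSTEM,
    CHECK_SETID_BIT,          /* setuid/setgid scripts are not allowed */
    CHECK_WRITABLE_BY_OTHERS  /* another user could replace the script */
};

/* Pure decision on lstat() data, so it can be exercised without root.
 * Order matters: the most severe refusal is reported first. */
enum check_result check_script(const struct stat *st)
{
    if (!S_ISREG(st->st_mode))               return CHECK_NOT_REGULAR;
    if (st->st_uid == 0)                     return CHECK_OWNER_ROOT;
    if (st->st_uid < UID_MIN)                return CHECK_OWNER_SYSTEM;
    if (st->st_gid < GID_MIN)                return CHECK_GROUP_SYSTEM;
    if (st->st_mode & (S_ISUID | S_ISGID))   return CHECK_SETID_BIT;
    if (st->st_mode & (S_IWGRP | S_IWOTH))   return CHECK_WRITABLE_BY_OTHERS;
    return CHECK_OK;
}

const char *check_name(enum check_result r)
{
    switch (r) {
    case CHECK_OK:                 return "ok";
    case CHECK_NOT_REGULAR:        return "not a regular file";
    case CHECK_OWNER_ROOT:         return "owned by root";
    case CHECK_OWNER_SYSTEM:       return "owned by a system uid";
    case CHECK_GROUP_SYSTEM:       return "owned by a system gid";
    case CHECK_SETID_BIT:          return "setuid/setgid bit set";
    case CHECK_WRITABLE_BY_OTHERS: return "writable by group or others";
    }
    return "unknown";
}

/* Switch from root to the script owner: supplementary groups first,
 * then gid, then uid (the reverse order would fail, since a non-root
 * process cannot change its groups). Returns 0 on success, -1 on failure. */
int drop_to_owner(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0)        return -1;
    if (setuid(uid) != 0)        return -1;
    /* Verify real and effective ids, and that root cannot be regained. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0)         return -1;
    return 0;
}

/* lstat() (not stat()) so a symlink to another user's file is refused;
 * then switch to the owner. Returns 0 only if both steps succeed. */
int run_as_owner(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) { perror(path); return -1; }
    enum check_result r = check_script(&st);
    if (r != CHECK_OK) {
        fprintf(stderr, "%s: refused: %s\n", path, check_name(r));
        return -1;
    }
    if (drop_to_owner(st.st_uid, st.st_gid) != 0) {
        fprintf(stderr, "%s: could not switch to uid %u\n",
                path, (unsigned)st.st_uid);
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s script.php\n", argv[0]); return 2; }
    if (run_as_owner(argv[1]) != 0) return 1;
    /* Assumption: the php CGI binary lives at /usr/local/bin/php. */
    execl("/usr/local/bin/php", "php", argv[1], (char *)NULL);
    perror("execl");
    return 1;
}
```

Installed setuid root, the binary would be the one piece of code in the chain that holds root, which is exactly why the checks above run before any exec and why the verification after setuid() is not optional.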