Re: php in cgi mode suphp missing(?) from packages

2006-03-15 Thread Brandon Mercer

Anon wrote:

> Hello :)
>
> My questions can be summarised as:
> 1) What is the easiest way to install php in CGI mode on OBSD?
> 2) Why doesn't OBSD have a package for php that includes the CGI version?
> 3) Why doesn't OBSD have a suphp package? Is there any special reason?
>
> I ask these questions because suphp (http://www.suphp.net) is a program that
> switches the uid of php scripts run under apache, so they run as uid of the
> script owner instead of uid of the webserver. This makes it similar to SuEXEC,
> a very well-known security program that does the same thing for perl scripts,
> and is included in the OBSD system. I find it critical to have as a security
> tool, because without it any local user can use php scripts to send mail as
> 'nobody' or 'www' - without much in the way of logs, and they can also browse
> the files of other users via scripts... and generally do a lot of things they
> should not be able to do.
>
> As OBSD is focused on security, it makes a lot of sense to me that OBSD would
> at least include the CGI version of PHP in its php-core packages, and
> preferably have a suphp package too.
>
> Now, I realise that suphp is mainly made for Linux - but I do think it should
> be ported for OBSD, because, frankly, without it, allowing local users to run
> php scripts on your webserver is a very insecure idea. Lots of people run
> webservers on OBSD (like myself) and we're concerned that OBSD provides no
> obvious way to remedy this exploit-waiting-to-happen.
>
> It'd be consistent with your policy of including suexec to also include suphp.
> I'm trying to go with the OBSD guide's advice and only use the packages, but
> this is difficult when there are (imho) essential tools (and even the things
> they depend on) which aren't available as packages :-(
>
> Suggestions would be very welcome :)

Ok, you've convinced me. Now my suggestion: Port it! We here at
OpenBSD like to SUAC! Good luck!

Brandon



Re: php in cgi mode suphp missing(?) from packages

2006-03-15 Thread Will H. Backman

Brandon Mercer wrote:

> Anon wrote:
>
>> Hello :)
>>
>> My questions can be summarised as:
>> 1) What is the easiest way to install php in CGI mode on OBSD?
>> 2) Why doesn't OBSD have a package for php that includes the CGI version?
>> 3) Why doesn't OBSD have a suphp package? Is there any special reason?
>>
>> I ask these questions because suphp (http://www.suphp.net) is a
>> program that switches the uid of php scripts run under apache, so they
>> run as uid of the script owner instead of uid of the webserver. This
>> makes it similar to SuEXEC, a very well-known security program that
>> does the same thing for perl scripts, and is included in the OBSD
>> system. I find it critical to have as a security tool, because without
>> it any local user can use php scripts to send mail as 'nobody' or
>> 'www' - without much in the way of logs, and they can also browse the
>> files of other users via scripts... and generally do a lot of things
>> they should not be able to do.
>>
>> As OBSD is focused on security, it makes a lot of sense to me that
>> OBSD would at least include the CGI version of PHP in its php-core
>> packages, and preferably have a suphp package too.
>>
>> Now, I realise that suphp is mainly made for Linux - but I do think it
>> should be ported for OBSD, because, frankly, without it, allowing
>> local users to run php scripts on your webserver is a very insecure
>> idea. Lots of people run webservers on OBSD (like myself) and we're
>> concerned that OBSD provides no obvious way to remedy this
>> exploit-waiting-to-happen.
>>
>> It'd be consistent with your policy of including suexec to also
>> include suphp. I'm trying to go with the OBSD guide's advice and only
>> use the packages, but this is difficult when there are (imho)
>> essential tools (and even the things they depend on) which aren't
>> available as packages :-(
>>
>> Suggestions would be very welcome :)
>
> Ok, you've convinced me. Now my suggestion: Port it! We here at
> OpenBSD like to SUAC! Good luck!
>
> Brandon


For a program to become other users, it must have root privs.  It must 
be used with caution.  I don't know if there is enough confidence in php 
yet.




Re: php in cgi mode suphp missing(?) from packages

2006-03-15 Thread Gaby vanhegan
On 15 Mar 2006, at 21:39, Anon wrote:

> As OBSD is focused on security, it makes a lot of sense to me that
> OBSD would at least include the CGI version of PHP in its php-core
> packages, and preferably have a suphp package too.

Ports are provided by the community, not by OpenBSD.  OpenBSD  
provides a great framework for creating ports, but does not create  
the actual ports.

If you want a port, join the ports mailing list on ports@openbsd.org

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/



Re: php in cgi mode suphp missing(?) from packages

2006-03-15 Thread Chris Alatakis

Anon wrote:

> Hello :)
>
> My questions can be summarised as:
>
> 1) What is the easiest way to install php in CGI mode on OBSD?

PHP in CGI mode makes no sense. PHP is beloved for its speed against Perl,
for example, which is a powerful alternative.
We are not going to discuss this Perl vs PHP here at misc, so live with
it or change to Perl. PHP CGI is buggy, slow and has many problems
accomplishing some tasks that are trivial otherwise.

> 2) Why doesn't OBSD have a package for php that includes the CGI version?

Not ported, as others told you. I don't think there are many that go
this way, so probably there is no need.

> 3) Why doesn't OBSD have a suphp package? Is there any special reason?

Not ported. I think it is crap. My opinion: I can not trust a uid 0 program
in my chroot apache to provide security and have it maybe help others
break out of the jail.

> I ask these questions because suphp (http://www.suphp.net) is a program that
> switches the uid of php scripts run under apache, so they run as uid of the
> script owner instead of uid of the webserver. This makes it similar to SuEXEC,
> a very well-known security program that does the same thing for perl scripts,
> and is included in the OBSD system. I find it critical to have as a security
> tool, because without it any local user can use php scripts to send mail as
> 'nobody' or 'www' - without much in the way of logs, and they can also browse
> the files of other users via scripts... and generally do a lot of things they
> should not be able to do.

I trust my chrooted apache environment on openbsd much more than the
suphp package.

> As OBSD is focused on security, it makes a lot of sense to me that OBSD would
> at least include the CGI version of PHP in its php-core packages, and
> preferably have a suphp package too.

That's why apache is chrooted by default in openbsd, in opposition to a Linux
system that uses suphp or cgi but is insecure in most cases and by default.

> Now, I realise that suphp is mainly made for Linux - but I do think it should
> be ported for OBSD, because, frankly, without it, allowing local users to run
> php scripts on your webserver is a very insecure idea. Lots of people run
> webservers on OBSD (like myself) and we're concerned that OBSD provides no
> obvious way to remedy this exploit-waiting-to-happen.

Having mini_sendmail for mail and no shell executables in /var/www, as is
the default, or having only some mandatory safe sh script, is the secure way
to go.

> It'd be consistent with your policy of including suexec to also include suphp.
> I'm trying to go with the OBSD guide's advice and only use the packages, but
> this is difficult when there are (imho) essential tools (and even the things
> they depend on) which aren't available as packages :-(

Good luck

> Suggestions would be very welcome :)

-Chris



Re: php in cgi mode suphp missing(?) from packages

2006-03-15 Thread Adam
On Thu, 16 Mar 2006 00:20:23 +0100 Chris Alatakis [EMAIL PROTECTED]
wrote:

> Anon wrote:
>> Hello :)
>>
>> My questions can be summarised as:
>>
>> 1) What is the easiest way to install php in CGI mode on OBSD?
>
> PHP in CGI mode makes no sense. PHP is beloved for its speed against
> Perl, for example, which is a powerful alternative.
> We are not going to discuss this Perl vs PHP here at misc, so live
> with it or change to Perl. PHP CGI is buggy, slow and has many
> problems accomplishing some tasks that are trivial otherwise.

This is of course complete nonsense. PHP may be beloved by some
people, but it has nothing to do with speed. Running PHP as a CGI is
simple and has no buggy problems or anything else. It's just like
running perl as a CGI instead of using mod_perl, or python as a CGI
instead of mod_python.

>> 2) Why doesn't OBSD have a package for php that includes the CGI
>> version?
> Not ported, as others told you. I don't think there are many that
> go this way, so probably there is no need.

Uh, it's enabled if you installed it through ports/packages. Just stick
#!/usr/local/bin/php up at the top of your script, and you have a PHP
cgi script just like you would with any other language.

Adam



Re: php in cgi mode suphp missing(?) from packages

2006-03-15 Thread Chris Alatakis

Adam wrote:

>> PHP in CGI mode makes no sense. PHP is beloved for its speed against
>> Perl, for example, which is a powerful alternative.
>> We are not going to discuss this Perl vs PHP here at misc, so live
>> with it or change to Perl. PHP CGI is buggy, slow and has many
>> problems accomplishing some tasks that are trivial otherwise.
>
> This is of course complete nonsense. PHP may be beloved by some
> people, but it has nothing to do with speed. Running PHP as a CGI is
> simple and has no buggy problems or anything else. It's just like
> running perl as a CGI instead of using mod_perl, or python as a CGI
> instead of mod_python.

I have tried it and php as a module is significantly faster than as CGI.
And the second is even faster if it is compiled directly into apache and not
as a module.
As for the buggy problems, maybe I wasn't clear. Most using php use
scripts already written, and there are problems getting these scripts to
function, as some paths and settings must be altered if you use php as CGI.

>> 2) Why doesn't OBSD have a package for php that includes the CGI
>> version?
>
>> Not ported, as others told you. I don't think there are many that
>> go this way, so probably there is no need.
>
> Uh, it's enabled if you installed it through ports/packages. Just stick
> #!/usr/local/bin/php up at the top of your script, and you have a PHP
> cgi script just like you would with any other language.

There is no /usr/local/bin/php executable in the default chrooted openbsd
php install, or am I blind?
If you are speaking of moving /usr/local/bin/php to /var/www, that
was the whole point: security.

Anyway, I have used php for many years in a production environment as an
apache module. Having tried the CGI thing, my opinion is just that it is a
second option for apache and I see no reason to do it in openbsd.

> Adam

Do not cc me, I hate that.
-Chris



Re: php in cgi mode suphp missing(?) from packages

2006-03-15 Thread Adam
On Thu, 16 Mar 2006 03:05:49 +0100 Chris Alatakis [EMAIL PROTECTED]
wrote:

> Adam wrote:
>> PHP in CGI mode makes no sense. PHP is beloved for its speed against
>> Perl, for example, which is a powerful alternative.
>> We are not going to discuss this Perl vs PHP here at misc, so live
>> with it or change to Perl. PHP CGI is buggy, slow and has many
>> problems accomplishing some tasks that are trivial otherwise.
>
>> This is of course complete nonsense. PHP may be beloved by some
>> people, but it has nothing to do with speed. Running PHP as a CGI
>> is simple and has no buggy problems or anything else. It's just like
>> running perl as a CGI instead of using mod_perl, or python as a CGI
>> instead of mod_python.
>
> I have tried it and php as a module is significantly faster than as CGI.
> And the second is even faster if it is compiled directly into apache and
> not as a module.

Of course it is slow as a CGI. What does that have to do with
anything? Perl is slow as a CGI too, that's what mod_perl is for.
None of that is relevant though, he wanted to know how to use PHP as a
CGI, not whether you think it's fast enough for him or not without even
knowing what he's doing.

> There is no /usr/local/bin/php executable in the default chrooted openbsd
> php install, or am I blind?
> If you are speaking of moving /usr/local/bin/php to /var/www,
> that was the whole point: security.

Yes, there is a /usr/local/bin/php executable when you install the PHP
package. Of course you have to either move it into the chroot (along
with any dependencies) or disable chroot. Same as with running CGIs
of any other interpreted language. And he wasn't asking about security,
he was asking about running PHP without users being able to read each
other's database username/passwords. Sometimes you have to trade away
some security to actually accomplish something. You could be more
secure by removing your network connections, but it's not very helpful
if you want network access.

> Anyway, I have used php for many years in a production environment as an
> apache module. Having tried the CGI thing, my opinion is just that it is a
> second option for apache and I see no reason to do it in openbsd.

And because you don't see the obvious use for something, that means
there is no use?

> Do not cc me, I hate that.
> -Chris

Do not tell me not to cc you, I hate that.

Adam
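The chroot step Adam describes (copying the php CGI binary and the libraries it links against into /var/www) as an added shell example; this is not code from the thread or from the OpenBSD project, the ldd listing is constructed, and it assumes ldd prints OpenBSD's table layout (Start, End, Type, Open, Ref, GrpRef, Name).

```shell
#!/bin/sh
# Added example: populate the OpenBSD Apache chroot (/var/www) with the php
# CGI binary and the shared objects it links against, so "#!/usr/local/bin/php"
# scripts can run under a chrooted httpd. Not code from the thread.
# Assumption: `ldd` prints OpenBSD's column layout (Start End Type Open Ref
# GrpRef Name); the addresses and library versions below are constructed.

SAMPLE_LDD='/usr/local/bin/php:
        Start            End              Type  Open Ref GrpRef Name
        00000a3e11300000 00000a3e11577000 exe   1    0   0      /usr/local/bin/php
        00000a40b0a9c000 00000a40b0ada000 rlib  0    1   0      /usr/lib/libz.so.5.0
        00000a4139a2b000 00000a4139b2b000 rlib  0    1   0      /usr/lib/libc.so.95.1
        00000a416c4a8000 00000a416c4d4000 ld.so 0    1   0      /usr/libexec/ld.so'

# Read ldd output on stdin; print one absolute path per line for the
# executable itself, every shared library (rlib) and the dynamic loader.
# The header row has "Type" in column 3, so it is skipped automatically.
chroot_deps() {
    awk '$3 == "exe" || $3 == "rlib" || $3 == "ld.so" { print $NF }'
}

# Copy each path read from stdin to the same path below the chroot root $1,
# creating parent directories. Mode 0555 keeps the copies executable but not
# writable, so the www user cannot replace them from inside the jail.
install_into_chroot() {
    root="$1"
    while read -r f; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
        mkdir -p "$root$(dirname "$f")" || return 1
        cp -p "$f" "$root$f" || return 1
        chmod 0555 "$root$f" || return 1
    done
}

# Real use, as root:
#   ldd /usr/local/bin/php | chroot_deps | install_into_chroot /var/www
# Dry run on the constructed listing, to see what would be copied:
printf '%s\n' "$SAMPLE_LDD" | chroot_deps
```

Every file copied this way is one more thing a compromised www process can execute inside the jail, which is the trade-off Chris raises, so keep the copied set to exactly what ldd reports.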