Netips III

Summary:

• Installing php-cgiwrap

Installing php-cgiwrap

(Contributed by Mandrake Linux user Jeff Bert)

• Got 'php-4.1.2.tar.gz' and compiled as a CGI Binary it using (minimum options shown):
• Untarred it to /usr/local/src
• cd /usr/local/src/php-4.1.2
• ./configure ––enable-track-vars ––enable-force-cgi-redirect ––with-config-file-path=/etc
• make
• strip php
• cp php /home/USERNAME/public_html/cgi-bin/php4-12.cgi
• chmod 700 /home/USERNAME/public_html/cgi-bin/php4-12.cgi
• Got 'cgiwrap-3.7.1.tar.gz' from: http://cgiwrap.unixtools.org/
• Got 'php-cgiwrap' patch from: http://www.klaban.torun.pl/patches/cgiwrap/
• Un-tarred 'cgiwrap-3.7.1.tar.gz' into '/usr/local/src' and patched it
• cd /usr/local/src/cgiwrap-3.7.1
• cp /path-to-patch/cgiwrap-3.7.1-p7-withphp.diff.gz .
• gzip -dc cgiwrap-3.7.1-p7-withphp.diff.gz | patch -p1
• Created "cgi-sys" for system cgi-bin to run cgiwrap from:
• mkdir -p /var/www/cgi-sys
• chmod 755 /var/www/cgi-sys
• Added to my httpd.conf file:

~ScriptAlias /cgi-sys/ /var/www/cgi-sys/<br> <Directory /var/www/cgi-sys><br> ~AllowOverride None<br> Options None<br> Order allow,deny<br> Allow from all<br> </Directory>

• Compiled cgiwrap with (minimum options shown):
• ./configure ––with-httpd-user=apache ––with-install-dir=/var/www/cgi-sys
• make
• make install
• Got rid of the php-cgiwrap links to cgiwrap so that I can custom install those separately with a second cgiwrap compile:
• rm -f /var/www/cgi-sys/php
• make clean
• ./configure ––with-httpd-user=apache ––with-install-dir=/tmp ––with-cgi-dir=public_html
• make
• make install
• cp /tmp/cgiwrap /var/www/cgi-sys/php-cgiwrap
• ln /var/www/cgi-sys/php-cgiwrap /var/www/cgi-sys/php-cgiwrapd
• rm /tmp/cgiwrap* -f
• Set up 'Vhosts.conf' with for each host that is php wrapped (not all are):

~AddHandler php-cgiwrap .php<br> Action php-cgiwrap /cgi-sys/php-cgiwrap/USERNAME/cgi-bin/php4-12.cgi

So what I did was create two different wrappers… one for cgi scripts that have to be called via:

http:domain/cgi-bin/cgiwrap/USERNAME/path-to-script-inside-cgi-bin/script.cgi

and the other for php files called via:

http:domain/path-to-php-script-NOT-inside-cgi-bin/script.php

The reason this works is that the patch to cgiwrap allows you to get rid of the #1.1 /path-to-php/ and the php CGI binary allows you to not have to put the php files in the cgi-bin.

Now, this raises some security issues that goes against the ilk of those who swear by cgiwrap religiously. Putting a language parser in the cgi-bin is a security risk per http://www.cert.org/advisories/CA-1996-11.html . So, I'm not sure this is the best setup for everyone.
The reasons I did this was that so I could create scripts that would be easily ported to my alternate account at pair.com. Also, some of my webusers wanted to customize their php installs and I wanted to give them that but to force the risk to them. Because wrapping php puts the risk to damage to the system to their files only, i hope ;)

section index

Related Resources:

cgiwrap egroup
Running PHP Scripts Securely

Revision / Modified: June 05, 2002
Author: Jeff Bert, Tom Berger

Legal: This page is covered by the GNU Free Documentation License. Standard disclaimers of warranty apply. Copyright LSTB and Mandrakesoft.