[MacPorts] #10511: RFE: Apache2 - patches for adding suexec support

MacPorts noreply at macports.org
Tue Jan 12 04:33:13 PST 2010


#10511: RFE: Apache2 - patches for adding suexec support
---------------------------------+------------------------------------------
  Reporter:  tonytung@…          |       Owner:  imajes@…           
      Type:  enhancement         |      Status:  new                
  Priority:  Low                 |   Milestone:                     
 Component:  ports               |     Version:                     
Resolution:                      |    Keywords:  haspatch           
      Port:  apache2             |  
---------------------------------+------------------------------------------

Comment(by ddebernardy@…):

 So... following up on this, and documenting it a bit, in case it helps.

 Required active modules for Apache2 + PHP5 using fastcgi + suExec:

 {{{
 php5 @5.3.1_1+apache2+fastcgi+macosx
 mod_fcgid @2.2_0
 apache2 @2.2.14_0+darwin+darwin_9+preforkmpm+suexec
 }}}

 To build apache2 +suexec, I had to add the following to
 /opt/local/var/macports/sources/rsync.macports.org/release/ports/www/apache2/Portfile:

 {{{
 variant suexec {
         configure.args-append "--enable-suexec --with-suexec "\
                               "--with-suexec-logfile=${prefix}/apache2/logs/suexec.log "\
                               "--with-suexec-safepath=${prefix}/local/bin:/usr/local/bin:/usr/bin:/bin "\
                               "--with-suexec-uidmin=500 "\
                               "--with-suexec-gidmin=20 "\
                               "--with-suexec-caller=_www "\
                               "--with-suexec-docroot=/Users "\
                               "--with-suexec-userdir=Sites "
 }
 }}}

 This was on MacOS 10.4. The gid and user might need to be different under
 10.5...

  - gid=20 corresponds to the staff group.
  - _www is the apache user (as returned by `id 70`)
  - all users need a corresponding folder in the docroot folder, so docroot=/Users
  - all users sites' files should be in their respective userdir, so userdir=Sites

 Configuring it as above allows keeping the default settings from
 mod_userdir, which scans for /Users/*/Sites. There might be a better way,
 though. (The DocumentRoot directive in httpd.conf can be left untouched.)

 Individual users then need a few lines in httpd.conf, like so:

 {{{
 <Directory /Users/denis/Sites>
 AddHandler fcgid-script .php
 FCGIWrapper /Users/denis/Sites/cgi-bin/php-cgi .php
 AllowOverride All
 Options +ExecCGI +Indexes
 </Directory>
 }}}

 The username obviously needs to be changed, and I'm guessing that
 something better could be added as a generic rule for all sites. The
 php-cgi file above is in fact a wrapper for the /opt/local/bin/php-cgi file
 that was installed by php5 +fastcgi:

 {{{
 #!/bin/sh
 # Wrapper for PHP-fcgi
 # This wrapper can be used to define settings before launching the
 # PHP-fcgi binary.

 # Define the path to php.ini. This defaults to /etc/phpX/cgi.
 export PHPRC=/opt/local/etc/php5

 # Define the number of PHP child processes that will be launched.
 # This is low to control memory usage on a server that might launch
 # these processes for lots of domains.
 # Leave undefined to let PHP decide.
 export PHP_FCGI_CHILDREN=1

 # Maximum requests before a process is stopped and a new one is launched
 export PHP_FCGI_MAX_REQUESTS=5000

 # Launch the PHP CGI binary
 # This can be any other version of PHP which is compiled with FCGI
 # support.
 exec /opt/local/bin/php-cgi
 }}}

 The cgi file needed chown denis:staff, and chmod ugo+x.

 I hope this helps...

 @ jmr: I'm CC'ed on the ticket, in case you need someone to test final
 patches to make this work automatically.

-- 
Ticket URL: <http://trac.macports.org/ticket/10511#comment:13>
MacPorts <http://www.macports.org/>
Ports system for Mac OS
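
The ownership and mode details in the comment above (chown denis:staff, chmod ugo+x, uidmin=500, gidmin=20) correspond to checks suEXEC makes before it runs a program. The following is an added example, not part of the original comment or of MacPorts: a POSIX sh function that audits a wrapper against the ownership and permission subset of those checks. The function name and verdict words are made up for illustration, and the docroot/userdir check is left out.

```shell
#!/bin/sh
# Added example, not from the ticket. Defaults mirror the ticket's
# --with-suexec-uidmin=500 and --with-suexec-gidmin=20.

# check_wrapper FILE [UIDMIN] [GIDMIN]
# Prints one verdict word; returns 0 only for "ok".
check_wrapper() {
    f=$1; uidmin=${2:-500}; gidmin=${3:-20}

    # Must be a regular file, not a symlink.
    if [ ! -f "$f" ] || [ -L "$f" ]; then echo missing; return 1; fi

    # ls -n gives: mode links uid gid ... (numeric ids, same on BSD and GNU)
    set -- $(ls -ldn "$f");              fmode=$1; fuid=$3; fgid=$4
    set -- $(ls -ldn "$(dirname "$f")"); dmode=$1; duid=$3; dgid=$4

    # Owner must not fall below the compiled-in minimum ids.
    if [ "$fuid" -lt "$uidmin" ] || [ "$fgid" -lt "$gidmin" ]; then
        echo lowid; return 1
    fi
    # Wrapper and its directory must belong to the same user and group.
    if [ "$fuid" != "$duid" ] || [ "$fgid" != "$dgid" ]; then
        echo owner; return 1
    fi
    # Neither may be group- or world-writable (mode chars 6 and 9).
    case $fmode in ?????w*|????????w*) echo writable; return 1 ;; esac
    case $dmode in ?????w*|????????w*) echo dir-writable; return 1 ;; esac
    # No setuid/setgid bit (shown as s or S in mode chars 4 and 7).
    case $fmode in ???[sS]*|??????[sS]*) echo setid; return 1 ;; esac
    # Owner needs execute permission.
    case $fmode in ???x*) ;; *) echo noexec; return 1 ;; esac
    echo ok
}

# Usage with the path from the ticket: sh check.sh /Users/denis/Sites/cgi-bin/php-cgi
if [ $# -gt 0 ]; then check_wrapper "$@"; fi
```

A verdict other than `ok` points at the condition to fix before looking in the suexec.log configured with --with-suexec-logfile.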