Anon wrote:
Hello :)
My questions can be summarised as :
1) What is the easiest way to install php in CGI mode on OBSD?
2) Why doesn't OBSD have a package for php that includes the CGI version?
3) Why doesn't OBSD have a suphp package? Is there any special reason?
I ask these questions because suphp (http://www.suphp.net) is a program that
switches the uid of php scripts run under apache, so they run as uid of the
script owner instead of uid of the webserver. This makes it similar to SuEXEC,
a very well known security program that does the same thing for perl scripts,
and is included in the OBSD system. I find it critical to have as a security
tool, because without it any local user can use php scripts to send mail as
'nobody' or 'www' - without much in the way of logs, and they can also browse
the files of other users via scripts... and generally do a lot of things they
should not be able to do.
As OBSD is focused on security, it makes a lot of sense to me that OBSD would
at least include the CGI version of PHP in its php-core packages, and
preferably have a suphp package too.
Now, I realise that suphp is mainly made for linux - but I do think it should
be ported for OBSD, because, frankly, without it, allowing local users to run
php scripts on your webserver is a very insecure idea. Lots of people run
webservers on OBSD (like myself) and we're concerned that OBSD provides no
obvious way to remedy this exploit-waiting-to-happen.
It'd be consistent with your policy of including suexec to also include suphp.
I'm trying to go with the OBSD guide's advice and only use the packages, but
this is difficult when there are (imho) essential tools (and even the things
they depend on) which aren't available as packages :-(
Suggestions would be very welcome :)
Ok, you've convinced me.... now my suggestion: Port it! We here at
Openbsd like to SUAC! Good luck!
Brandon
