UserDirs and suexec

_______________________________________________
suPHP mailing list
suPHP@...
http://lists.marsching.biz/mailman/listinfo/suphp

Re: UserDirs and suexec

This is what UNIX groups and chmod 640 are for, no?  There's a bunch of
different ways to solve your problem, but this is really more of a "how
do I secure things on UNIX" question, and definitely isn't specific to
suPHP...

-- 
| Jeremy Chadwick                                    jdc at parodius.com |
| Parodius Networking                           http://www.parodius.com/ |
| UNIX Systems Administrator                      Mountain View, CA, USA |
| Making life hard for others since 1977.                  PGP: 4BD6C0CB |

On Thu, Jan 10, 2008 at 10:07:21AM -0600, Brendan Hoffmann wrote:
> Hello,
> 
> I have exhausted many hours scrolling through Google but cannot find how to
> set user's PHP pages so other users cannot view the code.  Need the web
> server to still serve the pages with this tight security.  Please note,
> these are actual user pages (http://blah.com/~testo/) and not virtual hosts
> Im confused and any help I would be grateful
> 
> 
> Regards,
> Brendan

> _______________________________________________
> suPHP mailing list
> suPHP@...
> http://lists.marsching.biz/mailman/listinfo/suphp

suphp parsing files with .php anywhere in the name

Hi all,

I have a script on my server called 'blah.php.txt' which is being parsed
by suphp as a php file. I don't think it should be because the real
extension is .txt. I'm pretty sure it's suphp as my previous server
wasn't running it and didn't have this problem :)

My apache2/mods-available/suphp.conf file has this handler:

AddHandler x-httpd-php .php .php3 .php4 .php5 .phtml

So to check what was going on, I renamed the file to include the
different php extensions and the same thing happened. I renamed it to
have a non-php extension in the middle (blah.blah.txt) and it didn't happen.

Any suggestions about how to stop this from occurring?

Using the debian package ('Version: 0.6.2-1').

Thanks!

--

-- 
Best Regards,

Chris Smith
PHP Product Manager
Lead Developer
Interspire - The World's Best Selling Webware
http://www.interspire.com

Re: suphp parsing files with .php anywhere in the name

Chris Smith wrote:
> I have a script on my server called 'blah.php.txt' which is being parsed
> by suphp as a php file. I don't think it should be because the real
> extension is .txt. I'm pretty sure it's suphp as my previous server
> wasn't running it and didn't have this problem :)
> 
> My apache2/mods-available/suphp.conf file has this handler:
> 
> AddHandler x-httpd-php .php .php3 .php4 .php5 .phtml
> 
> So to check what was going on, I renamed the file to include the
> different php extensions and the same thing happened. I renamed it to
> have a non-php extension in the middle (blah.blah.txt) and it didn't happen.
> 
> Any suggestions about how to stop this from occurring?
> 
> Using the debian package ('Version: 0.6.2-1').

This happens on mine too. I'm using the same debian package (except mine 
is hacked to fix nfs root squash). I have suphp 0.5.1 on another server 
and it does the same thing. But when I turn off suphp and just use 
normal php it gives the code as text. So it clearly is suphp and this 
isn't a new thing. It is probably in the code.

--

-- 
Drew A. Withers <dwitherscsr@...>
Assistant CAEDM CSR
Brigham Young University

Re: suphp parsing files with .php anywhere in the name

Drew A. Withers kirjoitti:
> Chris Smith wrote:
>> I have a script on my server called 'blah.php.txt' which is being parsed
>> by suphp as a php file. I don't think it should be because the real
>> extension is .txt. I'm pretty sure it's suphp as my previous server
>> wasn't running it and didn't have this problem :)
>>
>> My apache2/mods-available/suphp.conf file has this handler:
>>
>> AddHandler x-httpd-php .php .php3 .php4 .php5 .phtml
>>
>> So to check what was going on, I renamed the file to include the
>> different php extensions and the same thing happened. I renamed it to
>> have a non-php extension in the middle (blah.blah.txt) and it didn't happen.
>>
>> Any suggestions about how to stop this from occurring?
>>
>> Using the debian package ('Version: 0.6.2-1').
> 
> 
> This happens on mine too. I'm using the same debian package (except mine 
> is hacked to fix nfs root squash). I have suphp 0.5.1 on another server 
> and it does the same thing. But when I turn off suphp and just use 
> normal php it gives the code as text. So it clearly is suphp and this 
> isn't a new thing. It is probably in the code.
> 
> 

It's an apache feature. It does the same for .pl files.

Aki Tuomi

_______________________________________________
suPHP mailing list
suPHP@...
http://lists.marsching.biz/mailman/listinfo/suphp

Re: suphp parsing files with .php anywhere in the name

Aki Tuomi wrote:
> Drew A. Withers kirjoitti:
>> Chris Smith wrote:
>>> I have a script on my server called 'blah.php.txt' which is being parsed
>>> by suphp as a php file. I don't think it should be because the real
>>> extension is .txt. I'm pretty sure it's suphp as my previous server
>>> wasn't running it and didn't have this problem :)
>>>
>>> My apache2/mods-available/suphp.conf file has this handler:
>>>
>>> AddHandler x-httpd-php .php .php3 .php4 .php5 .phtml
>>>
>>> So to check what was going on, I renamed the file to include the
>>> different php extensions and the same thing happened. I renamed it to
>>> have a non-php extension in the middle (blah.blah.txt) and it didn't 
>>> happen.
>>>
>>> Any suggestions about how to stop this from occurring?
>>>
>>> Using the debian package ('Version: 0.6.2-1').
>>
>>
>> This happens on mine too. I'm using the same debian package (except 
>> mine is hacked to fix nfs root squash). I have suphp 0.5.1 on another 
>> server and it does the same thing. But when I turn off suphp and just 
>> use normal php it gives the code as text. So it clearly is suphp and 
>> this isn't a new thing. It is probably in the code.
>>
>>
> 
> It's an apache feature. It does the same for .pl files.

It's not.

Without suphp it doesn't happen.

Time to dig through the source..

--

-- 
Best Regards,

Chris Smith
PHP Product Manager
Lead Developer
Interspire - The World's Best Selling Webware
http://www.interspire.com

Re: suphp parsing files with .php anywhere in the name

_______________________________________________
suPHP mailing list
suPHP@...
http://lists.marsching.biz/mailman/listinfo/suphp

Re: suphp parsing files with .php anywhere in the name

Eduardo Romero wrote:
> Have you checked that Multiviews is disabled? 
> http://httpd.apache.org/docs/2.0/content-negotiation.html#multiviews ?

     DocumentRoot /path/to/folder/html
     <Directory /path/to/folder/html>
         AllowOverride All
         Options -ExecCGI -Includes -MultiViews
     </Directory>

There is a .htaccess there but it's just a bunch of rewrite rules which 
I know aren't doing it (the same .htaccess file was used on an old 
server which wasn't running suphp and didn't cause any problems).

> Chris Smith wrote:
>> Aki Tuomi wrote:
>>   
>>> Drew A. Withers kirjoitti:
>>>     
>>>> Chris Smith wrote:
>>>>       
>>>>> I have a script on my server called 'blah.php.txt' which is being parsed
>>>>> by suphp as a php file. I don't think it should be because the real
>>>>> extension is .txt. I'm pretty sure it's suphp as my previous server
>>>>> wasn't running it and didn't have this problem :)
>>>>>
>>>>> My apache2/mods-available/suphp.conf file has this handler:
>>>>>
>>>>> AddHandler x-httpd-php .php .php3 .php4 .php5 .phtml
>>>>>
>>>>> So to check what was going on, I renamed the file to include the
>>>>> different php extensions and the same thing happened. I renamed it to
>>>>> have a non-php extension in the middle (blah.blah.txt) and it didn't 
>>>>> happen.
>>>>>
>>>>> Any suggestions about how to stop this from occurring?
>>>>>
>>>>> Using the debian package ('Version: 0.6.2-1').
>>>>>         
>>>> This happens on mine too. I'm using the same debian package (except 
>>>> mine is hacked to fix nfs root squash). I have suphp 0.5.1 on another 
>>>> server and it does the same thing. But when I turn off suphp and just 
>>>> use normal php it gives the code as text. So it clearly is suphp and 
>>>> this isn't a new thing. It is probably in the code.
>>>>
>>>>
>>>>       
>>> It's an apache feature. It does the same for .pl files.
>>>     
>>
>> It's not.
>>
>> Without suphp it doesn't happen.
>>
>> Time to dig through the source..
>>
>>   
> 
> -- 
> ISC. Eduardo Romero
> [--Fox--]
> http://foxteck.org

--

-- 
Best Regards,

Chris Smith
PHP Product Manager
Lead Developer
Interspire - The World's Best Selling Webware
http://www.interspire.com

Re: suphp parsing files with .php anywhere in the name

I can imagine mod_mime_magic could cause what the OP is describing.

-- 
| Jeremy Chadwick                                    jdc at parodius.com |
| Parodius Networking                           http://www.parodius.com/ |
| UNIX Systems Administrator                      Mountain View, CA, USA |
| Making life hard for others since 1977.                  PGP: 4BD6C0CB |

On Tue, Jan 15, 2008 at 11:15:54AM +1100, Chris Smith wrote:
> Eduardo Romero wrote:
> > Have you checked that Multiviews is disabled? 
> > http://httpd.apache.org/docs/2.0/content-negotiation.html#multiviews ?
> 
> 
>      DocumentRoot /path/to/folder/html
>      <Directory /path/to/folder/html>
>          AllowOverride All
>          Options -ExecCGI -Includes -MultiViews
>      </Directory>
> 
> There is a .htaccess there but it's just a bunch of rewrite rules which 
> I know aren't doing it (the same .htaccess file was used on an old 
> server which wasn't running suphp and didn't cause any problems).
> 
> 
> > Chris Smith wrote:
> >> Aki Tuomi wrote:
> >>   
> >>> Drew A. Withers kirjoitti:
> >>>     
> >>>> Chris Smith wrote:
> >>>>       
> >>>>> I have a script on my server called 'blah.php.txt' which is being parsed
> >>>>> by suphp as a php file. I don't think it should be because the real
> >>>>> extension is .txt. I'm pretty sure it's suphp as my previous server
> >>>>> wasn't running it and didn't have this problem :)
> >>>>>
> >>>>> My apache2/mods-available/suphp.conf file has this handler:
> >>>>>
> >>>>> AddHandler x-httpd-php .php .php3 .php4 .php5 .phtml
> >>>>>
> >>>>> So to check what was going on, I renamed the file to include the
> >>>>> different php extensions and the same thing happened. I renamed it to
> >>>>> have a non-php extension in the middle (blah.blah.txt) and it didn't 
> >>>>> happen.
> >>>>>
> >>>>> Any suggestions about how to stop this from occurring?
> >>>>>
> >>>>> Using the debian package ('Version: 0.6.2-1').
> >>>>>         
> >>>> This happens on mine too. I'm using the same debian package (except 
> >>>> mine is hacked to fix nfs root squash). I have suphp 0.5.1 on another 
> >>>> server and it does the same thing. But when I turn off suphp and just 
> >>>> use normal php it gives the code as text. So it clearly is suphp and 
> >>>> this isn't a new thing. It is probably in the code.
> >>>>
> >>>>
> >>>>       
> >>> It's an apache feature. It does the same for .pl files.
> >>>     
> >>
> >> It's not.
> >>
> >> Without suphp it doesn't happen.
> >>
> >> Time to dig through the source..
> >>
> >>   
> > 
> > -- 
> > ISC. Eduardo Romero
> > [--Fox--]
> > http://foxteck.org
> 
> 
> -- 
> Best Regards,
> 
> Chris Smith
> PHP Product Manager
> Lead Developer
> Interspire - The World's Best Selling Webware
> http://www.interspire.com
> 
> _______________________________________________
> suPHP mailing list
> suPHP@...
> http://lists.marsching.biz/mailman/listinfo/suphp

Re: suphp parsing files with .php anywhere in the name

Jeremy Chadwick wrote:
> I can imagine mod_mime_magic could cause what the OP is describing.

It is enabled, but the file doesn't have a reference to php at all (I 
can see a whole bunch of other stuff though for perl, audio, xml etc).

# grep -i 'php' /usr/share/file/magic.mime
#

--

-- 
Best Regards,

Chris Smith
PHP Product Manager
Lead Developer
Interspire - The World's Best Selling Webware
http://www.interspire.com