[tech] Mussel upgraded to Debian stable "jessie" 8.2

David Adam zanchey at ucc.gu.uwa.edu.au
Fri Nov 6 21:26:24 AWST 2015


On Mon, 2 Nov 2015, David Adam wrote:
> On Sun, 1 Nov 2015, David Adam wrote:
> > The main remaining issue is that suPHP was removed from the Debian 
> > distribution as it is not actively maintained. I am not keen on running 
> > mod_php for user directories without it; there's too much risk in the PHP 
> > running in other contexts (e.g. cacti, Roundcube, etc.). For now, I've 
> > disabled PHP code in user home directories (see mods-enabled/php5.conf).
> > 
> > I'll try and work out an alternative in the next few days, although others 
> > are most welcome to take a look.
> 
> I think I've got all the webspace stuff working again. I ended up installing 
> libapache2-mod-ruid2, which uses Linux capabilities to switch user as 
> required. I am a little concerned, because while I think I have a good 
> understanding of suexec/suPHP, ruid2 is a little more impenetrable.

[MSH] took a look, and ruid2 doesn't actually drop the switch-user 
capability like it should, so you can probably use it to take over the 
world.

I've switched back to suexec. PHP now runs with CGI in user home 
directories. The magic of `update-binfmt` means that people don't need to 
add shebangs to the scripts, but they do need to be made executable, so I 
ran the following over /home/*/*/public-html:
    find . -name \*.php ! -perm /100 -perm -444 -exec chmod ugo+x '{}' \;

Hopefully that does the trick for now.

An alternative was suggested by the Anchor crew:
http://www.anchor.com.au/hosting/support/How-Anchor-runs-PHP-as-CGI-on-shared-hosting
but that looked approximately zero fun.

[DAA]
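
A read-only audit to run over a public-html tree before or after a chmod pass like the one above, added here as an example and not part of the original post. The function name and the NOEXEC/WRITABLE/SETID tags are made up for illustration; the group/other-writable and setuid/setgid refusals are taken from Apache's suEXEC documentation, not from this message.

```shell
#!/bin/sh
# Added example: report PHP scripts that will not run under suexec + CGI.
# Nothing is modified; each finding is printed as "<TAG> <path>".

audit_php_tree() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    # Same selection as the chmod pass in the post: world-readable scripts
    # that lack the owner execute bit, so they cannot be executed as CGI.
    find "$root" -type f -name '*.php' ! -perm -100 -perm -444 \
        -exec printf 'NOEXEC %s\n' {} \;

    # suexec refuses to run a program that group or other can write to.
    find "$root" -type f -name '*.php' \( -perm -020 -o -perm -002 \) \
        -exec printf 'WRITABLE %s\n' {} \;

    # suexec refuses to run setuid or setgid programs.
    find "$root" -type f -name '*.php' \( -perm -4000 -o -perm -2000 \) \
        -exec printf 'SETID %s\n' {} \;
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_php_tree "$1"
fi
```

Scripts that are not world-readable (mode 600, say) are left out of the NOEXEC list on purpose, because the find in the post skipped them too.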

