Ubuntu – Apache fast-cgi and php-fpm – Run PHP File as the owner

fastcgiPHPphp-fpmsuphpUbuntu

I am trying to setup FastCGI and PHP-FPM so that a php file can be executed as the owner of the file.
I am trying to replace SuPHP with FastCGI and fpm. Earlier, I had folders with different owners and groups. Each group had www-data as a member as well. When any php file was run using the browser, it was run as the owner of the file. So if a file was owned by user A (Group A – www-data and A as members), it was executed as user A

shell_exec('whoami') => return A

Now, I installed fastcgi and have configured it to run PHP files.

Here is my php5-fpm.conf file

<IfModule mod_fastcgi.c>
                AddHandler php5-fcgi .php
                Action php5-fcgi /php5-fcgi
                Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi
                FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi -socket /var/run/php5-fpm.sock -pass-header Authorization
        </IfModule>

My issue is, now when I run the same file which is owned by A,

shell_exec('whoami') => return www-data

Is it possible to run the php file as the owner using FastCGI and fpm (like with suPHP)? If so, how do I do that?

Best Answer

Yes, this is perfectly possible. User and group can be set in the FPM pool config (directives user and group).

Check

http://php.net/manual/en/install.fpm.configuration.php

for more information.

Related Solutions

Php – How to set the httpd.conf when using php-fpm with php(5.3.8) and apache2

The secret here is that php-cgi is nto a real file, it's a wrong file name use internally in Apache. You could call it as well : false-php-cgi-catcher-which-do-not-exists.

I wrote a complete php-fpm+apache2.2+chroot install guide a few days ago here. You may have a look. But try to get it working without the chroot first. Note that starting with apache 2.3 the best tool for php-fpm will be mod_proxy_fcgi

Here's an extract of the complete install guide. I use php5.external where you want to use php-cgi.

# phpfpm/fastcgi
# Here we catch the 'false' Location used to inexistent php5.external
# and push it to the external FastCgi process via a socket
# note: socket path is relative to FastCgiIpcDir
# which is set in Main configuration /etc/apache2/mods-available/fastcgi.conf
<IfModule mod_fastcgi.c>
    # all .php files will be pushed to a php5-fcgi handler
    AddHandler php5-fcgi .php

    #action module will let us run a cgi script based on handler php5-fcgi
    Action php5-fcgi /fcgi-bin/php5.external

    # and we add an Alias to the fcgi location
    Alias /fcgi-bin/php5.external /php5.external

    # now we catch this cgi script which in fact does not exists on filesystem
    # we catch it on the url (Location)
    <Location /fcgi-bin/php5.external>
        # here we prevent direct access to this Location url,
        # env=REDIRECT_STATUS will let us use this fcgi-bin url
        # only after an internal redirect (by Action upper)
        Order Deny,Allow
        Deny from All
        Allow from env=REDIRECT_STATUS
    </Location>
</IfModule>
FastCgiExternalServer /php5.external -socket myapplication.sock -appConnTimeout 30 -idle-timeout 60

Why the php-cgi wrapper script for php-fpm? (Using virtualhost and suexec.)

As an example, on a Redhat/centos machines, the php-fpm is actually a binary in /usr/sbin/ directory. It intercepts call from the server (apache/nginx) to process php requests. The settings of php-fpm can be adjusted in php-fpm.conf (http://php-fpm.org/wiki/Configuration_File), which lets you fine-tune your system. php-fpm is quite advanced and gives you a lot of control to your system.

Somehow, the php-fpm file on your system seems to be more like a normal fastcgi/cgi wrapper. If you want to bypass using "your version of php-fpm" and use php-cgi directly, you can use a custom fastcgi wrapper. An example of a custom fastcgi wrapper is:

#!/bin/bash
### Set PATH ###
PHP_CGI=/usr/bin/php-cgi
PHP_FCGI_MAX_REQUESTS=1000
export PHP_FCGI_MAX_REQUESTS
exec $PHP_CGI

One of the options that can be set in php-fpm.conf is to let you execute php scripts as another user. Suexec also provides this function and it can be called by Apache to pass request to the fastcgi wrapper which will handle php files. Together, suexec + fastcgi provide some of key functions of php-fpm and thus can be used as an alternative.

Best Answer

Related Solutions

Php – How to set the httpd.conf when using php-fpm with php(5.3.8) and apache2

Why the php-cgi wrapper script for php-fpm? (Using virtualhost and suexec.)

Related Topic