# apache: run PHP-scripts under their uid/gid

## nielchiano

I have a server running multiple name-based vhosts. Is there a way to have all PHP-scripts run under something different than apache:apache? preferably I'd like to run them as apache:gid_of_php_file.

Is this possible? how?

The main reason I'm currently looking for it is quota-management, but I'm sure other reasons will pop up.Last edited by nielchiano on Tue Dec 06, 2005 2:45 pm; edited 1 time in total

----------

## dgaffuri

I'm not sure if it works, but I would try to

```
chmod g+sx
```

the scripts. Of course apache must be a member of all the used groups.

----------

## nielchiano

well, the point would be to make it impossible (read: more difficult) for users to violate their quota by creating files under apache:apache; so kindly asking them to set their scripts sgid isn't realy going to help, I think...

----------

## xces

 *nielchiano wrote:*   

> Is thes possible? how?

 

Try SuPHP (www-apache/mod_suphp). Another possiblity is using PHP as CGI or FastCGI in combination with SuExec.

----------

## nielchiano

 *xces wrote:*   

>  *nielchiano wrote:*   Is thes possible? how? 
> 
> Try SuPHP (www-apache/mod_suphp). Another possiblity is using PHP as CGI or FastCGI in combination with SuExec.

 

I've been searching around a bit. Apparently suPHP is not realy fast, so I'm considering FastCGI. This will also allow me to upgrate to PHP5 on a vhost-per-vhost basis.

However, I couldn't find much easy to follow guides on what is needed to get PHP-fastCGI to work together. Perhaps you can help me?

I emerged dev-lang/php with the cgi use flag set, but I don't see any php-fcgi binary. What am I missing.

----------

## xces

 *nielchiano wrote:*   

> I emerged dev-lang/php with the cgi use flag set, but I don't see any php-fcgi binary. What am I missing.

 

Look at the output of /usr/bin/php-cgi -v.  :Wink: 

----------

## nielchiano

 *xces wrote:*   

>  *nielchiano wrote:*   I emerged dev-lang/php with the cgi use flag set, but I don't see any php-fcgi binary. What am I missing. 
> 
> Look at the output of /usr/bin/php-cgi -v. 

 

 :Smile:  It seems to be fcgi compatible...

Do you have some experience with PHP under fastCGI and suexec? I've been googling around, found a lot of examples (which do different things), but hardly any explanation what should be done. my apache is also running in a chroot, so that will complicate things even more.

----------

## nielchiano

I've been able to get it to work...(followed this, this and this) however, I still have problems:

once apache starts those php-cgi binaries under the right user, It can't kill them, so they hang around "forever" how can I solve that?

Also, I havn't found what the env-variables actualy mean (the PHPRC and PHP_FCGI_CHILDREN)

----------

## nielchiano

 *nielchiano wrote:*   

> once apache starts those php-cgi binaries under the right user, It can't kill them, so they hang around "forever" how can I solve that?
> 
> Also, I havn't found what the env-variables actualy mean (the PHPRC and PHP_FCGI_CHILDREN)

 

solved

----------

## nielchiano

I'm thinking about the folowing setup:

* apache + mod_fastCGI running non-chrooted

* PHP scripts started via mod_fastCGI + suexec and chrooted to their dir

What do you think about it? is it secure?

And how can it be done? (I have a working mod_fastCGI+suexec+php, only the chroot part I don't know)

----------

