                           PHP Patch for cgiwrap

   Date:                Mon, Jan 13 2000
   Author of the patch: Piotr Klaban <poczta@klaban.torun.pl>
   Patch status:        Not included in the official cgiwrap distribution
   Last modified:       Tue, Mar 12 2002

  DESCRIPTION


The problem is: how to allow users to run php scripts/phtml pages
with their own userids. I do not want to force users chmod
scripts to 755, and add #!.../php line in the beggining.
This patch allow use cgiwrap with apache, and php that
has to be compiled as a normal program that could be used with cgis.

If you want your users run PHP with user priviledges
then you need to install patched cgiwrap, or run each
php page as a cgi script with #!/path/php at the top.

I think it would be possible to use both - apache php module
for RootDirectory, and cgiwrap-php for user directories.

But do not think you would be safe now.
Notice, that you should disable FileInfo option in
Apache configuration file httpd.conf with directive:
'AllowOverride -FileInfo' (or just do not enable it with 'AllowOverride All'.
Otherwise users could override your php-cgiwrap redirection with
'AddType application/x-httpd-php .moo in .htaccess file
(thanks to Daniel Lorch for pointing this out).

Patch changes includes:
- scipts do not need to have execute bit set (all of the
  other cgiwrap checks (uid,gid etc.) are performed) (utils.c)
- configure.in - new option --with-php=/path/to/your/php
- cgiwrap.c - check if the filename has 'php-' string (PHP_Enable
  is then set to 1) -> then php is execv'ed instead of the cgi script.
- config.h.in - new macro - PATH_PROG_PHP
- util.c - new variable PHP_Enable, chmod 755 *.php not necessary
- fetch.c - PATH_INFO is not "fixed" when running php scripts (p5),
  now (p6) the username is stripped from the PATH_INFO

  CHANGES

   Tue, Apr 30 2002 - patchlevel p7

          + Just  one line change - in the multiuser mode there was spell
            mistake in my patch - If instead of 'if' word (Thanks to Akop
            Pogosian)
        Tue, Dec 11 2001 - patchlevel p6
               o Patchlevel  p5  is buggy - it was not a good idea not to
                 change  PATH_INFO,  since  cgiwrap leaves there the user
                 name.  Thanks  to  Ben  Logan <ben@wblogan.net> for hard
                 test  work.  Please update the patch to p6. Note that p4
                 is  working  correct, just PHP_SELF would not be set. p6
                 is working correct with PHP_SELF bug fixed.
        Fri, Dec 07 2001 - patchlevel p5 (buggy)
               o fixed  PHP_SELF problem (php read this variable from the
                 PATH_INFO  environment  variable, and cgiwrap should not
                 alter  that  variable (Thanks for noting this problem to
                 Cedric Veilleux <cedric@smashweb.com>)
               o now you can not use PHP indirectly
                 (http://server/cgi-bin/php-cgiwrap/user/script.php)
                 since   PHP  would  not  allow  it  when  compiled  with
                 force-cgi-redirect;
               o update for cgiwrap version 3.7.1
        Wed, Aug 29 2001
            (patchlevel p4) - update for cgiwrap version 3.7 release
        Mon, May 28 2001
            (patchlevel  p3)  - update for line number changes in cgiwrap
            cvs version;
        Mon, Jan 22 2001
            - with new php version, CVS cgiwrap version is a must;
        Tue, Oct 31 2000
            (patchlevel p2) - minor bug with macro definitions:
  -       execv(scriptPath, CreateARGV(scrStr, argc,argv));
  +#ifdef PATH_PROG_PHP
  +       if (PHP_Enable)
  +               execv(phpPath, CreateARGV(scriptPath, argc,argv));
  +       else
+ +#endif
  +               execv(scriptPath, CreateARGV(scrStr, argc,argv));
- +#endif
(Thanks to Steve Hsieh <steveh@eecs.umich.edu>).
        Wed, Jul 26 2000
            (patchlevel p1) - there was an error in the patch with script
            name.  If  the logging was enabled, cgiwrap displays error 0.
            (Thanks to i hang <ihang@infosede.com>).
         DOWNLOAD
                          cgiwrap-3.7.1-p7-withphp.diff.gz
            REQUIREMENTS Use the cgiwrap version 3.7.1.
         HOW TO INSTALL Follow the instructions:

         1. download cgiwrap, and the patch
         2. unpack it (gzip -d cgiwrap-3.7-p7-withphp.diff.gz)
         3. apply the patch, and compile To apply the patch use commands:
    cd cgiwrap-version # or cd cgiwrap
    gzip -dc cgiwrap-3.7-p7-withphp.diff.gz | gpatch -p1
    # (you have to use GNU patch for this)

    autoconf # to produce new configure file - do not skip this
    configure --with-php=/usr/local/bin/php ...
    gmake # etc.
            I use the following command to configure my site:

./configure --with-check-shell --with-rlimit-core=0 --with-rlimit-cpu=30 \
  --without-redirect-stderr --without-logging-file --with-perl=/usr/bin/perl \
  --with-httpd-user=www --with-cgi-dir=WWW \
  --with-install-dir=/usr/local/apache/WWW/cgi-bin --with-wall \
  --with-local-contact-email=root@man.torun.pl \
  --with-php=/usr/bin/php

            You  need  to change httpd-user value, paths etc. You have to
            use --with-php=/path/to/php, though.
         4. install   cgiwrappers:   "gmake  install"  will  install  two
            additional wrappers (hard links) php-cgiwrap and php-cgiwrapd
            into your cgi-bin server directory.
         5. PHP:
               o compile php as a normal program (not apache module);
               o use  --enable-discard-path  as configure argument, since
                 PATH_TRANSLATED is (for now) wrongly updated in cgiwrap;
                 php  would  set PATH_TRANSLATED from SCRIPT_FILENAME env
                 variable;
            The  most important is to compile php as an ordinary program,
            not  as  apache  module  (use --enable-discard-path configure
            option during php compilation).
         6. configure apache with:
    AddHandler php-cgiwrap .php
    Action php-cgiwrap /cgi-bin/php-cgiwrap
         7. reload apache
         8. test if it works

          On my site it is less or more configured with:

# for normal 'system cgi' scripts do not use cgiwrap:
<Location /cgi-bin>
AddHandler cgi-script .cgi
</Location>

# for other use it as needed:
AddHandler cgi-wrapper .cgi
Action cgi-wrapper /cgi-bin/cgiwrap

# that is specially for php developers:
AddHandler php-cgiwrap .php
AddHandler php-cgiwrap .php3
AddHandler php-cgiwrap .phtml
Action php-cgiwrap /cgi-bin/php-cgiwrap
Action php-cgiwrapd /cgi-bin/php-cgiwrapd

# in other place add index.php etc.

DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.phtml
 index.wml

  SEE ALSO

          See the cgiwrap homepage and cgiwrap mailing list.

          See also my post to cgiwrap mailing list.

          Look for CVS version of cgiwrap at:
          http://sourceforge.net/cvs/?group_id=8209

          See the mod_phpcgiwrap page at
          http://steven.haryan.to/mod_cgiwrap/mod_cgiwrap.html
