What about adding a cgi-version of php to /home/httpd/cgi-bin/ when emerging mod_php? The cgi-version has several advantages which the mod version doesn't have, e.g. suexec support.
I'm wondering if this should be done. You mention several advantages. The only one I am aware of is the suexec. The module version also outperforms the CGI by a long way. There would be security issues involved in adding it to the cgi-bin, as well as some problems with controlling which method gets run on {.php,.php3} files from Apache. Maybe this should warrant a separate cgi_php (need a better name!) ebuild? Additionally, this would be useful in supporting other HTTP servers instead of just Apache.
Well, this sounds OK. But there are no security issues with the cgi binary; it's indeed more secure than the mod_php version because of the suexec support (yes, that's the only, but very important, reason). I think the cgi_php or php-cgi name is OK.
It's quite possible to add a php-cgi ebuild now, using the php.eclass. I still need to discuss it with robbat2, though.
Using suPHP (www.suphp.org) would add some additional security.
On my own system I have a phpcli and a phpcgi binary. Well, I think the php cgi version should be in the system path and out of the webtree. You can then add a symlink from phpcli to php by default (and perhaps with USE flags you can define which one should be used for the php binary, e.g. whether the link phpcgi->php or phpcli->php should be made).
OK, one issue remains. What's the _correct_ location to put the cgi-bin php binary into? It shouldn't be named 'php' as it is meant to co-exist with /usr/bin and it shouldn't be on the system path by default.
It should be in the cgi dir, I think.
As of the 4.3.4-r1 series, we can now go for this. Everybody OK with /var/www/localhost/cgi-bin?
Is there a reason why it can't go in as /usr/bin/php-cgi? Stu
/usr/bin/php-cgi would be good IMHO. To get around the need for #! notation in the top of the .php files you can use the binfmt feature of the kernel, so there is no need to have it in the cgi-bin directory (which is bad, yet again IMHO). Here is a URL that mentions this: http://www.pookey.co.uk/php-secure.php *waiting happily for /usr/bin/php-cgi*
That #! hack is not good, as we will have both php and php-cgi binaries, and I personally write some scripts in PHP that aren't for web usage anyway. The person that wrote that doc you linked to wasn't that wise, as you could very easily get the same effect just with suexec and setting up Apache to run php-cgi itself (via suexec) and still not need #!. php-cgi is coming soon, I'm just testing out the package now. It's going in as /usr/bin/php-cgi
dev-php/php-cgi is now in the tree