LinuxQuestions.org
Old 04-27-2005, 05:38 PM   #1
maunded
LQ Newbie
 
Registered: Apr 2005
Posts: 9

Rep: Reputation: 0
Compiling Apache on production box


Hi,
Here's hoping that this is the right forum to post this question in, being my first post and all..

I am about to take delivery of 3 new web servers; currently we are running Apache2 & PHP5 on our production boxes. My question is, is it safe (security-wise) to compile and install Apache on the new production servers? What are the security implications of having all the required development tools for the compiling of Apache and PHP on the production boxes? If this isn't a good idea, how do I *move* the Apache and PHP binaries and related files from the compile box to the live servers?
Thanks!
Dean.
 
Old 04-28-2005, 09:06 AM   #2
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Adding Apache and PHP to a production server is fine. Millions of servers around the world run this setup every day. Of course, it's just like every other piece of software: stay on top of security updates. And code wisely with PHP.
 
Old 04-28-2005, 05:35 PM   #3
maunded
LQ Newbie
 
Registered: Apr 2005
Posts: 9

Original Poster
Rep: Reputation: 0
I guess I didn't word my question correctly; I'm more interested in the security implications of having the required tools for development, e.g. compilers, linkers, etc. (I'm not a C programmer), on the production box.
 
Old 05-01-2005, 03:35 PM   #4
twantrd
Senior Member
 
Registered: Nov 2002
Location: CA
Distribution: redhat 7.3
Posts: 1,440

Rep: Reputation: 52
What I would do is have 1 stage/test box and install the compilers on that box. For your 3 production web server boxes, do not install compilers. Just compile apache & php on the test box and throw the necessary config files/modules/libraries/binaries over to the 3 prod boxes.

By doing this, you have no compilers for the prod boxes which means that in the case where you do get hacked, the attacker cannot do a simple wget and grab a trojan and compile it. The attacker would have to su as root, grab a compiler and its dependencies and install it, which takes time.

-twantrd
 
Old 05-01-2005, 05:02 PM   #5
maunded
LQ Newbie
 
Registered: Apr 2005
Posts: 9

Original Poster
Rep: Reputation: 0
Thanks, that's what I thought. Now, is there anyone that can point me to information on which files/directories I need to move from the test box to the production box in regards to Apache and PHP?
 
Old 05-01-2005, 07:08 PM   #6
twantrd
Senior Member
 
Registered: Nov 2002
Location: CA
Distribution: redhat 7.3
Posts: 1,440

Rep: Reputation: 52
Are you compiling apache & php from source? If you do, then you would know this answer.

-twantrd
 
Old 05-02-2005, 12:10 AM   #7
maunded
LQ Newbie
 
Registered: Apr 2005
Posts: 9

Original Poster
Rep: Reputation: 0
Yes, I do compile from source (is there any other way?)
I've never had much time to go into the details of what make, make install etc. does... I'm guessing it's make install that copies all the files to the right locations... am I getting warm?

As a side note, I joined this forum because I was looking for answers to questions, not just "You should know the answer"; if I knew the answer, then I wouldn't have bothered posting, right?
 
Old 05-02-2005, 01:14 AM   #8
maunded
LQ Newbie
 
Registered: Apr 2005
Posts: 9

Original Poster
Rep: Reputation: 0
For those that may also be searching for an answer to this question, here's a reply I got from another forum... it might be obvious to some...

<quote>
If the OS on the testbox has the same version as the OS on the production server,
then I would suggest you compile and install them in a separate directory (usually the default path is /usr/local).

Basically, say you install them all under /opt/local with
./configure --prefix=/opt/local/<package name> # <=== package name like apache213, php411...
Then you make the symbolic link from /opt/local/<package name>/bin/<executable filename> to /opt/local/bin
such as
cd /opt/local/bin
ln -s ../apache213/bin/httpd . # <=== use a relative path instead of an absolute path.

If everything tests OK, then you just copy /opt/local over to the production server.
Or put /opt/local on an NFS server and mount it on the production server as /opt/local.
</quote>
 
Old 05-02-2005, 08:29 PM   #9
twantrd
Senior Member
 
Registered: Nov 2002
Location: CA
Distribution: redhat 7.3
Posts: 1,440

Rep: Reputation: 52
Quote:
Yes, I do compile from source (is there any other way?)
Yes, there are. If you are on redhat, then you can just install the rpm packages. If you are on debian, you can do an apt-get and so forth. There are other ways of getting the packages installed.

Quote:
As a side note, I joined this forum because I was looking for answers to questions, not just "You should know the answer", if I knew the answer, then I wouldnt have bothered posting right?
That might've sounded mean on my end and I didn't mean it that way. This forum is designed to help people and not give the answers out unless it's obvious that you have tried attempting to solve your problem. It just sounded to me that you wanted a quick answer without attempting to find the answer yourself. That was what I was trying to get at.

Ok, so let's take a different approach. Where are you stuck and which part have you done?

-twantrd
 
Old 05-02-2005, 08:46 PM   #10
maunded
LQ Newbie
 
Registered: Apr 2005
Posts: 9

Original Poster
Rep: Reputation: 0
Quote:
Yes there are. If you are on redhat, then you can just install the rpm packages. If you are on debian, you can do an apt-get and so forth. There's others ways of getting the packages installed.
Sure, I understand that, I guess I must have misunderstood your answer where you asked if I was compiling from source, as I see using RPMs or apt-get as simply installing pre-compiled binaries, not compiling yourself.

Quote:
It just sounded to me that you wanted a quick answer without attempting to find the answer yourself.
You are right, I was searching for a quick answer. We are currently in the middle of an office move and server upgrade, so I don't quite have time to be trawling through Google looking for answers, although I did spend an hour or so trying to find an answer to my question. I guess I was asking Google the wrong question.

I did find an answer to my question as you will see above. Though, this didn't quite answer my question properly. What I am trying to do is compile Apache, PHP5, FreeTDS and a few others on a test box then move them to the production servers, the goal being not to have to have gcc, make, etc. on the production servers. The test hardware and software will be exactly the same as the production box, so no problem there. My main issue is that I don't know where Apache, PHP5 and the rest put all their required files. From the answer I got on another forum it suggests that if I compile using the --prefix switch, then the software will be installed in whichever directory I specify, e.g. if I use --prefix=/software/apache2 then Apache (for example) will be installed into /software/apache2. Where I am having trouble is when I compile PHP5 for example, the php.ini file expects to be in /usr/lib, and also with FreeTDS, the config files are in /usr/etc. Are there other files that go into other directories that I don't know about? If I compile PHP with --prefix=/software/php and then just copy the /software/php to another server, will PHP still work?

I hope this is a bit clearer
 
Old 05-03-2005, 01:24 AM   #11
twantrd
Senior Member
 
Registered: Nov 2002
Location: CA
Distribution: redhat 7.3
Posts: 1,440

Rep: Reputation: 52
That pretty much should work. If you specify './configure --prefix=/blahblah' then that would be the top directory for all your configs, libs, and so forth. So moving that over to your new box should work. Try that and run it. If it doesn't work, it should spit out an error message stating that it's missing something and that's when you start debugging. But if you're moving the top directory tree over, you're pretty much 80%+ done. I haven't done that in a while so I'm not sure what extra steps are needed.

If you tried that and still get stumped and you have exhausted your brain muscles then another approach would be to remove the compiler afterwards (gcc and g++ binaries) on your new box. Just another suggestion.

-twantrd
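
An added example, not written by any poster in this thread: two shell helpers for the build-on-a-test-box workflow discussed above. One reports build tools found in given directories on a production box; the other, run on the test box, lists files that `make install` wrote outside the `--prefix` tree. The function names, the tool list and the directories scanned are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: checks for the "compile on test box, copy prefix to prod" workflow.
# Function names, tool list and scanned directories are illustrative assumptions.

# Print every build tool found as an executable file in the given directories.
# On a production box the expected output is empty.
find_build_tools() {
    for dir in "$@"; do
        for tool in gcc g++ cc c++ make ld as; do
            if [ -x "$dir/$tool" ] && [ ! -d "$dir/$tool" ]; then
                printf '%s\n' "$dir/$tool"
            fi
        done
    done
}

# Print files modified after MARKER that are NOT under PREFIX.
# Usage on the test box:
#   touch /tmp/marker
#   make install
#   files_outside_prefix /tmp/marker /software/php /usr /etc
# Anything listed (a php.ini under /usr/lib, configs under /usr/etc, ...)
# has to be copied to production in addition to the prefix tree.
# PREFIX must be written exactly as find will print it (no trailing slash).
# Files installed with preserved timestamps (e.g. "install -p") are missed.
files_outside_prefix() {
    marker=$1; prefix=$2; shift 2
    find "$@" -path "$prefix" -prune -o -type f -newer "$marker" -print | sort
}

# Run as: sh audit.sh --audit   (checks the usual binary directories)
if [ "${1:-}" = "--audit" ]; then
    find_build_tools /bin /usr/bin /usr/local/bin
fi
```
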
 
Old 05-03-2005, 01:38 AM   #12
maunded
LQ Newbie
 
Registered: Apr 2005
Posts: 9

Original Poster
Rep: Reputation: 0
That's great, cheers... I'll give it a go over the next few days and see what happens.
 
  

