What is suPHP?
suPHP is a tool for executing PHP scripts with the permissions
of their owners. It consists of an Apache module (mod_suphp) and a
setuid root binary (suphp) that is called by the Apache module to
change the uid of the process executing the PHP interpreter.
suPHP can enhance security because PHP scripts run as the user who owns them and not as "root" or "nobody". So if a different web user has a vulnerable script installed, it will not affect your scripts.
Installing suPHP
Enter the following command:
yum install mod_suphp
If you get an error that the package doesn't exist, you have to install the RPMforge repository.
If you don't know your server architecture (32 bit or 64 bit), you can find out using the following command:
uname -i
For CentOS 6 64 bit:
rpm -i http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
For CentOS 6 32 bit:
rpm -i http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm
For CentOS 5 64 bit:
rpm -i http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm
For CentOS 5 32 bit:
rpm -i http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.i386.rpm
Now install mod_suphp again:
yum install mod_suphp
Configuring suPHP
After installing suPHP, you will have two new configuration files:
/etc/suphp.conf - This is the configuration file for suPHP
/etc/httpd/conf.d/suphp.conf - This is the configuration file for the suPHP Apache module
Edit the suPHP configuration file first:
vi /etc/suphp.conf
Make sure that the value of webserver_user is apache:
webserver_user=apache
Change the value x-httpd-php=php:/usr/bin/php to:
x-httpd-php="php:/usr/bin/php-cgi"
Change the value x-suphp-cgi=execute:!self to:
x-suphp-cgi="execute:!self"
This is how your /etc/suphp.conf should look (you can just copy and paste it if you want):
[global]
logfile=/var/log/httpd/suphp_log
loglevel=info
webserver_user=apache
docroot=/
env_path=/bin:/usr/bin
umask=0022
min_uid=500
min_gid=500
; Security options
allow_file_group_writeable=true
allow_file_others_writeable=false
allow_directory_group_writeable=true
allow_directory_others_writeable=false
;Check whether script is within DOCUMENT_ROOT
check_vhost_docroot=true
;Send minor error messages to browser
errors_to_browser=false
[handlers]
;Handler for php-scripts
x-httpd-php="php:/usr/bin/php-cgi"
;Handler for CGI-scripts
x-suphp-cgi="execute:!self"
Edit /etc/httpd/conf.d/suphp.conf
vi /etc/httpd/conf.d/suphp.conf
Delete everything inside /etc/httpd/conf.d/suphp.conf (or comment it out), except the following line:
LoadModule suphp_module modules/mod_suphp.so
We do this to disable suPHP globally, especially if you have more than one virtual host and more than one user; we then enable suPHP below on each virtual host so that PHP scripts run as their owner user.
Editing httpd.conf
Go to your Webmin tab => Servers => Apache Webservers => Global Configuration => Edit Config File
Make sure /etc/httpd/conf/httpd.conf is selected.
Find all the <VirtualHost> directives and add the following inside each one:
suPHP_Engine on
suPHP_UserGroup userName groupName
AddHandler x-httpd-php .php .php3 .php4 .php5
suPHP_AddHandler x-httpd-php
Replace userName and groupName with your Linux user and group respectively.
If you don't know your userName and groupName, go to the Virtualmin tab and choose the virtual server you're editing; you will see the user and group name. In my case, they are "lab" and "lab".
My modified virtual host looks like the following:
<VirtualHost *:80>
SuexecUserGroup "#507" "#506"
ServerName lab.tech-and-dev.com
ServerAlias www.lab.tech-and-dev.com
DocumentRoot /home/lab/public_html
ScriptAlias /cgi-bin/ /home/lab/cgi-bin/
suPHP_Engine on
suPHP_UserGroup lab lab
AddHandler x-httpd-php .php .php3 .php4 .php5
suPHP_AddHandler x-httpd-php
</VirtualHost>
If you were using FastCGI (FCGI), you will have to remove (or comment out) the following lines:
AddHandler fcgid-script .php
AddHandler fcgid-script .php5
FCGIWrapper /home/example/fcgi-bin/php5.fcgi .php
FCGIWrapper /home/example/fcgi-bin/php5.fcgi .php5
Editing Virtual Hosts default Template
One last thing: we have to add suPHP as the default PHP handler for new virtual hosts.
- Go to Virtualmin tab
- Click System Settings
- Click Server Templates
- Choose your template (or click on Default Settings if you haven't created a template)
- On top, next to "Edit template section", choose "Apache Website"
- Below the DocumentRoot ${HOME}/public_html, add the following:
suPHP_Engine on
suPHP_UserGroup ${USER} ${GROUP}
AddHandler x-httpd-php .php .php3 .php4 .php5
suPHP_AddHandler x-httpd-php
- So overall it will look like this:
ServerName ${DOM}
ServerAlias www.${DOM}
DocumentRoot ${HOME}/public_html
suPHP_Engine on
suPHP_UserGroup ${USER} ${GROUP}
AddHandler x-httpd-php .php .php3 .php4 .php5
suPHP_AddHandler x-httpd-php
ErrorLog /var/log/virtualmin/${DOM}_error_log
CustomLog /var/log/virtualmin/${DOM}_access_log combined
- Scroll down and change Default PHP execution mode to Apache mod_php (run as Apache's user)
Restart Apache
service httpd restart
Try to access your website now.
Problems and Solutions
If you get a 500 error, make sure your directory and file permissions are correct. Directories should have permission 755 and files should have permission 644.
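An added example (not part of the original tutorial or of suPHP) for the 500-error case above: a shell audit that lists files and directories writable by others, which the allow_file_others_writeable=false and allow_directory_others_writeable=false settings in /etc/suphp.conf do not permit, plus anything not owned by the user given to suPHP_UserGroup. The helper names suphp_audit and suphp_fix_perms are hypothetical.

```shell
#!/bin/sh
# Added example: audit a virtual host's document root before blaming suPHP
# for a 500 error. suphp_audit and suphp_fix_perms are hypothetical helper
# names, not part of suPHP.

# Usage: suphp_audit DOCROOT OWNER
#   DOCROOT  e.g. /home/lab/public_html
#   OWNER    the user given to suPHP_UserGroup (name or numeric uid)
# Prints one "REASON path" line per finding; returns 1 if anything was found.
suphp_audit() {
    docroot=$1
    owner=$2
    findings=$(
        # allow_file_others_writeable=false in /etc/suphp.conf
        find "$docroot" -type f -perm -0002 | sed 's/^/FILE_OTHERS_WRITABLE /'
        # allow_directory_others_writeable=false
        find "$docroot" -type d -perm -0002 | sed 's/^/DIR_OTHERS_WRITABLE /'
        # Scripts are meant to run as their owner, so foreign files stand out
        find "$docroot" ! -user "$owner" | sed 's/^/OWNER_MISMATCH /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Apply the modes recommended above: 755 for directories, 644 for files.
suphp_fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Stand-alone use: sh suphp_audit.sh /home/lab/public_html lab
if [ "$#" -ge 2 ]; then
    suphp_audit "$1" "$2"
fi
```

Run the audit first and read the findings before calling suphp_fix_perms, since a blanket 644 also removes the execute bit from any CGI scripts under the document root.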