{"id":67,"date":"2012-11-20T20:53:00","date_gmt":"2012-11-20T20:53:00","guid":{"rendered":"https:\/\/www.tech-and-dev.com\/blog\/2012\/11\/20\/installing-suphp-on-centos-with-virtualmin-webmin\/"},"modified":"2021-02-22T01:01:05","modified_gmt":"2021-02-22T01:01:05","slug":"installing-suphp-on-centos-with-virtualmin-webmin","status":"publish","type":"post","link":"https:\/\/www.tech-and-dev.com\/blog\/2012\/11\/installing-suphp-on-centos-with-virtualmin-webmin.html","title":{"rendered":"Installing suPHP on CentOS With Virtualmin\/Webmin"},"content":{"rendered":"
\n

 <\/p>\n

\"suPHP\"<\/a><\/div>\n

What is suPHP?<\/h2>\n
suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of the process executing the PHP interpreter.<\/div>\n
suPHP can enhance the security because the PHP scripts will\u00a0 run as the webserver user and not as “root” or “nobody”. So if a different webuser has a vulnerable script installed, it will not affect your scripts.<\/div>\n
<\/div>\n
<\/div>\n
\n

Installing suPHP<\/h2>\n<\/div>\n

Login to your root server using SSH
\nEnter the following command<\/p>\n

yum install mod_suphp<\/span><\/div>\n

If you get an error that the package doesn’t exist, you have to install RPMforge repository.<\/p>\n

If you don’t know what’s your server architecture (32 bit or 64 bit), you can find out using the following command:<\/p>\n

uname -i<\/span><\/div>\n


\n<\/b>
\nFor CentOS 6 64 bit:<\/b><\/p>\n

rpm -i http:\/\/packages.sw.be\/rpmforge-release\/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm<\/span><\/div>\n

For CentOS 6 32 bit:<\/b><\/p>\n

rpm -i http:\/\/packages.sw.be\/rpmforge-release\/rpmforge-release-0.5.2-2.el6.rf.i686.rpm<\/span><\/div>\n

For CentOS 5 64 bit:<\/b><\/p>\n

rpm -i http:\/\/packages.sw.be\/rpmforge-release\/rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm<\/span><\/div>\n

For CentOS 5 32 bit:<\/b><\/p>\n

rpm -i http:\/\/packages.sw.be\/rpmforge-release\/rpmforge-release-0.5.2-2.el5.rf.i386.rpm<\/span><\/div>\n

Now install mod_suphp again:<\/p>\n

yum install mod_suphp<\/span><\/div>\n
<\/div>\n
\n

 <\/p>\n

Configuring suPHP<\/h2>\n<\/div>\n
\n

After installing suPHP, you will have two new configuration files:
\n\/etc\/suphp.conf<\/b> – This is the configuration file for suPHP
\n\/etc\/httpd\/conf.d\/suphp.conf<\/b> – This is the configuration file for the suPHP and Apache module<\/p>\n

Edit the suPHP configuration file first:<\/span><\/b><\/p>\n

vi \/etc\/suphp.conf<\/span><\/div>\n
\n

Make sure that the value of webserver_user=apache<\/b><\/p>\n

webserver_user=apache<\/div>\n

Change the value x-httpd-php=php:\/usr\/bin\/php<\/b> to:<\/p>\n

x-httpd-php=”php:\/usr\/bin\/php-cgi”<\/div>\n

Change the value x-suphp-cgi=execute:!self<\/b> to:<\/p>\n<\/div>\n

x-suphp-cgi=”execute:!self”<\/div>\n

 <\/p>\n<\/div>\n

\n

That’s how your \/etc\/suphp.conf<\/b> should look like (You can just copy\/paste it if you want):<\/p>\n

\n

[global]
\nlogfile=\/var\/log\/httpd\/suphp_log
\nloglevel=info
\nwebserver_user=apache
\ndocroot=\/
\nenv_path=\/bin:\/usr\/bin
\numask=0022
\nmin_uid=500
\nmin_gid=500<\/p>\n

; Security options
\nallow_file_group_writeable=true
\nallow_file_others_writeable=false
\nallow_directory_group_writeable=true
\nallow_directory_others_writeable=false<\/p>\n

;Check wheter script is within DOCUMENT_ROOT
\ncheck_vhost_docroot=true<\/p>\n

;Send minor error messages to browser
\nerrors_to_browser=false<\/p>\n

[handlers]
\n;Handler for php-scripts
\nx-httpd-php=”php:\/usr\/bin\/php-cgi”<\/p>\n

;Handler for CGI-scripts
\nx-suphp-cgi=”execute:!self”<\/p>\n<\/div>\n

Edit \/etc\/httpd\/conf.d\/suphp.conf<\/span><\/b><\/p>\n

vi \/etc\/httpd\/conf.d\/suphp.conf<\/span><\/div>\n

Delete everything inside the \/etc\/httpd\/conf.d\/suphp.conf (or comment them), except the following line:<\/p>\n

LoadModule suphp_module modules\/mod_suphp.so<\/div>\n

We do this to disable suPHP globally, specially if you have more than one virtual host and more than one user, and we enable suPHP below on the virtual hosts in order to run the php scripts as their owner user.<\/p>\n

Editing httpd.conf<\/span><\/b>
\nGo to your Webmin tab => Servers => Apache Webservers => Global Configuration => Edit Config File<\/p>\n

\"Apache<\/a><\/div>\n

Make sure the \/etc\/httpd\/conf\/httpd.conf <\/b>is selected,
\nFind all the <virtualHost> directives and add the following inside everyone:<\/p>\n

suPHP_Engine on
\nsuPHP_UserGroup userName groupName<\/b><\/i>
\nAddHandler x-httpd-php .php .php3 .php4 .php5
\nsuPHP_AddHandler x-httpd-php<\/div>\n

Replace userName<\/b><\/i> and groupName<\/b><\/i> by your linux user and group respectively.<\/p>\n

If you don’t know what’s your userName<\/b> and groupName<\/b> are, go to VirtualMin<\/b> tab, choose the virtual server you’re editing and you will see the user and group name, in my case, it’s “lab” and “lab”<\/p>\n

\"lab<\/a><\/div>\n

My modified Virtual Host look like the following:<\/p>\n

<VirtualHost *:80>
\nSuexecUserGroup “#507” “#506”
\nServerName lab.tech-and-dev.com
\nServerAlias www.lab.tech-and-dev.com
\nDocumentRoot \/home\/lab\/public_html
\nScriptAlias \/cgi-bin\/ \/home\/lab\/cgi-bin\/
\nsuPHP_Engine on
\nsuPHP_UserGroup lab lab
\n<\/b>AddHandler x-httpd-php .php .php3 .php4 .php5
\nsuPHP_AddHandler x-httpd-php<\/div>\n

If you were using FastCgi (FCGI), you will have to remove (or comment) the following lines<\/p>\n

AddHandler fcgid-script .php
\nAddHandler fcgid-script .php5
\nFCGIWrapper \/home\/example\/fcgi-bin\/php5.fcgi .php
\nFCGIWrapper \/home\/example\/fcgi-bin\/php5.fcgi .php5<\/div>\n

Editing Virtual Hosts default Template<\/b><\/span>
\nOne last thing is we have to add suPHP as the default php handler for the new virtual hosts.<\/p>\n

    \n
  • Go to Virtualmin tab<\/li>\n
  • Click System Settings<\/li>\n
  • Click Server Templates<\/li>\n
  • Choose your template (or click on Default Settings if you haven’t created a template)<\/li>\n
  • On top, next to “Edit template section”, choose “Apache Website<\/b>“<\/li>\n
  • Below the DocumentRoot ${HOME}\/public_html<\/b>, add the following:<\/li>\n
  • \n
    suPHP_Engine on
    \nsuPHP_UserGroup ${USER} ${GROUP}
    \n<\/b>AddHandler x-httpd-php .php .php3 .php4 .php5
    \nsuPHP_AddHandler x-httpd-php<\/div>\n<\/li>\n
  • So overall it will look like this:<\/li>\n
  • \n
    ServerName ${DOM}
    \nServerAlias www.${DOM}
    \nDocumentRoot ${HOME}\/public_html
    \nsuPHP_Engine on
    \nsuPHP_UserGroup ${USER} ${GROUP}
    \nAddHandler x-httpd-php .php .php3 .php4 .php5
    \nsuPHP_AddHandler x-httpd-php
    \nErrorLog \/var\/log\/virtualmin\/${DOM}_error_log
    \nCustomLog \/var\/log\/virtualmin\/${DOM}_access_log combined<\/div>\n<\/li>\n
  • Scroll down and change Default PHP execution mode<\/b> to Apache mod_php (run as Apache’s user)<\/b><\/li>\n<\/ul>\n

    Restart Apache<\/span><\/b><\/p>\n

    service httpd restart<\/span><\/div>\n

    Try to access your website now.<\/p>\n<\/div>\n

    \n

    Problems and Solutions<\/h2>\n

    If you get a 500 error, make sure your directories and files permissions are correct. Directories should have permission 755 and files should have permission 644.<\/p>\n

    Any questions? Please leave your comment below!<\/b><\/p>\n

     <\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

      What is suPHP? suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of the process executing the PHP interpreter. suPHP can enhance the security because […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[48,17,11,6,22,7,81,41,82],"tags":[],"class_list":["post-67","post","type-post","status-publish","format-standard","hentry","category-apache","category-centos","category-commands","category-linux","category-php","category-ssh","category-suphp","category-virtualmin","category-webmin"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/posts\/67","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/comments?post=67"}],"version-history":[{"count":1,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/posts\/67\/revisions"}],"predecessor-version":[{"id":216,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/posts\/67\/revisions\/216"}],"wp:attachment":[{"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/media?parent=67"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/categories?post=67"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/tags?post=67"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}