November 11, 2011 by admin
On most Apache servers PHP runs as an Apache module (mod_php).
This means the interpreter lives inside the httpd process: every PHP script on the server runs as the web server user (apache), and a script file needs no execute flag, only read permission for that user.
Under this mode, any file or directory that your PHP scripts need to write to must be writable by the apache user. On a shared host, where you cannot give apache ownership of your files, that usually means 777 permissions (read/write/execute at user, group and world level).
In order to execute a PHP file in this mode, it simply needs to be readable by apache, which in practice means world readable.
The problem with this setup is that it allows every other user on the same server to read your PHP files: directly, if they have shell access, and through their own PHP scripts, which also run as apache. Allowing other users to read your HTML files is fine, since that is what they are for, but PHP files are not meant to be read, they are meant to be parsed.
Many scripts store a database username and password in a PHP file, so every other customer on that server could read your PHP files, retrieve your password and access your databases.
This is clearly not secure.
So what can be done? This is where systems like suPHP and PHPSuexec come into play.
suPHP and PHPSuexec make PHP run as a CGI program under your own user and group.
This means that with suexec enabled your PHP scripts are executed as your user, so your files and folders no longer need 777 permissions.
In fact, if you use 777 permissions on your scripts or directories they will not run at all: suPHP refuses to execute a script that is group- or world-writable, or that sits in such a directory, and Apache returns a 500 Internal Server Error instead.
This is done to protect you: now that the scripts run with your privileges, anyone on the server who could write to them could run code as you.
When suPHP or PHPSuexec is enabled, your scripts can have at most 644 permissions (i.e. read/write by you, read by everyone else) and directories at most 755 (i.e. read/write/execute by you, read/execute by everyone else). The files must also belong to the user and group suPHP runs them as.
So in summary, PHP running as CGI under suexec is much more secure than the older Apache module method.
This howto will walk you through setting up suPHP on Red Hat, CentOS and Scientific Linux.
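Before enabling suPHP on an existing site it pays to find the 777 leftovers in advance rather than discovering them as 500 errors one page at a time. The script below is an added example (not code from the original post or from the suPHP project): it lists every file or directory under a document root that suPHP, with its default suphp.conf security settings (allow_file_group_writeable, allow_file_others_writeable, allow_directory_group_writeable and allow_directory_others_writeable all false), would refuse, plus anything not owned by the account the site runs as, and can apply the 644/755 limits described above. It assumes GNU find (`-perm /MODE`, `-printf`); the document root and the `example` user/group are the post's own example names.

```shell
#!/bin/sh
# suphp_audit.sh: find (and optionally fix) the permission problems that make
# suPHP refuse to run a script, which Apache reports as a 500 Internal Server
# Error. Added example, not code from the original post or from suPHP.
# Assumes GNU find (-perm /MODE, -printf) and the default suphp.conf security
# options, under which anything group- or world-writable is rejected and a
# script must be owned by the user it is run as (suPHP_UserGroup).

# suphp_audit DOCROOT USER GROUP
# Prints one "REASON PATH" line per offending entry; nothing when clean.
suphp_audit() {
    docroot=$1; user=$2; group=$3
    # Files that group or others can write: the 777 leftovers from mod_php days.
    find "$docroot" -type f -perm /022 -printf 'FILE_WRITABLE %p\n'
    # Directories that group or others can write (upload dirs are the usual case).
    find "$docroot" -type d -perm /022 -printf 'DIR_WRITABLE %p\n'
    # Anything not owned by the account suPHP will switch to.
    find "$docroot" \( ! -user "$user" -o ! -group "$group" \) \
        -printf 'OWNER_MISMATCH %p\n'
}

# suphp_fix DOCROOT USER GROUP
# Applies the limits the post describes: PHP files 644, everything else loses
# group/world write (directories end up 755, CGI scripts keep their execute bit),
# and the whole tree is owned by USER:GROUP.
suphp_fix() {
    docroot=$1; user=$2; group=$3
    chown -R "$user:$group" "$docroot"
    find "$docroot" -perm /022 -exec chmod go-w {} +
    # PHP scripts are fed to php-cgi, never executed directly, so they do not
    # need an execute bit; pin them to exactly 644.
    find "$docroot" -type f \( -name '*.php' -o -name '*.php[345]' -o -name '*.phtml' \) \
        -exec chmod 644 {} +
}

# Exit status 0 when suphp_audit reports nothing, 1 otherwise.
suphp_is_clean() {
    [ -z "$(suphp_audit "$@")" ]
}

# Usage (paths and account taken from the post's example vhost):
#   sh suphp_audit.sh audit /var/www/vhosts/www.example.com/web example example
#   sh suphp_audit.sh fix   /var/www/vhosts/www.example.com/web example example
case "${1:-}" in
    audit) shift; suphp_audit "$@"; suphp_is_clean "$@" ;;
    fix)   shift; suphp_fix "$@" ;;
esac
```

Run the audit as the site owner (or root) before switching the vhost over; `fix` is deliberately blunt and assumes nothing under the document root needs to stay group-writable, which is exactly the assumption suPHP's defaults make.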
mod_suphp is packaged in the EPEL repository, so enable EPEL first, then install it:
yum install mod_suphp
Next we need to disable mod_php and configure mod_suphp.
To disable mod_php, rename php.conf so Apache no longer loads the module:
mv /etc/httpd/conf.d/php.conf /etc/httpd/conf.d/php.conf.disable
Next, configure suPHP itself.
Open /etc/suphp.conf in your favorite editor. The settings to review sit under these comments in the file:
; Security options
;Check whether script is within DOCUMENT_ROOT
;Send minor error messages to browser
;Handler for php-scripts
;Handler for CGI-scripts
Leave the security options at their defaults (group- and world-writable scripts and directories are refused), keep the DOCUMENT_ROOT check enabled so a script cannot be executed from outside the virtual host that requested it, keep error messages out of the browser since they reveal paths and configuration details, and make sure the php handler points at the php-cgi binary installed on your system.
Next, configure Apache's own suphp.conf, located in /etc/httpd/conf.d. It loads the module and tells Apache which extensions suPHP handles:
LoadModule suphp_module modules/mod_suphp.so
# To use suPHP to parse PHP files
AddHandler x-httpd-php .php .php3 .php4 .phtml
Next, configure the Apache virtual host.
I added mine here /etc/httpd/conf/httpd.conf
At the very bottom of the file add the site's <VirtualHost> block; the suPHP-relevant directives inside it are shown below. suPHP_UserGroup names the user and group the site's scripts run as, so it must match the owner of the files under the document root:
Options Indexes FollowSymLinks
Allow from all
DirectoryIndex index.php index.html index.cgi index.htm index.php4
suPHP_UserGroup example example
AddHandler x-httpd-php .php .php3 .php4 .php5
ScriptAlias /cgi-bin/ /var/www/vhosts/www.example.com/web/cgi-bin/
SetEnv PHPRC /var/www/vhosts/www.example.com/etc/
ErrorDocument 404 /404.html
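The walkthrough above shows the suphp.conf section headings and the vhost directives but not the surrounding files. The script below is an added example (not code from the original post or from the suPHP project) that writes all three pieces in full and checks the security-relevant suphp.conf values before Apache is restarted. Everything it assumes is labelled: the EPEL mod_suphp layout on RHEL/CentOS 6 (php-cgi at /usr/bin/php-cgi, suPHP config at /etc/suphp.conf, Apache drop-ins under /etc/httpd/conf.d), docroot=/var/www/vhosts and min_uid/min_gid=500 as values for the post's example site, the ServerName/DocumentRoot/Directory wrapper lines the post leaves out, the suPHP_Engine and suPHP_AddHandler directives mod_suphp needs alongside AddHandler, and the vhost written as a conf.d drop-in rather than appended to httpd.conf. It also drops `Indexes` from `Options`, since directory listings expose the site tree. The PREFIX argument is prepended to every path so the functions can be exercised in a scratch directory first.

```shell
#!/bin/sh
# suphp_setup.sh: the configuration from the walkthrough written out in full,
# plus a check of the security-relevant settings before httpd is restarted.
# Added example, not code from the original post or the suPHP project.
# Assumptions: EPEL mod_suphp layout (php-cgi at /usr/bin/php-cgi, config at
# /etc/suphp.conf, drop-ins in /etc/httpd/conf.d), the post's example site
# (user/group "example", docroot /var/www/vhosts/www.example.com/web), and
# docroot=/var/www/vhosts, min_uid/min_gid=500 chosen for that layout.
# Every function takes PREFIX ("" for the live system) as its first argument.

write_suphp_conf() {
    mkdir -p "$1/etc"
    cat > "$1/etc/suphp.conf" <<'EOF'
[global]
logfile=/var/log/httpd/suphp.log
loglevel=info
;User Apache is running as
webserver_user=apache
;Path all scripts have to be in (assumed layout)
docroot=/var/www/vhosts
; Security options: refuse anything the owner is not the only writer of
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false
;Check whether script is within DOCUMENT_ROOT
check_vhost_docroot=true
;Send minor error messages to browser (off: they leak paths and settings)
errors_to_browser=false
env_path=/bin:/usr/bin
;Umask to set, specify in octal notation
umask=0077
; Never run scripts as a system account (assumed: site users are >= 500)
min_uid=500
min_gid=500

[handlers]
;Handler for php-scripts
x-httpd-php="php:/usr/bin/php-cgi"
;Handler for CGI-scripts
x-httpd-cgi="execute:!self"
EOF
}

write_apache_suphp_conf() {
    mkdir -p "$1/etc/httpd/conf.d"
    cat > "$1/etc/httpd/conf.d/suphp.conf" <<'EOF'
LoadModule suphp_module modules/mod_suphp.so
<IfModule mod_suphp.c>
    # To use suPHP to parse PHP files
    AddHandler x-httpd-php .php .php3 .php4 .php5 .phtml
    suPHP_AddHandler x-httpd-php
    suPHP_Engine on
</IfModule>
EOF
}

write_vhost() {
    mkdir -p "$1/etc/httpd/conf.d"
    cat > "$1/etc/httpd/conf.d/www.example.com.conf" <<'EOF'
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/vhosts/www.example.com/web
    <Directory /var/www/vhosts/www.example.com/web>
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    DirectoryIndex index.php index.html index.cgi index.htm index.php4
    # Run this site's scripts as its own account, never as apache
    suPHP_Engine on
    suPHP_UserGroup example example
    AddHandler x-httpd-php .php .php3 .php4 .php5
    suPHP_AddHandler x-httpd-php
    ScriptAlias /cgi-bin/ /var/www/vhosts/www.example.com/web/cgi-bin/
    SetEnv PHPRC /var/www/vhosts/www.example.com/etc/
    ErrorDocument 404 /404.html
</VirtualHost>
EOF
}

# verify_suphp_conf PREFIX: 0 if every security setting has its safe value,
# 1 (with a message on stderr) if one is missing or was flipped.
verify_suphp_conf() {
    conf="$1/etc/suphp.conf"; rc=0
    for want in allow_file_group_writeable=false allow_file_others_writeable=false \
            allow_directory_group_writeable=false allow_directory_others_writeable=false \
            check_vhost_docroot=true errors_to_browser=false; do
        grep -qx "$want" "$conf" || { echo "unsafe or missing: $want" >&2; rc=1; }
    done
    grep -Eq '^min_uid=[1-9][0-9]*$' "$conf" || { echo "missing: min_uid" >&2; rc=1; }
    return $rc
}

# "sh suphp_setup.sh install" as root performs the real installation.
if [ "${1:-}" = install ]; then
    yum -y install mod_suphp
    mv /etc/httpd/conf.d/php.conf /etc/httpd/conf.d/php.conf.disable
    write_suphp_conf "" && write_apache_suphp_conf "" && write_vhost ""
    verify_suphp_conf "" && service httpd restart
fi
```

The verify step is the part worth keeping around: a later package update or a well-meaning edit that sets errors_to_browser=true or relaxes the writeable checks silently undoes most of what suPHP was installed for.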
Category: Apache