
Apache with mod_suphp


November 11, 2011 by admin

On most Apache servers, PHP runs as an Apache module (mod_php).
This means that it runs as the Apache user (apache) and does not need the execute bit set on your scripts.
Under this mode, any file or directory that you want your PHP scripts to be able to write to needs 777 permissions (i.e. read/write/execute at user, group and world level).
To execute a PHP file in this mode, it simply needs to be world readable.
The problem with this setup is that, in theory, every other user on the same server can read your PHP files. Allowing other users to read your HTML files is fine, since that is what they are for, but PHP files are not meant to be readable; they are meant to be parsed.
Many scripts store, for example, a database username and password in a PHP file, so every client on that server could read your PHP files, retrieve your password and access your databases.
This is clearly not very secure.
So what can be done? This is where systems like suPHP and PHPSuexec come into play.
suPHP and PHPSuexec make PHP run as CGI under your own user and group.
This means that with suexec enabled your PHP scripts are executed as your user, and you no longer need 777 permissions on your files and folders.
In fact, if you use 777 permissions on your scripts or directories, they will not run at all and will instead cause a 500 Internal Server Error when accessed.
This is done to protect you from someone abusing your scripts.
When suPHP or PHPSuexec is enabled, your scripts can have at most 644 permissions (i.e. read/write by you, read by everyone else) and directories at most 755 (i.e. read/write/execute by you, read/execute by everyone else).
In summary, PHP running as CGI under suexec is much more secure than the older Apache module method.

This howto will walk you through setting up suPHP on Red Hat, CentOS and Scientific Linux.

yum install mod_suphp

Next we need to disable mod_php and configure mod_suphp.

To disable mod_php, rename php.conf:

mv /etc/httpd/conf.d/php.conf /etc/httpd/conf.d/php.conf.disable

Next, configure suPHP.

Open suphp.conf in your favorite editor:

vi /etc/suphp.conf


[global]
logfile=/var/log/httpd/suphp_log
loglevel=info
webserver_user=apache
docroot=/var/www
env_path=/bin:/usr/bin
umask=0077
min_uid=500
min_gid=500

; Security options
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false

;Check whether script is within DOCUMENT_ROOT
check_vhost_docroot=true

;Send minor error messages to browser
errors_to_browser=false

[handlers]
;Handler for php-scripts
#x-httpd-php=php:/usr/bin/php
x-httpd-php="php:/usr/bin/php-cgi"

;Handler for CGI-scripts
x-suphp-cgi=execute:!self

Next, configure Apache's suphp.conf, located in /etc/httpd/conf.d:

vi /etc/httpd/conf.d/suphp.conf


LoadModule suphp_module modules/mod_suphp.so
suPHP_Engine On
# Use suPHP to parse PHP files
AddHandler x-httpd-php .php .php4 .php3 .phtml
suPHP_AddHandler x-httpd-php

Next, configure the Apache virtual host.
I added mine here: /etc/httpd/conf/httpd.conf
At the very bottom of the file add:

<VirtualHost *:80>
# port 80 assumed; change it if this host is served on another port
ServerName www.example.com
ServerAlias www.example.com
DocumentRoot /var/www/vhosts/www.example.com/web/
<Directory /var/www/vhosts/www.example.com/web/>
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
DirectoryIndex index.php index.html index.cgi index.htm index.php4
suPHP_Engine on
suPHP_UserGroup example example
AddHandler x-httpd-php .php .php3 .php4 .php5
suPHP_AddHandler x-httpd-php
ScriptAlias /cgi-bin/ /var/www/vhosts/www.example.com/web/cgi-bin/
SetEnv PHPRC /var/www/vhosts/www.example.com/etc/
ErrorDocument 404 /404.html
ServerAdmin webmaster@example.com
</VirtualHost>
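Before restarting Apache it is worth checking the document root for the conditions suPHP refuses (group- or other-writable files and directories, owners below min_uid/min_gid), since each of them turns into a 500 error once mod_php is gone. The following POSIX shell script is an added example, not part of the original post or of the suPHP project; the function names are mine and the 500 defaults are taken from the suphp.conf above.

```shell
#!/bin/sh
# Pre-flight audit for a suPHP document root. Lists everything suPHP will refuse
# to execute once mod_php is disabled, so it can be fixed before Apache restarts.
# The checks mirror the suphp.conf above: no group/other-writable files or
# directories, and no owner uid/gid below min_uid/min_gid (500 on this setup).

# Files and directories writable by group or others (777, 775, 666, ...).
suphp_find_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -g=w -o -perm -o=w \)
}

# Entries owned by a uid or gid below the configured minimum, i.e. system
# accounts. GNU find's "-uid -N" means "uid less than N" (same for -gid).
suphp_find_low_owner() {
    find "$1" \( -type f -o -type d \) \( -uid "-$2" -o -gid "-$3" \)
}

# suphp_audit DOCROOT [MIN_UID] [MIN_GID]
# Prints offending paths and returns 1 if any were found, 0 if the tree is clean.
suphp_audit() {
    root=$1
    min_uid=${2:-500}
    min_gid=${3:-500}
    bad=$( { suphp_find_writable "$root"
             suphp_find_low_owner "$root" "$min_uid" "$min_gid"; } | sort -u )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Apply the limits from the text: directories 755, files 644. Files under
# cgi-bin keep their mode, since CGI scripts need the execute bit.
suphp_fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f ! -path '*/cgi-bin/*' -exec chmod 644 {} +
}

# Example run against the vhost above (uncomment to use):
# suphp_audit /var/www/vhosts/www.example.com/web/ 500 500 || \
#     suphp_fix_perms /var/www/vhosts/www.example.com/web/
```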
