suPHP is a tool that allows PHP scripts to be executed with the permissions of their owners. By not running PHP script using web server’s user rights, suPHP increase the server security.
First install httpd-devel and compiler tools:
yum install httpd-devel gcc gcc-c++ make
Download suPHP source code and extract it
wget http://www.suphp.org/download/suphp-0.7.1.tar.gz
tar -xvzf suphp-0.7.1.tar.gz
cd suphp-0.7.1
Now we compile suPHP
./configure --with-apxs=/usr/sbin/apxs --with-apache-user=apache --with-logfile=/var/log/httpd/suphp_log --with-setid-mode=paranoid --sysconfdir=/etc --with-apr=/usr/bin/apr-1-config --with-php=/usr/bin/php-cgi --enable-SUPHP_USE_USERGROUP=yes
make
make install
Next create suphp.conf to configure Apache so it will call suPHP for interpreting PHP scripts
nano /etc/httpd/conf.d/suphp.conf
Add this configuration:
LoadModule suphp_module modules/mod_suphp.so
suPHP_Engine on
AddType application/x-httpd-php .php
<Directory />
suPHP_AddHandler application/x-httpd-php
</Directory>
Save the file and the next step is to disable mod_php configuration as we are now using suPHP
mv /etc/httpd/conf.d/php.conf /etc/httpd/conf.d/php.conf.disabled
After we finished with Apache configuration, next we create suphp.conf file which contain suPHP configuration
nano /etc/suphp.conf
and copy this to the new file:
[global]
;Path to logfile
logfile=/var/log/suphp.log
;Loglevel
loglevel=info
;User Apache is running as
webserver_user=apache
;Path all scripts have to be in
docroot=/var/www:${HOME}/public_html
;Path to chroot() to before executing script
;chroot=/mychroot
; Security options
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false
;Check wheter script is within DOCUMENT_ROOT
check_vhost_docroot=true
;Send minor error messages to browser
errors_to_browser=false
;PATH environment variable
env_path=/bin:/usr/bin
;Umask to set, specify in octal notation
umask=0077
; Minimum UID
min_uid=0
; Minimum GID
After Apache and suPHP is configured, we need to add suPHP_UserGroup option on each virtual hosting we hosted on the server. For example, the domain.com virtual host would look like:
<VirtualHost 192.168.0.1:80>
DocumentRoot /home/user/public_html
<Directory "/home/user/public_html">
allow from all
Options +Indexes
</Directory>
ServerName domain.com
ErrorLog /var/log/httpd/domain.com
LogLevel warn
suPHP_UserGroup user user
</VirtualHost>
"user" should be replaced with the real username on your server who own the PHP scripts. Make sure all file owned by the "user" username otherwise you’ll get 500 error code (Internal Server Error).
Now let's test the configuration
service httpd configtest
if everything is OK, restart the Apache server
service httpd restart
Bookmark and Share
Related Article
http://markus.revti.com/2010/03/installing-suphp-on-centos-5/
First install httpd-devel and compiler tools:
yum install httpd-devel gcc gcc-c++ make
Download suPHP source code and extract it
wget http://www.suphp.org/download/suphp-0.7.1.tar.gz
tar -xvzf suphp-0.7.1.tar.gz
cd suphp-0.7.1
Now we compile suPHP
./configure --with-apxs=/usr/sbin/apxs --with-apache-user=apache --with-logfile=/var/log/httpd/suphp_log --with-setid-mode=paranoid --sysconfdir=/etc --with-apr=/usr/bin/apr-1-config --with-php=/usr/bin/php-cgi --enable-SUPHP_USE_USERGROUP=yes
make
make install
Next create suphp.conf to configure Apache so it will call suPHP for interpreting PHP scripts
nano /etc/httpd/conf.d/suphp.conf
Add this configuration:
LoadModule suphp_module modules/mod_suphp.so
suPHP_Engine on
AddType application/x-httpd-php .php
<Directory />
suPHP_AddHandler application/x-httpd-php
</Directory>
Save the file and the next step is to disable mod_php configuration as we are now using suPHP
mv /etc/httpd/conf.d/php.conf /etc/httpd/conf.d/php.conf.disabled
After we finished with Apache configuration, next we create suphp.conf file which contain suPHP configuration
nano /etc/suphp.conf
and copy this to the new file:
[global]
;Path to logfile
logfile=/var/log/suphp.log
;Loglevel
loglevel=info
;User Apache is running as
webserver_user=apache
;Path all scripts have to be in
docroot=/var/www:${HOME}/public_html
;Path to chroot() to before executing script
;chroot=/mychroot
; Security options
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false
;Check wheter script is within DOCUMENT_ROOT
check_vhost_docroot=true
;Send minor error messages to browser
errors_to_browser=false
;PATH environment variable
env_path=/bin:/usr/bin
;Umask to set, specify in octal notation
umask=0077
; Minimum UID
min_uid=0
; Minimum GID
After Apache and suPHP is configured, we need to add suPHP_UserGroup option on each virtual hosting we hosted on the server. For example, the domain.com virtual host would look like:
<VirtualHost 192.168.0.1:80>
DocumentRoot /home/user/public_html
<Directory "/home/user/public_html">
allow from all
Options +Indexes
</Directory>
ServerName domain.com
ErrorLog /var/log/httpd/domain.com
LogLevel warn
suPHP_UserGroup user user
</VirtualHost>
"user" should be replaced with the real username on your server who own the PHP scripts. Make sure all file owned by the "user" username otherwise you’ll get 500 error code (Internal Server Error).
Now let's test the configuration
service httpd configtest
if everything is OK, restart the Apache server
service httpd restart
Bookmark and Share
Related Article
http://markus.revti.com/2010/03/installing-suphp-on-centos-5/
