To suPHP or not to suPHP? That is not really a question…
by J. Miller on Nov.11, 2008, under CPanel, Internet, Linux, Reference, Security, Web Hosting
suPHP… Just Use It!
What is suPHP, you might ask? Rather than explain in detail what you can read elsewhere, check out the project FAQ if you have any questions beyond my short description: http://www.suphp.org/FAQ.html
“suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of the process executing the PHP interpreter.”
So you might be asking yourself what the point is in restructuring your PHP environment to use ‘suPHP’ instead of ‘phpsuexec.’ Probably the best reasons are protection of users’ files and better detail for logging and monitoring services, which in turn protects servers, clients, and end-users from spammers.
Issues of concern when enabling suPHP in a production hosting environment…
You can take various steps to limit problems for users within your environment, but because of the wide variety of .htaccess configurations and file/folder permissions found in shared hosting environments, some issues are likely to arise once you enable suPHP.
If you use CPanel there are some scripted checks that can be used to update/correct permissions after the change, though the .htaccess/php.ini changes are not automated and will be addressed later on in this article.
File and folder permissions previously set to ‘nobody:nobody’ so that the Apache web server could modify/delete files must be changed. These files now need to be owned by the user, for both the file owner and the group.
[root@server public_html]# ls -l
drwxr-x--- 19 username nobody 4096 Sep 30 14:17 public_html/
[root@server public_html]# chown -R username:username public_html/
[root@server public_html]# ls -l
drwxr-x--- 19 username username 4096 Sep 30 14:17 public_html/
Any user who relies on php_flag directives in their .htaccess file must remove those directives (register_globals, for example) from .htaccess and instead create a php.ini within their /home/username/public_html/ folder that carries the equivalent setting.
[root@server public_html]# cat .htaccess | grep php_flag
php_flag expose_php off
php_flag servertokens_prod off
[root@server public_html]# cat php.ini | grep php
expose_php = 0
servertokens_prod = 0
The following command lists every .htaccess file under users’ public_html folders that still carries php_flag or php_value directives, appending the matching lines to /root/phpvalues.txt…
find /home/*/public_html -name ".htaccess" | xargs grep -E "php_(flag|value)" >> /root/phpvalues.txt
After enabling suPHP you will have to fix file and folder permissions, and if you have Fantastico you will want to set the configuration to use phpsuexec.
(Execute @ /home)
find -perm 777 -exec chmod 755 {} \; -print
find -perm 666 -exec chmod 644 {} \; -print
rm -f /tmp/sess_*
(CPanel Scripts)
/scripts/postsuexecinstall
/scripts/chownpublichtmls
/scripts/fixsuexeccgiscripts
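The .htaccess-to-php.ini migration and the php_flag/php_value sweep described above, as an added example that is not part of the original post: it turns each php_flag/php_value line into php.ini syntax, prints the .htaccess with those lines removed, and counts how many .htaccess files under a docroot still need attention. It assumes POSIX sh plus awk and builds a constructed sample docroot in a temp directory so it runs offline.

```shell
#!/bin/sh
# Added example (not from the post): migrate per-directory PHP directives
# that stop working under suPHP into php.ini syntax.

# Print php.ini lines for every php_flag/php_value directive in the given
# .htaccess. php_flag on/off becomes "name = On/Off"; php_value keeps its value.
htaccess_to_ini() {
    awk '
        tolower($1) == "php_flag"  { v = tolower($3); o = (v == "on" || v == "1") ? "On" : "Off"
                                     printf "%s = %s\n", $2, o }
        tolower($1) == "php_value" { val = $3; for (i = 4; i <= NF; i++) val = val " " $i
                                     printf "%s = %s\n", $2, val }
    ' "$1"
}

# Print the .htaccess with the PHP directives stripped; everything else
# (Options, RewriteRule, ...) is still valid under suPHP and is kept.
strip_php_directives() {
    awk 'tolower($1) != "php_flag" && tolower($1) != "php_value"' "$1"
}

# Count .htaccess files under a docroot that still carry php_flag/php_value,
# the same sweep the post runs across /home/*/public_html.
count_affected() {
    find "$1" -name .htaccess -exec grep -liE '^[[:space:]]*php_(flag|value)' {} + 2>/dev/null \
        | wc -l | tr -d ' '
}

# --- constructed sample docroot, so the script runs without a real server ---
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
mkdir -p "$tmp/public_html/blog" "$tmp/public_html/static"
cat > "$tmp/public_html/.htaccess" <<'EOF'
Options -Indexes
php_flag register_globals off
php_flag expose_php Off
php_value upload_max_filesize 8M
RewriteEngine On
EOF
printf 'php_value memory_limit 64M\n' > "$tmp/public_html/blog/.htaccess"
printf 'Options -Indexes\n'           > "$tmp/public_html/static/.htaccess"

echo "# php.ini for public_html:";  htaccess_to_ini "$tmp/public_html/.htaccess"
echo "# cleaned .htaccess:";        strip_php_directives "$tmp/public_html/.htaccess"
echo "# .htaccess files needing migration: $(count_affected "$tmp/public_html")"
```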
December 8th, 2008 on 9:28 pm
I wonder why I always get an error whenever I try to start apache server as soon as I set user and group to the config variable suPHP_UserGroup:
Invalid command ’suPHP_UserGroup’, perhaps misspelled or defined by a module not included in the server configuration
Any ideas? Thanx, chris
December 9th, 2008 on 8:42 pm
Are you using DirectAdmin on this server? If so, suPHP can affect the server and you might need to revert your virtual_host templates. DA implemented a change to the template layouts that has caused some problems with this.
Hope that helps!