suPHP — SkyHi @ Wednesday, February 03, 2010
What is suPHP:- Normally in a webserver setup, virtual hosting setup, users have their virtual hosts directories, in which they upload their web content. Definitely the virtual hosts directories are owned by each virtual host owner individually. However, the problem comes when they create a file through PHP scripts. The file gets created as owner and group apache (apache:apache) . Once such a file is created, the site owner is not able to change ownership, permissions of this file. Nor he can delete it or rename it. And now this file becomes a pain and a nightmare to handle. Such problems are commonly being experienced by webmasters setting up Joomla CMS on their sites. The configuration.php file gets created as (apache:apache) and then the problem of it's maintenance starts. The solution is to run PHP scripts / programs as the user who owns the php file, which is the webmaster / FTP user account. Apache comes with SuExec, but it works only with CGI programs. The solution to our problem is suPHP.
It was a real pain setting suPHP, because the documentation which comes with it, or on the website, is not clear.
I have used the following links to get help for suPHP.
Note that my example.com directory and the index.php file within it are owned by webmaster:apache :-
[root@kworkhorse etc]# ls -l /var/www/vhosts/ total 4 drwxr-xr-x 2 webmaster apache 4096 2008-06-04 00:18 example.com
[root@kworkhorse etc]# ls -l /var/www/vhosts/example.com/ total 4 -rw-r--r-- 1 webmaster apache 37 2008-06-04 00:18 index.php
Service httpd restart
Open a browser and try opening the www.example.com site (whatever is your virtualhost).
You should get the following , as a result of successful execution of suphp for your virtualhost.
[root@kworkhorse ~]# tail -f /var/log/httpd/suphp_log [Wed Jun 04 10:43:18 2008] [info] Executing "/var/www/vhosts/example.com/index.php" as UID 501, GID 48
File Creation Test: (Last Test, for which we undergo all this pain) :- -------------------------------------------------------------------- Create a file through php script. It SHOULD get created as user webmaster and group apache (if your setup is successful).
Here is the code you can put in a file, say createfile.php in your documentroot. Note it is a MUST to setup the ownership and permission of your php file as the same owner / group of your document root.
<?php $file="testfile.html"; $fp=fopen($file,"w"); # echo "This script is being run as user (ID) : ". fileowner('createfile.php') . "<br>"; echo "The owner of the script being run : get_current_user : " . get_current_user() . "<br>"; echo "The UID of the user: int getmyuid ( void ) : " . getmyuid() . "<br>";
if (fwrite($fp,"<h1>Hello</h1>")) echo "File created."; else echo "File not created !!!"; fclose($fp); ?>
Run this file through browser and you should see a file created as testfile.html in your documentroot . Just for the sake of completeness of this document, the contents of that file would be a word "Hello".
As you can see from the file list below, the file is successfully created in my documentroot, with correct ownership and permissions.
[root@kworkhorse ~]# cd /data/downloads/suphp-0.6.3
[root@kworkhorse suphp-0.6.3]# vi src/apache2/mod_suphp.c
Find the following two lines and change ACCESS_CONF to RSRC_CONF | ACCESS_CONF in them:
Original: --------- AP_INIT_ITERATE("suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, ACCESS_CONF, "Tells mod_suphp to handle these MIME-types"), AP_INIT_ITERATE("suPHP_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, ACCESS_CONF, "Tells mod_suphp not to handle these MIME-types"),
Edited: ------- AP_INIT_ITERATE("suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, RSRC_CONF | ACCESS_CONF, "Tells mod_suphp to handle these MIME-types"), AP_INIT_ITERATE("suPHP_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, RSRC_CONF | ACCESS_CONF, "Tells mod_suphp not to handle these MIME-types"),
If you don't do the above patch, you will constantly get stupid messages, such as:-
[root@kworkhorse suphp-0.6.3]# service httpd restart Stopping httpd: [FAILED] Starting httpd: Syntax error on line 996 of /etc/httpd/conf/httpd.conf: suPHP_AddHandler not allowed here [FAILED]
OR, If you have defined it in your /etc/httpd/conf.d/suphp.conf :-
[root@kworkhorse conf.d]# service httpd restart Stopping httpd: [ OK ] Starting httpd: Syntax error on line 43 of /etc/httpd/conf.d/suphp.conf: suPHP_AddHandler not allowed here [FAILED]
;Check wheter script is within DOCUMENT_ROOT check_vhost_docroot=true
;Send minor error messages to browser errors_to_browser=true
; Handler for php-scripts (MUST: change the following to php-cgi instead of php) ; x-httpd-php=php:/usr/bin/php x-httpd-php=php:/usr/bin/php-cgi
;Handler for CGI-scripts x-suphp-cgi=execute:!self
Setup the suphp to be enabled site-wide. If you want to enable / disable it for a specific virtual host, you can use the suPHP_Engine on/off settings in that particular virtualhost configuration.
[root@kworkhorse etc]# vi /etc/httpd/conf.d/suphp.conf
LoadModule suphp_module modules/mod_suphp.so suPHP_Engine on AddHandler x-httpd-php .php AddHandler x-httpd-php .php .php4 .php3 .phtml suPHP_AddHandler x-httpd-php # Don't enable the following line. It is supposed to work in virtual hosts. # And each virual host may (WILL) have different user. Group may be same. eg. "suPHP_UserGroup webmaster apache" # suPHP_UserGroup apache apache
I have the following VirtualHost definition in my apache config file:-