Friday, June 17, 2011

How to protect/secure php.ini with SuPHP?

SkyHi @ Friday, June 17, 2011
When Apache is compiled to run PHP as CGI/SuPHP, users can create their own php.ini file under their home directory and change the PHP values as they wish. This is a security concern on the server, so to protect/secure php.ini on SuPHP-enabled servers, force every user to use a common php.ini file.

This can be achieved by defining the path of php.ini using suPHP_ConfigPath. To force users to use the existing server-side php.ini file, create suphp_configpath.conf:

# pico /usr/local/apache/conf/userdata/suphp_configpath.conf

and add the following lines:

#just specify the path to the php.ini file directory
suPHP_ConfigPath /usr/local/lib/

Once done, save the file and rebuild the Apache configuration so it picks up the changes.

# /usr/local/cpanel/bin/apache_conf_distiller --update --main
# /usr/local/cpanel/bin/build_apache_conf

To verify the include files, execute:

/scripts/verify_vhost_includes

It will display the path to the .conf file you created. Then restart the Apache service:

/scripts/restartsrv httpd

This ensures that all users use the server-side PHP configuration file. If you wish to keep the php.ini elsewhere, just change the value of “suPHP_ConfigPath” and repeat the steps above.
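
To check the result of the steps above, here is an added audit script (not part of the original post or of cPanel/suPHP). The function names are hypothetical, the conf file and home root are passed as arguments, and the .htaccess check assumes AllowOverride lets accounts set suPHP_ConfigPath themselves.

```sh
#!/bin/sh
# Added audit helpers (hypothetical names); paths are passed in, nothing is changed.

# Print the directory named by the last active suPHP_ConfigPath line in a conf file.
configpath_from_conf() {
    awk 'tolower($1) == "suphp_configpath" { p = $2; gsub(/"/, "", p) }
         END { if (p != "") print p }' "$1"
}

# Succeed only if DIR holds a php.ini that group and other cannot write.
shared_ini_ok() {
    ini="${1%/}/php.ini"
    [ -f "$ini" ] || return 1
    [ -z "$(find "$ini" \( -perm -020 -o -perm -002 \))" ]
}

# Per-account php.ini files left under HOME_ROOT.
user_php_ini_files() {
    find "$1" -type f -name php.ini 2>/dev/null | sort
}

# .htaccess files that set suPHP_ConfigPath themselves. Assumption: AllowOverride
# lets accounts use the directive, so these can point PHP at another php.ini.
htaccess_overrides() {
    find "$1" -type f -name .htaccess \
        -exec grep -liE '^[[:space:]]*suPHP_ConfigPath[[:space:]]' {} + 2>/dev/null | sort
}

# audit CONF HOME_ROOT: 0 = clean, 1 = findings to review, 2 = directive missing.
audit() {
    conf=$1; home_root=$2; rc=0
    dir=$(configpath_from_conf "$conf")
    [ -n "$dir" ] || { echo "FAIL: no suPHP_ConfigPath in $conf"; return 2; }
    shared_ini_ok "$dir" || { echo "FAIL: ${dir%/}/php.ini missing or group/world-writable"; rc=1; }
    inis=$(user_php_ini_files "$home_root")
    hts=$(htaccess_overrides "$home_root")
    [ -z "$inis" ] || { printf 'REVIEW user php.ini:\n%s\n' "$inis"; rc=1; }
    [ -z "$hts" ] || { printf 'REVIEW .htaccess override:\n%s\n' "$hts"; rc=1; }
    return "$rc"
}

# Run as: sh audit.sh /usr/local/apache/conf/userdata/suphp_configpath.conf /home
if [ $# -eq 2 ]; then audit "$1" "$2"; fi
```
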

REFERENCES
http://linuxhostingsupport.net/blog/tag/what-is-suphp_configpath