Many of you may be aware that SharkSpace is now implementing suPHP on shared hosting servers, which was announced here recently. Through this blog, we will try to explain to you what suPHP is about and how it is beneficial for everyone.
Securing a shared hosting server is a challenging task as it has to be secured from outside and from inside a website. Vulnerable scripts or incorrect permissions can cause compromises from inside a server. PHP has built-in features to help, but ultimately it’s the wrong place to address the problem. Apache has built-in features too, but the performance cost of these features is prohibitive. This is where suPHP, created by Sebastian Marsching comes to the rescue.
Like Apache’s own suexec, suphp is a solution that allows PHP to run as the user and group that owns any particular website on a shared hosting server. Technically, suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the UID of the process executing the PHP interpreter.
suphp consists of two components:
* mod_suphp, an Apache module that replaces mod_php
* suphp, a setuid binary that replaces Apache’s suexec
Every time a PHP script is run, suphp has to fork Apache and then execute another copy of the PHP/CGI binary. This approach provides the absolute security benefits that we seek. It means that if a script contains a vulnerability, and got exploited, then only that particular user will be affected.
suPHP has the following advantages:
* PHP runs as your user/group
* PHP files can have permissions of 640 (hiding things like passwords from other accounts)
* Files/folders written by PHP are written as user/group (no Apache or other global user)
* Custom php.ini file per site (can add/remove security options)
Please note that suPHP does not allow permissions 666 and 777.
Some users make use of .htaccess files to set php configuration lines using php_flag var setting. Having a .htaccess file use the php_flag directive will result in a 500 error be produced. PHP flags no longer work in the .htaccess file. If you need to enable things such as register globals you can follow the below guide:
In .htaccess under public_html, add the following:
suPHP_ConfigPath /home/user/public_html
order allow,deny
deny from all
Note: You must change user to your account username.
Create a php.ini file under public_html add any of the below settings that you need:
register_globals = On
upload_max_filesize = 30M
post_max_size = 30M
memory_limit = 30M
upload_tmp_dir = 30M
max_execution_time = 180
Using a php.ini file may cause issues if your scripts use Zend Optomizer or IonCube encoding. You then just need to add the following to your php.ini file to resolve the issue:
Note: this may not be needed. Please test before using.
[Zend]
zend_extension=/usr/local/ioncube/ioncube_loader_lin_4.4.so
zend_optimizer.optimization_level=15
zend_extension_manager.optimizer=/usr/local/Zend/lib/Optimizer-3.2.6
zend_extension_manager.optimizer_ts=/usr/local/Zend/lib/Optimizer_TS-3.2.6
zend_extension=/usr/local/Zend/lib/ZendExtensionManager.so
zend_extension_ts=/usr/local/Zend/lib/ZendExtensionManager_TS.so
For the PHP settings you do not have in your php.ini file, PHP will use our default configurations. It will not use the server php.ini but rather a default one. You may need to set other settings. You may create a phpinfo.php file in public_html with the beginning and ending php tags and the following in between to see any changes by browsing it:
phpinfo();
My Blog List
-
The repository ‘http://deb.debian.org/debian buster-backports Release’ no longer has a Release file. - [image: See all Debian/Ubuntu Linux related FAQ] When you run the sudo apt update, you may see the following message or error on a Debian Linux: Err:5 http...4 days ago
-
A Closer Look at Remote Peering: Technologies and Techniques - In the realm of digital communication, the significance of efficient internet traffic exchange has escalated with the surge in global cloud content. With...2 weeks ago
-
PaloAlto init-cfg.txt Bootstrap Config file Layout with Examples - When you install and configure the PaloAlto firewall, when the firewall boots up for the first time, it does the bootstrapping process. PaloAlto uses the s...1 year ago
-
Clusterssh – Administer multiple ssh or rsh shells simultaneously - Sponsored Link The command opens an administration console and an xterm to all specified hosts. Any text typed into the administration console is replicate...3 years ago
-
Web Application Vulnerability Scanning Tools - Web Application Vulnerability Scanning Tools Nessus http://www.tenable.com/products/nessus PortSwigger https://portswigger.net/ qualys https://www.qualys....5 years ago
-
What You Don’t Know About Linux Open Source Could Be Costing to More Than You Think - Guest post by Marc Fisher If you would like to test out Linux before completely switching it as your everyday driver, there are a number of means by which ...5 years ago
-
Resolving Sysprep problems with App-X packages (Part 1) - This is the first of two articles explaining how to fix systems that won't Sysprep if Windows Native/App-X applications have been removed and Windows patches.6 years ago
-
V2V Communications security considerations - The future of vehicles, road infrastructure and driving are changing. We are progressing with vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) ...6 years ago
-
10 UNIX / Linuz Size Command Examples for ObjectFiles - Linux size is part of GNU binutils. This utility is very helpful for programmers to analyze the data from the executable files (or object files). By defaul...9 years ago
-
Updating VMware Tools on Red Hat Enterprise/Scientific/CentOS Linux 6 for VMware ESXi 5 - In a previous post I discussed installing the open source VMware tools for Red Hat Enterprise/Scientific/CentOS Linux 6 from a yum package repository provi...12 years ago
