Monday, November 23, 2009

Secure Web Server with SuPHP 0.7.1 on CentOS 5.2 x64

SkyHi @ Monday, November 23, 2009
Written By Adam Adamou

The suPHP Apache module, together with suPHP itself, provides an easy way to run PHP scripts as different users on the same server. It provides security because the PHP scripts are not run with the rights of the web server's user. In addition, you probably won't need PHP's "safe mode", which puts many restrictions on scripts.

For example, if you have a Joomla installation it is not necessary to enable the insecure FTP layer or give 777 permissions on directories to install components/modules. This suPHP RPM package is built with paranoid mode, so you can enable suPHP per VirtualHost and assign per-user permissions.

Note: suPHP should only be used if you are using no CGI scripts or if all CGI scripts are run using suExec.

Download the mod_suphp RPM (x86_64):

wget ftp://ftp.pbone.net/mirror/ftp.freshrpms.net/pub/freshrpms/pub/dag/redhat/el5/en/x86_64/dag/RPMS/mod_suphp-0.7.0-1.el5.rf.x86_64.rpm

For i386 the location is: ftp://ftp.pbone.net/mirror/ftp.freshrpms.net/pub/freshrpms/pub/dag/redhat/el5/en/i386/dag/RPMS/mod_suphp-0.7.0-1.el5.rf.i386.rpm

Install it:

rpm -Uvh mod_suphp-0.7.0-1.el5.rf.x86_64.rpm

Make the following changes in the two suPHP configuration files:

In /etc/suphp.conf

Change loglevel=info
to loglevel=warn #Otherwise it will flood the suphp log file
Change umask=0077
to umask=0022
Change x-httpd-php=php:/usr/bin/php
to x-httpd-php=php:/usr/bin/php-cgi

Change allow_file_group_writeable=false to allow_file_group_writeable=true

Optional:
Change allow_directory_group_writeable=false to allow_directory_group_writeable=true
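The /etc/suphp.conf edits above, as an added shell example (not from the original post) so they can be repeated or tried on a copy first. The function names are hypothetical; it assumes GNU sed for -i, as on CentOS, and that comment lines in suphp.conf start with ';' and the stock file quotes the handler value (x-httpd-php="php:/usr/bin/php"). The sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: apply the /etc/suphp.conf changes
# with sed so they are repeatable. Assumes GNU sed (for -i). The file path is
# always passed explicitly so the functions can be run against a copy.

# Print the value of KEY in FILE: first uncommented "key=value" line, with
# surrounding double quotes removed. suphp.conf comments start with ';'.
suphp_conf_get() {
    file=$1; key=$2
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" \
        | head -n 1 \
        | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Set KEY to VALUE in FILE in place, keeping the line's quoting style
# (the stock file writes handler values as x-httpd-php="php:/usr/bin/php").
suphp_conf_set() {
    file=$1; key=$2; value=$3
    sed -i \
        -e "s|^\([[:space:]]*${key}[[:space:]]*=[[:space:]]*\)\"[^\"]*\"|\1\"${value}\"|" \
        -e 't' \
        -e "s|^\([[:space:]]*${key}[[:space:]]*=\).*|\1${value}|" \
        "$file"
}

# Apply the four changes from the post (loglevel, umask, PHP handler,
# allow_file_group_writeable). The optional directory setting is left alone.
configure_suphp_conf() {
    file=$1
    cp -p "$file" "$file.bak"                              # backup before editing
    suphp_conf_set "$file" loglevel warn                   # info floods /var/log/suphp.log
    suphp_conf_set "$file" umask 0022
    suphp_conf_set "$file" x-httpd-php 'php:/usr/bin/php-cgi'
    suphp_conf_set "$file" allow_file_group_writeable true
}

# Demonstration on a constructed sample (a subset of the stock suphp.conf),
# so this runs anywhere. On the real server: configure_suphp_conf /etc/suphp.conf
demo=$(mktemp)
cat > "$demo" <<'EOF'
[global]
;Loglevel
loglevel=info
allow_file_group_writeable=false
allow_directory_group_writeable=false
;Umask to set, specify in octal notation
umask=0077
[handlers]
;Handler for php-scripts
x-httpd-php="php:/usr/bin/php"
EOF
configure_suphp_conf "$demo"
echo "loglevel=$(suphp_conf_get "$demo" loglevel)"
echo "x-httpd-php=$(suphp_conf_get "$demo" x-httpd-php)"
rm -f "$demo" "$demo.bak"
```

Running it twice on the same file is harmless, since each change replaces the existing assignment rather than appending one; the ';' comment lines and the untouched allow_directory_group_writeable setting are left exactly as they were.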
In /etc/httpd/conf.d/suphp.conf

Comment out the following two lines:

AddHandler x-httpd-php .php

AddHandler x-httpd-php .php .php4 .php3 .phtml


so they will look like:

#AddHandler x-httpd-php .php

#AddHandler x-httpd-php .php .php4 .php3 .phtml


Uncomment:
suPHP_AddHandler x-httpd-php
# (Remove the hash mark from the beginning of the line)




In your httpd.conf, add these two lines to the VirtualHost in which you want to enable suPHP:
suPHP_Engine on

suPHP_UserGroup username group #This has to be a local user on the system who will be managing the docroot.

If you have a Joomla installation you have to chown (change ownership of) the docroot to user:user and set the correct permissions:

chown -R user:user /path/to/joomladir
cd /path/to/joomladir
find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;
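An added shell example (not from the original post) covering the VirtualHost user requirement and the ownership/permission steps above: it checks that the suPHP_UserGroup user is a real local user, audits a docroot for anything outside the prescribed owner and 644/755 modes (including the 777 permissions the post says are no longer needed), and wraps the post's chown/chmod commands as a function. Function names are hypothetical; the min_uid default of 100 is the value in the stock suphp.conf, and the demo directory is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the
# VirtualHost user and the docroot before enabling suPHP, plus the post's
# chown/chmod steps as a function. User, group, docroot and min_uid are parameters.

# suPHP only runs scripts as a real local user and refuses UIDs below
# min_uid from /etc/suphp.conf (100 in the stock file). Returns 0 if OK.
check_suphp_user() {
    user=$1; min_uid=${2:-100}
    uid=$(id -u "$user" 2>/dev/null) || { echo "no such user: $user" >&2; return 1; }
    if [ "$uid" -lt "$min_uid" ]; then
        echo "uid $uid of $user is below min_uid=$min_uid" >&2
        return 1
    fi
    return 0
}

# Report entries under DIR that paranoid-mode suPHP would reject or that undo
# the point of using it: wrong owner/group, world-writable, or files/dirs not
# at the 644/755 the post prescribes. Prints the number of findings; 0 = clean.
audit_docroot() {
    user=$1; group=$2; dir=$3
    findings=$(
        find "$dir" \( ! -user "$user" -o ! -group "$group" \) -exec echo "owner:" {} \;
        find "$dir" -perm -002 -exec echo "world-writable:" {} \;
        find "$dir" -type f ! -perm 644 -exec echo "file-mode:" {} \;
        find "$dir" -type d ! -perm 755 -exec echo "dir-mode:" {} \;
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" >&2
        printf '%s\n' "$findings" | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# The post's chown/chmod steps: owner user:group, files 644, directories 755.
fix_docroot() {
    user=$1; group=$2; dir=$3
    chown -R "$user:$group" "$dir"
    find "$dir" -type f -exec chmod 644 {} \;
    find "$dir" -type d -exec chmod 755 {} \;
}

# Demonstration on a constructed docroot owned by the current user, so it runs
# without root. On the real server use the suPHP_UserGroup user and the Joomla dir.
demo=$(mktemp -d)
me=$(id -un); mygroup=$(id -gn)
mkdir "$demo/tmp"
printf '<?php echo "hi";\n' > "$demo/index.php"
chmod 777 "$demo/tmp"                       # the 777 the post says is no longer needed
echo "findings before: $(audit_docroot "$me" "$mygroup" "$demo" 2>/dev/null)"
fix_docroot "$me" "$mygroup" "$demo"
echo "findings after: $(audit_docroot "$me" "$mygroup" "$demo" 2>/dev/null)"
rm -rf "$demo"
```

Run audit_docroot after any Joomla extension install as well: a component that recreates cache or upload directories as 777 reintroduces exactly the exposure suPHP was meant to remove, and a file whose owner no longer matches suPHP_UserGroup is the usual reason a script suddenly returns a 500 error under suPHP.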

Be sure to restart Apache.