Monday, November 23, 2009

What is suPHP

SkyHi @ Monday, November 23, 2009
* Is it necessary to install suPHP on your server?

It is not necessary to install SuPHP on the server, but it is considered to be a good thing to do.

* What exactly does suPHP do, and if I install it on my server, will it conflict with my users' scripts?

It runs all PHP scripts as the user in whose account they reside – rather than running all scripts as user nobody. It also prevents scripts that have insecure permissions from running.

Most PHP scripts will run well within a SuPHP environment. However, some older, poorly maintained scripts that rely on insecure permissions may experience issues in a SuPHP environment.

* How do I install suPHP via WHM (if WHM is installed on the server)?

It’s easy. Simply go to the WHM interface and in the Software section click Apache Update. Proceed through the build process until step 5, then select the checkbox for Mod SuPHP. Proceed to compile Apache via the WHM interface. When done, you will be prompted regarding how you wish to have PHP run – select SuPHP.

If you do not see this prompt, you can set this in WHM -> Service Configuration -> Configure PHP and SuExec. Note, in 11.24, this has been moved to WHM -> Service Configuration -> Apache Configuration -> PHP and SuExec Configuration.

* Differences between suPHP and “regular php”:

Regular PHP installation on a web server runs as the user nobody and it doesn’t require the execute flag to be enabled. The problem with regular PHP installation is that if mod_openbasedir is not installed, every user on the server will be able to read your php files because practically everyone shares the same username (nobody).

PHP files are meant to be parsed, not read. Otherwise, everyone who is able to read your PHP file will be able to view settings that you would want to keep private, such as your MySQL username and password.

suPHP fixes this issue because it requires PHP scripts to be executed with the permissions of their owners. suPHP also fixes common file ownership issues that mostly occur with a few Content Management Systems such as Joomla, and with the popular blog software WordPress.

* Can I use the php_value directives in .htaccess files with suPHP?

suPHP does not support the php_value/php_admin_value directives that mod_php uses to pass configuration options to scripts for certain virtual hosts or directories. All the php_flag lines in your .htaccess will have to be moved to a php.ini file, which you will have to create in your public_html directory.

* Example:

.htaccess: php_flag register_globals on

php.ini: register_globals=on

You will have to move every command in .htaccess that starts with php_flag.

* Troubleshooting Internal Server Errors (Error 500):

Whenever an internal server error occurs, the error is added to the Error Log in cPanel, which will help you pinpoint the cause. In most cases it will be either a permission error or a bad command in your .htaccess file (remember that all PHP values have to go in your php.ini file).

Directories that need to be writable no longer require 777 permissions, and suPHP will refuse to read or write in directories exposed with such permissions. Make sure you chmod them to 755.

Basically, suPHP will refuse to serve any pages that are a security risk, for example those with 777 permissions, and will generate an Internal Server Error instead.

* All servers have SuPHP installed for added security
* The main features of SuPHP that you should be aware of are:

1. SuPHP does not allow files/folders to run where they have group and world write permissions; only the account owner can write to files/folders. This forces all users to ensure that their files/folders have correct permissions and prevents hackers uploading malicious content into vulnerable folders.
2. SuPHP allows all PHP scripts to be run under the user account ownership, instead of running under the “nobody” user. This is particularly helpful in tracking down scripts which send out spam as the “nobody” user.

Most user accounts will not notice any difference. However, a number of user accounts will have some problems or errors, which can be easily resolved using these commands in a terminal (if you don't have root access, ask your system administrator):

for files:
find . -name '*.php' -type f -exec chmod 644 {} \;
find . -type f -exec chmod 644 {} \;
for folders:
find . -type d -exec chmod 755 {} \;
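
A narrower alternative to the blanket chmod commands above, as an added example that is not part of the original post: it reports only the directories and PHP files that break the rules described here (group or world write bits, wrong owner) and clears just those write bits. It assumes GNU find; the function names and the OWNER argument are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU find
# (-perm /022 means "any of the group/world write bits is set").
# OWNER may be a user name or a numeric uid (hypothetical parameter).

# Print "WRITABLE <path>" for directories and PHP files that are group-
# or world-writable, and "OWNER <path>" for PHP files not owned by OWNER.
suphp_audit() {
    dir=$1 owner=$2
    find "$dir" \( -type d -o -type f -name '*.php' \) -perm /022 \
        -exec printf 'WRITABLE %s\n' {} +
    find "$dir" -type f -name '*.php' ! -user "$owner" \
        -exec printf 'OWNER %s\n' {} +
}

# Clear only the group/world write bits on the flagged paths. Execute
# bits and stricter modes such as 600 are left as they are, which a
# blanket "chmod 644" on every file would not do.
suphp_fix() {
    find "$1" \( -type d -o -type f -name '*.php' \) -perm /022 \
        -exec chmod go-w {} +
}
```

Run suphp_audit from the account's public_html first and review the list; ownership problems are only reported, since changing an owner needs root.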

What is suPHP?
Solution: suPHP is a tool for executing PHP scripts with the permissions of their owners. There are some significant improvements in suPHP, such as:

    * HTTP-based authentication works via PHP
    * symbolic links to PHP files also work
    * permissions of public_html do not need to be changed for using shared SSL with php5
    * custom error pages will work with both php4 and php5

suPHP brings a new level of security to the way PHP is used.

1) PHP scripts execute with the permissions of the account holder's user ID instead of user "nobody".

2) World-writable folders (chmod 777) are not required for file uploads through PHP.

3) A PHP file needs to be owned by the account's user to execute in that user account (by default it is).

4) A PHP file (script) does not need 755 permissions. 644 is fine. In fact, 400 or 600 is OK too (especially good for sensitive information).

5) php_flag or php_value can NOT be used in .htaccess files (it will result in an Internal Server Error).

6) The PHP flags that do not work in .htaccess can be moved to a php.ini file in the same folder where the PHP script exists. However, the flag/value must be written in the format of php.ini and not that of .htaccess. For example, this line from .htaccess:

php_flag register_globals off --> will go into php.ini as: --> register_globals = off

If a php.ini exists in the folder where the PHP scripts exist, all values will be taken from it and nothing will be taken from the main php.ini.

7) If the folder that contains a PHP file/script is world-writable (chmod 777), it will result in an Internal Server Error. This is similar to cgi/perl scripts under suexec, which do not like such permissions for security reasons. The normal folder permissions should be 755.
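
The .htaccess to php.ini move described in item 6 and in the php_value question earlier, as an added example that is not part of the original post: one function prints the php_flag/php_value lines in php.ini syntax, the other prints the .htaccess without them. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post.

# Print the php_flag / php_value lines of an .htaccess file in php.ini
# syntax ("name = value"). Commented-out directives are ignored.
htaccess_to_ini() {
    awk '/^[ \t]*php_(flag|value)[ \t]/ {
        sub(/^[ \t]*php_(flag|value)[ \t]+/, "")   # drop the directive
        name = $1
        sub(/^[^ \t]+[ \t]*/, "")                  # drop the name
        sub(/[ \t\r]+$/, "")                       # trim trailing space
        print name " = " $0
    }' "$1"
}

# Print the .htaccess file without those directives, i.e. the version
# that no longer triggers an Internal Server Error under suPHP.
htaccess_strip() {
    awk '!/^[ \t]*php_(flag|value)[ \t]/' "$1"
}
```

Write the first function's output to the php.ini in the script's folder and replace .htaccess with the second function's output; as noted above, that php.ini is used instead of the main php.ini, not in addition to it.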