Saturday, May 29, 2010

Installing suPHP on CentOS 5

SkyHi @ Saturday, May 29, 2010
suPHP is a tool that allows PHP scripts to be executed with the permissions of their owners. Because PHP scripts no longer run with the web server's user rights, suPHP increases server security.

First install httpd-devel and compiler tools:

yum install httpd-devel gcc gcc-c++ make

Download the suPHP source code and extract it:

wget http://www.suphp.org/download/suphp-0.7.1.tar.gz
tar -xvzf suphp-0.7.1.tar.gz
cd suphp-0.7.1

Now we compile suPHP:

./configure --with-apxs=/usr/sbin/apxs --with-apache-user=apache --with-logfile=/var/log/httpd/suphp_log --with-setid-mode=paranoid --sysconfdir=/etc --with-apr=/usr/bin/apr-1-config --with-php=/usr/bin/php-cgi --enable-SUPHP_USE_USERGROUP=yes

make
make install

Next, create /etc/httpd/conf.d/suphp.conf so that Apache calls suPHP to interpret PHP scripts:

nano /etc/httpd/conf.d/suphp.conf

Add this configuration:

LoadModule suphp_module modules/mod_suphp.so
suPHP_Engine on
AddType application/x-httpd-php .php
<Directory />
suPHP_AddHandler application/x-httpd-php
</Directory>

Save the file. The next step is to disable the mod_php configuration, since we are now using suPHP:

mv /etc/httpd/conf.d/php.conf /etc/httpd/conf.d/php.conf.disabled

With the Apache configuration finished, next we create the /etc/suphp.conf file, which contains the suPHP configuration:

nano /etc/suphp.conf

and copy this to the new file:

[global]
;Path to logfile
logfile=/var/log/suphp.log

;Loglevel
loglevel=info

;User Apache is running as
webserver_user=apache

;Path all scripts have to be in
docroot=/var/www:${HOME}/public_html

;Path to chroot() to before executing script
;chroot=/mychroot

; Security options
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false

;Check whether script is within DOCUMENT_ROOT
check_vhost_docroot=true

;Send minor error messages to browser
errors_to_browser=false

;PATH environment variable
env_path=/bin:/usr/bin

;Umask to set, specify in octal notation
umask=0077

; Minimum UID allowed to execute scripts (0 does not exclude root)
min_uid=0

; Minimum GID

After Apache and suPHP are configured, we need to add the suPHP_UserGroup option to each virtual host on the server. For example, the domain.com virtual host would look like:

<VirtualHost 192.168.0.1:80>
DocumentRoot /home/user/public_html
<Directory "/home/user/public_html">
allow from all
Options +Indexes
</Directory>
ServerName domain.com
ErrorLog /var/log/httpd/domain.com
LogLevel warn
suPHP_UserGroup user user
</VirtualHost>

"user" should be replaced with the real username on your server that owns the PHP scripts. Make sure all files are owned by the "user" username, otherwise you'll get a 500 error code (Internal Server Error).
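
The following is an added example, not part of the original post: a shell function that lists the directories and .php files under a virtual host's document root that would fail the ownership check or the allow_*_writeable=false settings from /etc/suphp.conf. The names suphp_preflight and _report are hypothetical, and the function assumes only .php files are handled by suPHP, as in the AddType line above.

```bash
#!/bin/sh
# Added example, not from the original post.
# Usage: suphp_preflight USER GROUP DOCROOT   (names or numeric IDs)
# Prints "reason<TAB>path" for each directory or .php file that fails a
# check, and returns 1 if anything was printed.

# Hypothetical helper: report paths under DOCROOT matching a find test.
_report() {
    reason="$1"; root="$2"
    shift 2
    find "$root" \( -type d -o -type f -name '*.php' \) "$@" -print |
        while IFS= read -r path; do
            printf '%s\t%s\n' "$reason" "$path"
        done
}

suphp_preflight() {
    findings=$(
        # Owner and group must match the suPHP_UserGroup line of the vhost.
        _report wrong-owner "$3" ! -user "$1"
        _report wrong-group "$3" ! -group "$2"
        # allow_file_group_writeable / allow_directory_group_writeable = false
        _report group-writable "$3" -perm -020
        # allow_file_others_writeable / allow_directory_others_writeable = false
        _report others-writable "$3" -perm -002
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Example call for the virtual host shown above:
#   suphp_preflight user user /home/user/public_html
```

Run it as root or as the site owner before restarting Apache; an empty result means none of these checks would reject a script in that tree.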

Now let's test the configuration:

service httpd configtest

If everything is OK, restart the Apache server:

service httpd restart

Related Article
http://markus.revti.com/2010/03/installing-suphp-on-centos-5/