Command Center

What is suPHP is:
On most Apache servers, PHP runs as an Apache module. This is the default method of installation. Many hosts have this setup because it is default and potentially they do not realize that it is also possible to configure PHP as a CGI. Running PHP as a CGI can be more secure whilst also avoiding file and directory ownership issues.
suPHP provides the facility to have all scripts running the relevant user account instead of under the Web Servers account. This facility allows the server Administrators to isolate and manage malicious or runaway script usage very quickly, avoiding unwanted or un-authorized scripts from running for a lengthy period of time.

What does suPHP Do?
777 Permissions
With non- suPHP configurations, PHP runs as an Apache Module it executes as the user/group of the webserver which is usually "nobody", "httpd" or "apache". Under this mode, files or directories that you require your php scripts to be able to write to need 777 permissions (read/write/execute at user/group/world level). This is not very secure because it allows the webserver to write to the file, it also allows anyone else to read or write to the file.
Under suPHP configurations, PHP running as a CGI with "suexec" enabled (su = switch user, allowing one user to "switch" to another if authorized) - Your php scripts now execute under your own user/group level. Files or directories that you require your php scripts to be able to write to no longer need to have 777 permissions. In fact, 777 permissions are no longer allowed, having 777 permissions on your scripts or the directories they reside in will not run and will instead cause a "500 internal server error" when attempting to execute them, this is done to protect you from someone abusing your scripts. Your scripts and directories can now, only have a maximum of 755 permissions (read/write/execute by you, read/execute by everyone else).

My script requires 777
So what about php scripts that say they require 777 permissions on some of their directory or files to work, such as a Joomla!, Forums, photo galleries and alike? Due to the transparent nature of suPHP this is solved very simply, any directories stated as requiring to be "writable" or "777" can safely be set to 755 (the maximum) instead. This is because, now that the web server runs under your own user account, only your own user account needs full write and execute permissions.

Goodbye ".htaccess" and Welcome ".ini"
Under the old Apache Module mode it was possible to manipulate the PHP settings from within a ".htaccess" file placed in the script's top-level directory, this was also recursively applied to all other directories below it.
For example you could turn on the php setting "magic_quotes_gpc" with this line in .htaccess:
php_value magic_quotes_gpc on
Now, when PHP is running as a CGI and suPHP protected, manipulating the PHP settings is still possible however you can no longer make use of a ".htaccess" file. Using .htaccess with the required PHP prefix of "php_value" will cause a "500 internal server error" when attempting to access the scripts. This is due to php no longer running as an Apache module, thus Apache is unable to handle those directives any longer.

What is a php.ini file?
The php.ini file is a configuration file that the server looks at to see what PHP options have been made available to the server or what their setting are, if different from the server's default php.ini. While the name may seem advanced to those unfamiliar with it, it is in essence a simple text file with the name php.ini

How to create a php.ini file
To create a php.ini file, just open up a text editor, add in the lines you need and save the file. You can name the file whatever you wish when saving, to ensure the correct FTP transfer mode is used, you might wish to name it "php.ini.txt". Once you have configured all your settings, upload the file to the directory where your script is located and then rename it back to php.ini
For example you can turn on the php setting "magic_quotes_gpc" with this line in php.ini:
magic_quotes_gpc = on
In many cases, you might need to have multiple copies of the same php.ini file in different directories, unlike .htaccess files, php.ini files are not applied recursively to lower directories. If you need the same functionality across all lower directries also, you will then need to copy the php.ini file each directory in turn that will have .php scripts running from within them.

MIMETypes:
If you added a Mimetype to the system in order to run html files as php scripts (AddType as .htaccess command), you will have to remove it and add an ApacheHandler instead. This is easy to do though. Just log into your control panel, then click on Apache Handlers and add the following:

Extension: html (or htm)
Handler: application/x-httpd-php

Protecting your php.ini file:
To protect your php.ini you should set its permissions to 600. Additionally you can add the following line to your .htaccess file:


Order deny,allow
Deny from All


Troubleshooting, something went wrong
My php script doesn't work or I have an error message.
1. Check that the php script that you are attempting to execute has permissions of no more than 755 - 644 will work just fine normally, this is not something that will need to be changed in most cases.
2. Check that the directory permissions that the script resides within is set to a maximum of 755. This also includes directories that the script would need to have access to also.
3. Check that you do not have a .htaccess file with php_values within it. They will cause a 500 Internal server error, when attempting to execute the script.
The php_values will need to be removed from your .htaccess file and a php.ini put in its place, containing the php directives as explained above.

Written By Adam Adamou

The suPHP Apache module together with suPHP itself provides an easy way to run PHP scripts with different users on the same server. It provides security, because the PHP scripts are not run with the rights of the webserver's user. In addition to that you probably won't have to use PHP's "safe mode", which applies many restrictions on the scripts.

For example, if you have a Joomla installation it is not necessary to enable the unsecure ftp layer or give 777 permissions in directories to install components/modules. This suPHP RPM package is using paranoid mode so you can use suphp per-virtualhost and assign per-user permissions.

Note: suPHP should only be used if you are using no CGI scripts or if all CGI scripts are run using suExec.


wget ftp://ftp.pbone.net/mirror/ftp.freshrpms.net/pub/freshrpms/pub/dag/redhat/el5/en/x86_64/dag/RPMS/mod_suphp-0.7.0-1.el5.rf.x86_64.rpm

For i386 the location is: ftp://ftp.pbone.net/mirror/ftp.freshrpms.net/pub/freshrpms/pub/dag/redhat/el5/en/i386/dag/RPMS/mod_suphp-0.7.0-1.el5.rf.i386.rpm

rpm -Uvh mod_suphp-0.7.0-1.el5.rf.x86_64.rpm

Do the following changes in the 2 suPHP configuration files:

In /etc/suphp.conf

Change loglevel=info
to loglevel=warn #Otherwise it will flood the suphp log file
Change umask=0077
to umask=0022
Change x-httpd-php=php:/usr/bin/php to x-httpd-php=php:/usr/bin/php-cgi

Change allow_file_group_writeable=false to allow_file_group_writeable=true

Optional:
Change allow_directory_group_writeable=false to allow_directory_group_writeable=true
In /etc/httpd/conf.d/suphp.conf

Comment out the following 2 lines:

AddHandler x-httpd-php .php

AddHandler x-httpd-php .php .php4 .php3 .phtml


so they will look like:

#AddHandler x-httpd-php .php

#AddHandler x-httpd-php .php .php4 .php3 .phtml


Uncomment:
suPHP_AddHandler x-httpd-php
# (Remove the hash mark from the beginning of the line)




In your httpd.conf you need to add 2 lines to the virtualhost you want to enable suphp:
suPHP_Engine on

suPHP_UserGroup username group #This has to be a local user in the system who will be managing his docroot.

If you have a Joomla installation you have to chown (change ownersip) of the docroot to user:user and use the correct permissions:

chown -R user:user /path/to/joomladir
cd /path/to/joomladir
find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;

Be sure to restart apache.

* does necessary install suPHP on your server ?

It is not necessary to install SuPHP on the server, but it is considered to be a good thing to do.

* what does suPHP do exactly and if i install it on your server there is not any conflict for my users script?

It runs all PHP scripts as the user in whose account they reside – rather than running all scripts as user nobody. It also prevents scripts that have insecure permissions from running.

Most PHP scripts will run well within a SuPHP environment. However, some older not well-maintained scripts that rely on insecure permissions may experience issues in a SuPHP environment.

* how to install suPHP via WHM “if you have WHM installed in your server”?

It’s easy. Simply go to the WHM interface and in the Software section click Apache Update. Proceed through the build process until step 5, then select the checkbox for Mod SuPHP. Proceed to compile Apache via the WHM interface. When done, you will be prompted regarding how you wish to have PHP run – select SuPHP.

If you do not see this prompt, you can set this in WHM -> Service Configuration -> Configure PHP and SuExec. Note, in 11.24, this has been moved to WHM -> Service Configuration -> Apache Configuration -> PHP and SuExec Configuration.

* Differences between suPHP and “regular php”:

Regular PHP installation on a web server runs as the user nobody and it doesn’t require the execute flag to be enabled. The problem with regular PHP installation is that if mod_openbasedir is not installed, every user on the server will be able to read your php files because practically everyone shares the same username (nobody).

PHP Files are not meant to be read, but parsed, otherwise everyone who is able to read your php file will able to view settings that you would want to keep private, such as your MySQL username and password.

suPHP fixes this issue because it requires PHP scripts to be executed with the permissions of their owners. suPHP also fixes common file ownership issues that mostly occur with few Content Management Systems such as Joomla and also on the popular blog software: WordPress.

* Can I use the php_value directives in .htaccess files with suPHP?

suPHP does not support the php_value/php_admin_value directive known by mod_php to parse configuration options to scripts for certain virtual hosts or directories. All the php_flags in your .htaccess will have to be moved to php.ini, which you will have to create in your public_html directory.

* Example:

.htaccess php_flag register_globals on

php.ini register_globals=on

You will have to move every command on .htaccess that starts with php_flag.
Sponsored Links:

* Troubleshooting Internal Server Errors (Error 500):

Whenever an internal server error occurs, the error will be added to the Error Log in cPanel. (cPanel Error Log). This will help you pin point the error. In most cases it will either be a permission error on a bad command in your .htaccess file (remember that all php values have to go to your php.ini file).

Directories that require writable permissions will no longer require 777 as permissions and suPHP will refuse to write or read on directories exposed with such permissions, make sure you chmod them to 755

Basically suPHP will refuse to serve any pages that are at security risk, for example with 777 as permissions. (will generate an Internal Server Error)

* All servers having SuPHP installed for added security
* The main features of SuPHP that you should be aware of is:

1. SuPHP does not allow files/folders to run where they have group and world write permissions; only the account owner can write to files/folders. This forces all users to ensure that their files/folders have correct permissions and prevents hackers uploading malicious content into vulnerable folders.
2. SuPHP allows all PHP scripts to be run under the user account ownership, instead of running under the “nobody” user. This is particurly helpful in tracking down scripts which send out SPAM as the “nobody” user.

Most user accounts will not notice any difference. However a number of user accounts will have some problems/errors which can be easily resolved using this command in terminal “if you dont have root access try to ask your System Administrator”


for files:
find . -name *.php -type f -exec chmod 644 {} \;
or
find . -type f -exec chmod 644 {} \;
and
for folders:
find . -type d -exec chmod 755 {} \;


==================================================================
What is suPHP?

Solution

suPHP is a tool for executing PHP scripts with the permissions of their owners. There are some significant improvments in suPHP such as:-

    * HTTP based authentication auth works via php
    * symbolic links to php files also work
    * permissions of public_html does not need to be changed for using shared SSL with php5
    * Custom error pages will work with both php4 and php5

suPHP brings a new level of security to the way php is used.

1) php scripts execute using the permissions of userid of the account holder instead of user "nobody"

2) world writable folders (chmod 777) is not required for file uploads through php

3) The php file need to have ownership of the user to execute in the user account (by default it is).

4) php file (script) does not need 755 permissions. 644 is fine. In fact 400 or 600 is ok too (especially good for sensitive information).

5) php_flag or php_value can NOT be used in .htaccess files (It will result in Internal Server Error).

6) The php flags that do not work in .htaccess can be moved to php.ini file in the same folder where php script exists. However, the php flag/value will be in the format of php.ini and not that of .htaccess. For example this from .htaccess

php_flag register_globals off --> will go into php.ini as: --> register_globals off

If php.ini exists in the folder where the php scripts exists, it will take all values from it and nothing will be taken from main php.ini.

7) If the folder that contains a php file/script is world writable (chmod 777), it will result in Internal Server Error. This is similar to cgi/perl scripts under suexec that do not like such permissions for security reason. The normal folder permissions should be 755.

REFERENCES
http://help.secure-webhosting.com/esup2/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=398

Creating secure websites with PHP requires attention to detail and some understanding of the possible risks. SUPHP is one tool to make it easier for Web developers on ITC-managed systems to secure their sites.

For PHP applications to access MySQL databases or upload (write) files to site folder(s), the file and/or directory access permissions almost always need to be set open enough for the application to do its work. Unfortunately, this also allows any user with access to the Web server to read and/or modify files. Website vandals take advantage of this exploit to modify both the user's own website and other sites on the same server.

With SUPHP, the file permissions can then be set so that only the user can read the file, and the SUPHP page can write in any location where the owner can write.

Note: If you need a generalized CGI solution for your web pages please see our SUCGI page.
Get Started with SUPHP

1. Replace the .php file extension with the .suphp extension.
2. Make sure the file owner id matches your computing ID.
3. Set file permission(s) to allow read access only by you (e.g., chmod 600 filename.suphp).

Note: If you're using a package downloaded from the Internet, you will need to analyze the files provided. Rename files as mentioned above, and then go through all of the remaining code to replace references to filename.php with references to filename.suphp.

If renaming with .suphp file extension is not possible, you can modify the way the Web server handles all files in your directory with the .php file extension by adding the following to an .htaccess file in the directory:

AddHandler su-php-script .php

The other requirements of SUPHP still apply. Note that using this means that all PHP programs anywhere under this directory will now run as CGI through the SUPHP interface.
Requirements

* The PHP script must be valid PHP 5. The suphp module runs PHP 5 rather than the standard PHP on the server (on most ITC maintained machines the standard PHP is version 4).
* The PHP file must have the .suphp extension unless using the AddHandler directive described above.
* The file must be saved in the standard Web server document areas: /www/doc/, /www/doc_ssl/, the user's public_html directory, or sub-directories within these locations.
* The reference cannot be made via a symbolic link to the file.
* The file must have owner permission to read set (e.g., chmod u+r filename.suphp or chmod 400 filename.suphp).
* The file can allow writing by the owner and the owner's group subject to limitations below.
* The directory containing the file can be writeable by the owner and the group, but not by any other users.
* The file itself and the directory it is in must have matching user and group ownership. (when access by the Web server the file will be run using the user and group ownership of the file).
* The file must not have UNIX file permissions set to force the user id or group id when run.

The user id and group id of the files and directories need to meet additional restrictions:

* The user id must be a member of the group id used.
* The user id cannot be in the list of administrative ids (those which have a numerical version of the id less than 500).
* The group id cannot be in the list of administrative groups (those with have a numerical version of the id less than 100.
* The id command on blue.unix will give you the numeric versions of your [owner] ID and the numeric ids for groups to which you belong.

Managing Access Permissions and Ownership

* Permissions (read/write/execute) can be changed from the Home Directory Administrative Interface.
* User ownership can only be changed by the system administrator or by removing files and having the correct owner create them.
* Group ownership can be changed with the chgrp command when logged into UNIX server (blue.unix.virginia.edu for the majority of websites on Grounds).
* If your standard UNIX group is usr (which is common for many users), you will need to create a new group with MyGroups. Add yourself as a member to that group.

Moving PHP Configuration out of .htaccess Files

SUPHP does not see PHP configurations in .htaccess files, such as php_flag or php_value. You need to move these into the PHP script itself, using the PHP ini_set() function. For example,

* change php_flag register_globals On in .htaccess to ini_set("register_globals", "On"); in your PHP script.
* change php_value include_path "dir1:dir2" in .htaccess to ini_set("include_path", "dir1:dir2"); in your PHP script.

Using SUPHP with NetBadge Authentication

If your SUPHP script is authenticated by NetBadge, then the user will be required to login, but your SUPHP script will not receive the user name in $_SERVER['REMOTE_USER']. This happens because your script is run with unauthenticated SUPHP, which is the default. To fix this problem, you must put these lines in your .htaccess file to use NetBadge authenticated SUPHP.

Action su-php-script /server-cgi/netbadge/suphp
PubcookieAppId sunetbadge

Just another question: Do I need PHP-Suhosin if I have mod_security already installed on my dedicated server? And what is the difference between Apache-Suexec and suphp or php-suexec, make sense to have both installed and in use? Because I have some strange problems with my website, sometimes my site is unreachable for me but if I disconnect and re-connect(change IP) the site is on. There is no server load issues or etc. I had been banned but I dont know who banned me, if mod_sec or apf or suhosin or any other tool.

uEXEC is an Apache module let users to run CGI/SSI programs under user IDs. It is good to track logs to find security problems.

Suhosin is a good guard for php to protect your website or webserver against attacks like sql-injection or remote-file-injection etc.

ModSecurity™ is a firewall-like apache module which protects your webserver against known and some unknown attacks like brute-force data-inclusion etc

suphp or phpsuexec is similar to suexec, let scripts run with user rights also not as nobody. Good to monitor user actions on a webhosting to find spammers etc... Attention!: do not forget to configure your httpd.conf to add suPHP_AddHandler directive, otherwise your php scripts wont work.

www.suphp.org
http://httpd.apache.org/docs/2.0/suexec.html
www.hardened-php.net/suhosin
www.modsecurity.org

* reply

Many of you may be aware that SharkSpace is now implementing suPHP on shared hosting servers, which was announced here recently. Through this blog, we will try to explain to you what suPHP is about and how it is beneficial for everyone.



Securing a shared hosting server is a challenging task as it has to be secured from outside and from inside a website. Vulnerable scripts or incorrect permissions can cause compromises from inside a server. PHP has built-in features to help, but ultimately it’s the wrong place to address the problem. Apache has built-in features too, but the performance cost of these features is prohibitive. This is where suPHP, created by Sebastian Marsching comes to the rescue.



Like Apache’s own suexec, suphp is a solution that allows PHP to run as the user and group that owns any particular website on a shared hosting server. Technically, suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the UID of the process executing the PHP interpreter.



suphp consists of two components:



* mod_suphp, an Apache module that replaces mod_php
* suphp, a setuid binary that replaces Apache’s suexec



Every time a PHP script is run, suphp has to fork Apache and then execute another copy of the PHP/CGI binary. This approach provides the absolute security benefits that we seek. It means that if a script contains a vulnerability, and got exploited, then only that particular user will be affected.



suPHP has the following advantages:



* PHP runs as your user/group
* PHP files can have permissions of 640 (hiding things like passwords from other accounts)
* Files/folders written by PHP are written as user/group (no Apache or other global user)
* Custom php.ini file per site (can add/remove security options)



Please note that suPHP does not allow permissions 666 and 777.



Some users make use of .htaccess files to set php configuration lines using php_flag var setting. Having a .htaccess file use the php_flag directive will result in a 500 error be produced. PHP flags no longer work in the .htaccess file. If you need to enable things such as register globals you can follow the below guide:



In .htaccess under public_html, add the following:



suPHP_ConfigPath /home/user/public_html

order allow,deny
deny from all


Note: You must change user to your account username.



Create a php.ini file under public_html add any of the below settings that you need:



register_globals = On
upload_max_filesize = 30M
post_max_size = 30M
memory_limit = 30M
upload_tmp_dir = 30M
max_execution_time = 180



Using a php.ini file may cause issues if your scripts use Zend Optomizer or IonCube encoding. You then just need to add the following to your php.ini file to resolve the issue:



Note: this may not be needed. Please test before using.



[Zend]
zend_extension=/usr/local/ioncube/ioncube_loader_lin_4.4.so
zend_optimizer.optimization_level=15
zend_extension_manager.optimizer=/usr/local/Zend/lib/Optimizer-3.2.6
zend_extension_manager.optimizer_ts=/usr/local/Zend/lib/Optimizer_TS-3.2.6
zend_extension=/usr/local/Zend/lib/ZendExtensionManager.so
zend_extension_ts=/usr/local/Zend/lib/ZendExtensionManager_TS.so



For the PHP settings you do not have in your php.ini file, PHP will use our default configurations. It will not use the server php.ini but rather a default one. You may need to set other settings. You may create a phpinfo.php file in public_html with the beginning and ending php tags and the following in between to see any changes by browsing it:



phpinfo();

1. http://cbl.abuseat.org/lookup.cgi
2. http://www.spamhaus.org/lookup.lasso
3. http://www.us.sorbs.net/lookup.shtml
4. http://www.spamcop.net/bl.shtml