
Running PHP scripts under user at suexec environment

Introduction

The default PHP installation, as the mod_php module, is one of the biggest security holes in web server software.
Let's consider why. If PHP is installed as mod_php, then all PHP applications run under the common web server user, 'nobody', 'www' or 'apache'. This means that if user 'smith' keeps files in his home directory, everyone else who has an account on the same server can read (and modify) those files with an ordinary PHP-based file manager, because their scripts run under that same shared user.

For example, we have 2 users with their home directories:

/home/smith/www
/home/lora/www

User 'smith' has a file '/home/smith/www/my_secure_data.txt' that he manages with his PHP software.

Since all PHP software under mod_php runs as the common user 'nobody', that user must have read and/or write permission on this file. But then user 'lora' can run a PHP file manager, go to the directory /home/smith/www/ and read or change the 'my_secure_data.txt' file.

Unfortunately, many web hosting companies have this security problem.

To avoid this problem apache provides the 'suexec' mechanism, which runs each user's software under that user's own system account. User 'smith' can then keep 'my_secure_data.txt' chowned to 'smith' (with no permissions for anyone else), and it still works because his applications run under the 'smith' system account in the suexec environment. Basically, suexec is provided for applications running as CGI scripts.

In this article we'll show how to make PHP run its scripts as CGI under suexec.

Apache installation

First we need to install the suphp module for apache. This module runs PHP scripts in a suexec + php-cgi environment. The package can be downloaded from http://suphp.org. Here's an installation example:

  • tar -xzvf suphp-0.xx.xx.tgz
  • ./configure \
    --with-php=/usr/local/bin/php \
    --with-apxs=/usr/local/apache/bin/apxs \
    --with-apache-user=nobody
  • make
  • make install
  • ln -s /usr/local/sbin/suphp /usr/sbin/

Instead of 'nobody' put the username your apache runs under; usually it's 'www', 'nobody' or 'apache'. In the case of a statically linked apache we need to rebuild apache and run make install for it as well. Next we need to configure apache and activate mod_suphp:

  • cd apache-xx.xx.xx
  • OPTIM="-D_FILE_OFFSET_BITS=64 -DHARD_SERVER_LIMIT=8196" \
    ./configure \
    "--enable-suexec" \
    "--suexec-docroot=/" \
    "--suexec-uidmin=100" \
    "--suexec-caller=nobody" \
    "--suexec-logfile=/var/log/httpd/suexec_log" \
    "--add-module=../suphp-0.xx.xx/src/apache/mod_suphp.c" \
    # your other options
  • make
  • make install
  • path_to_your_apache/bin/httpd -l

You should see the following lines, which show that suexec and suphp are enabled:

  • mod_suphp.c
  • suexec: enabled; valid wrapper /path_to_your_apache/bin/suexec

To enable suexec you need to specify the username and group for the particular domain, activate the suPHP engine and set the PHP handler for PHP scripts:

  • suPHP_Engine on
    AddHandler x-httpd-php .php .php4 .php3
  • # ip address
    User smith
    Group smith
  • DocumentRoot /home/smith/www
    ScriptAlias /cgi-bin/ /home/smith/www/cgi-bin/
    # the rest of your options
  • Options +ExecCGI

PHP installation

To compile PHP with CGI support you need to disable apache support while configuring:

  • ./configure \
    --without-apache \
    --enable-force-cgi-redirect \
    --enable-fastcgi \
    # your other options
  • make
  • make install

To check that you have configured and compiled PHP correctly, run the following command; you should see something like this:

  • /usr/local/bin/php -i | grep CGI
  • Server API : CGI/FastCGI

Testing installation

Put a simple PHP script into the ~/www directory and request it. If everything has been installed correctly, you should see log entries in /var/log/httpd/suphp_log
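Once scripts run as the account owner, the remaining work is file permissions: suexec refuses a script that is not owned by the vhost user or that is writable by others, and any file that is still readable by "other" can be read by every other account's scripts just as under mod_php. The following audit script is an added example for this article (not part of Apache, suexec or suPHP); it builds a constructed sample tree modelled on /home/smith/www and reports what still needs fixing.

```shell
#!/bin/sh
# audit_docroot: report objects in a per-user DocumentRoot that suexec would
# refuse (wrong owner, writable by others) or that other accounts can still read.
# Added example for this article; not part of Apache, suexec or suPHP.
# Usage: audit_docroot <docroot> <vhost_user>   (returns 1 when findings exist)
audit_docroot() {
    docroot=$1
    owner=$2
    [ -d "$docroot" ] || { printf 'no such directory: %s\n' "$docroot" >&2; return 2; }
    findings=$( {
        # not owned by the vhost User: suexec will not execute these
        find "$docroot" ! -user "$owner" -exec printf 'WRONG-OWNER %s\n' {} \;
        # writable by others: suexec refuses them, and any account can alter them
        find "$docroot" -perm -002 -exec printf 'OTHER-WRITE %s\n' {} \;
        # readable by others: visible to every other user's CGI/PHP process
        find "$docroot" -type f -perm -004 -exec printf 'OTHER-READ  %s\n' {} \;
    } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# make_sample_docroot: constructed sample tree (not real user data), modelled on
# /home/smith/www from the article; prints the directory it created.
make_sample_docroot() {
    base=$(mktemp -d)
    mkdir "$base/www"
    chmod 755 "$base/www"
    printf 'secret\n' > "$base/www/my_secure_data.txt"
    chmod 600 "$base/www/my_secure_data.txt"   # private: only the owner's scripts see it
    printf '<?php echo 1;\n' > "$base/www/index.php"
    chmod 644 "$base/www/index.php"            # readable by other accounts
    printf 'x\n' > "$base/www/upload.txt"
    chmod 666 "$base/www/upload.txt"           # world-writable: suexec will refuse the vhost
    printf '%s\n' "$base/www"
}

sample=$(make_sample_docroot)
if audit_docroot "$sample" "$(id -un)"; then
    echo "no findings"
else
    echo "fix the findings above before relying on suexec for this vhost"
fi
rm -rf "$(dirname "$sample")"
```

Run it against a real DocumentRoot as `audit_docroot /home/smith/www smith`; a clean result means 600/700 modes on private data are now enough, because only smith's own scripts run as smith.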