Your IP: 126.96.36.199
Running PHP scripts under user at suexec environment
Default installation php as mod_php module is one the biggest security hole at webservers software.
Lets consider why. If you have php installed as mod_php then all php applications are run under common user 'nobody' or 'www' or 'apache'. It means if a user 'smith' has files located at his home directory, everyone else who has an account at the same server can read ( and modify ) his files using regular PHP-based filemanager.
For example, we have 2 users with their home directories:
And user 'smith' has a file '/home/smith/www/my_secure_data.txt' that he manages by his php software.
Since all php software under mod_php is run from common user 'nobody', this user 'nobody' should have read or/and write permissions for this file. But in this case user 'lora' can run a PHP filemanager, go to directory /home/smith/www/ and read/change 'my_secure_data.txt' file.
Unfortanly, many web hosting companies have this secure problem.
To avoid this problem apache provides 'suexec' technology to run users' software under their own system accounts. It means user 'smith' has 'my_secure_data.txt' chowned to 'smith' and it will work because his applications are run under 'smith' system account at suexec enviroment. Basically, suexec technology is provided for applications running as cgi scripts.
In this article we'll show how to enable php to run php scripts as cgi.
In first place we need to install suphp module for apache. This module runs php scripts under suexec+php-cgi enviroment. This package can be downloaded from http://suphp.org. Here's installation example:
- tar -xzvf suphp-0.xx.xx.tgz
- make install
- ln -s /usr/local/sbin/suphp /usr/sbin/
Instead of 'nobody' you need to put username you run your apache under. Usually it's 'www', 'nobody' or 'apache'. In case of static linked apache we need to run make install. Next we need to configure apache and activate mod_suphp:
- cd apache-xx.xx.xx
OPTIM="-D_FILE_OFFSET_BITS=64 -DHARD_SERVER_LIMIT=8196" \
# another your own options
You should see next lines that will show suexec & suphp is enabled:
- suexec: enabled; valid wrapper /path_to_your_apache/bin/suexec
To enable suexec you need to specify username and group for particular domain, activate suPHP engine and set PHP handler for PHP scripts:
- suPHP_Engine on
AddHandler x-httpd-php .php .php4 .php3
# ip address
ScriptAlias /cgi-bin/ /home/smith/www/cgi-bin/
# rest your options
- options +ExecCGI
PHP installationTo compile php with cgi support you need to disable apache support while configuring.
- ./configure \
- --without-apache \
- --enable-force-cgi-redirect \
- --enable-fastcgi \
- #another your own options
- make install
To check you have configured and compiled PHP correctly run next command and you should see something like following:
- /usr/local/bin/php -i | grep CGI
- Server API : CGI/FastCGI
Put simple php script into ~/www directory and run it. If everything has been installed correctly, you should see some logs at /var/log/httpd/suphp_log