suPHP
suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of the process executing the PHP interpreter.
Main Features of SuPHP
suPHP provides an additional layer of protection on servers. It causes PHP scripts to run under the account's username instead of the user nobody, which is the user that Apache/PHP would run as on a server that is not running suPHP.
This feature allows us to more easily track any potential security breaches that come in via insecure PHP scripts that a user is running.
suPHP also does away with the requirement of using 777 permissions on directories and files that need write permission. In fact, if a directory or file has its permissions set to 777 (via chmod) and it is accessed via a browser, an Internal Server Error (500) will be generated. The highest level of permissions that a user can use on a suPHP-enabled server is 755. Because scripts run as the owning account, the owner's write bit is all that is needed, so this setting is sufficient for any directories or files that need to be written to.
How to install suPHP on cPanel
Using EasyApache
There are two ways to launch the EasyApache program. The first one is through WHM and the other via shell.
Go to the WHM interface and, in the Software section, click Apache Update. Proceed through the build process until step 5, then select the checkbox for Mod SuPHP. Proceed to compile Apache via the WHM interface. When done, you will be prompted regarding how you wish to have PHP run; select SuPHP.
If you do not see this prompt, you can set this in WHM -> Service Configuration -> Configure PHP and SuExec. Note: in 11.24, this has been moved to WHM -> Service Configuration -> Apache Configuration -> PHP and SuExec Configuration.
Via Shell
Log into the server as user root. Once logged in, run the easyapache script as follows:
/scripts/easyapache
Proceed through the build process until step 5, then select the checkbox for Mod SuPHP. Proceed to compile Apache.
To formally enable suPHP, run the following command:
# /usr/local/cpanel/bin/rebuild_phpconf 5 none suphp 1
To verify that the command has taken effect, run the following command. The output should look like this:
# /usr/local/cpanel/bin/rebuild_phpconf --current
Available handlers: suphp dso cgi none
DEFAULT PHP: 5
PHP4 SAPI: none
PHP5 SAPI: suphp
SUEXEC: enabled
Now restart Apache for the settings to take effect:
/scripts/restartsrv_httpd
Verifying the configuration
Check the suPHP log file, as that is where errors and warnings show up. The suPHP log file is located here:
/usr/local/apache/logs/suphp_log
Common Issues
Why do my scripts not work, and why do I get a "Premature end of script headers" message in the error_log?
You probably have installed the CLI version of PHP, but you need the CGI version. Copy the file /build/path/sapi/cgi/php to /where/ever/you/have/installed/bin/php to use the CGI version.
Troubleshooting Internal Server Error (Error 500)
Whenever an internal server error occurs, the error will be added to the Error Log in cPanel (cPanel Error Log). This will help you pinpoint the error. In most cases it will be either a permission error or a bad command in your .htaccess file (remember that all PHP values have to go in your php.ini file).
You cannot manipulate the php.ini settings with .htaccess when running PHP as CGI/phpsuexec. If you are using .htaccess with php_value entries in it, you will receive an Internal Server Error (500) when attempting to access the scripts. This is because PHP is no longer running as an Apache module, so Apache no longer handles those directives. All PHP values should be removed from your .htaccess files to avoid this issue. Placing a php.ini file in its place will solve this issue.
Directories that require write permission no longer need 777, and suPHP will refuse to read or write in directories exposed with such permissions. Make sure you chmod them to 755.
Basically, suPHP will refuse to serve any pages that are a security risk, for example those with 777 permissions (this generates an Internal Server Error).
Fix Permissions for Internal Server Error
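Run the following commands from the user's public_html directory (MAKE SURE YOU'RE IN THE PUBLIC_HTML DIRECTORY). The last command takes the account name from the third component of the current path, so running it from anywhere else will set the wrong owner:
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
find . -type f \( -iname '*.pl' -o -iname '*.cgi' \) -exec chmod 755 {} \;
chown -R "$(pwd | cut -d/ -f3):$(pwd | cut -d/ -f3)" .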
Article Authored by Anoop M
Author, Anoop M, is a Systems Engineer with SupportPRO. Anoop specializes in L2 and Basic L3 Linux administration. SupportPRO offers 24X7 technical support services to Web hosting companies and service providers.