UnixServerAdmin

Server Administration & Management

Su-PHP

Securing a server is a challenging task as it has to be secured from outside and from inside a website. Vulnerable scripts or incorrect permissions can cause compromises from inside a server. PHP has built-in features to help, but ultimately it’s the wrong place to address the problem. Apache has built-in features too, but the performance cost of  these features is prohibitive. This is where suPHP, created by Sebastian Marsching comes to the rescue.

Like Apache’s own suexec, suphp is a solution that allows PHP to run as the user and group that owns any particular website on a  server. Technically, suPHP is a tool for executing PHP scripts with the permissions of their owners.
It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the UID of the process executing the PHP interpreter.

Su-php consists of two components :-

* mod_suphp, an Apache module that replaces mod_php
* suphp, a setuid binary that replaces Apache’s suexec

Every time a PHP script is run, suphp has to fork Apache and then execute another copy of the PHP/CGI binary. This approach provides the absolute security benefits that we seek. It means that if a script contains a vulnerability, and got exploited, then only that particular user will be affected.

Su-PHP has the following advantages :-

* PHP runs as your user/group
* PHP files can have permissions of 640 (hiding things like passwords from other accounts)
* Files/folders written by PHP are written as user/group (no Apache or other global user)
* Custom php.ini file per site (can add/remove security options)

Note: Su-PHP does not allow permissions 666 and 777.

Some users make use of .htaccess files to set php configuration lines using php_flag var setting. Having a .htaccess file
use the php_flag directive will result in a 500 error be produced. PHP flags no longer work in the .htaccess file. If you
need to enable things such as register globals you can follow the below guide:

In .htaccess under public_html, add the following :-

======================================
suPHP_ConfigPath /home/user/public_html
order allow,deny
deny from all
======================================

Note: You must change user to your account username.

Create a php.ini file under public_html add any of the below settings that you need:-

=========================
register_globals = On
upload_max_filesize = 30M
post_max_size = 30M
memory_limit = 30M
upload_tmp_dir = 30M
max_execution_time = 180
=========================

Using a php.ini file may cause issues if your scripts use Zend Optomizer or IonCube encoding. You then just need to add the following to your php.ini file to resolve the issue:

Note: this may not be needed. Please test before using.

====================================================================
[Zend]
zend_extension=/usr/local/ioncube/ioncube_loader_lin_4.4.so
zend_optimizer.optimization_level=15
zend_extension_manager.optimizer=/usr/local/Zend/lib/Optimizer-3.2.6
zend_extension_manager.optimizer_ts=/usr/local/Zend/lib/Optimizer_TS-3.2.6
zend_extension=/usr/local/Zend/lib/ZendExtensionManager.so
zend_extension_ts=/usr/local/Zend/lib/ZendExtensionManager_TS.so
====================================================================

For the PHP settings you do not have in your php.ini file, PHP will use our default configurations. It will not use the
server php.ini but rather a default one. You may need to set other settings. You may create a phpinfo.php file in public_html with the beginning and ending php tags and the following in between to see any changes by browsing it

Advertisements

March 27, 2011 - Posted by | Apache, htaccess, PHP | , , ,

1 Comment »

  1. I had been really searching for something on this subject matter and your blogging flawlessly fits my current desires. Will you please write much more along these lines? Visitors are looking for this knowledge as well as the kind of fair viewpoint which you bring to the table.

    Comment by filtered water | June 16, 2011 | Reply


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: