Introduction
A default installation of PHP as the mod_php module is one of the biggest security holes in web server software.
Let's consider why. If PHP is installed as mod_php, all PHP applications run under one common user such as 'nobody', 'www' or 'apache'. This means that if a user 'alex' keeps files in his home directory, everyone else who has an account on the same server can read (and modify) those files with an ordinary PHP-based file manager.
For example, we have two users with their home directories:

/home/alex/www
/home/rob/www

User 'alex' has a file '/home/alex/www/my_secure_data.txt' that he manages with his PHP software.
Since all PHP software under mod_php runs as the common user 'nobody', this user 'nobody' must have read and/or write permission on that file. But then user 'rob' can run a PHP file manager, go to the directory /home/alex/www/ and read or change the 'my_secure_data.txt' file.
Unfortunately, many web hosting companies have this security problem.
To avoid it, apache provides the 'suexec' mechanism, which runs users' software under their own system accounts. User 'alex' then has 'my_secure_data.txt' chowned to 'alex', and it still works because his applications run under the 'alex' system account in the suexec environment. Basically, suexec is provided for applications running as CGI scripts.
In this article we'll show how to configure PHP to run PHP scripts as CGI.
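As an added illustration of the exposure described above (this is not code from the original article): a Python audit that walks a web root and flags regular files a script running as the shared mod_php account could read or write, run here against a constructed sample tree. The file names, their modes and the choice of uid standing in for 'nobody' are assumptions.

```python
import os
import stat
import tempfile

def audit_webroot(root, webserver_uid, webserver_gids=()):
    """Return sorted (relative path, reason) pairs for regular files under root
    that scripts running as the shared mod_php account could read or write."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. are out of scope here
            rel = os.path.relpath(path, root)
            perm = stat.S_IMODE(st.st_mode)
            if st.st_uid == webserver_uid:
                findings.append((rel, "owned by web server user"))
            if st.st_gid in webserver_gids and perm & stat.S_IRGRP:
                findings.append((rel, "group-readable by web server group"))
            if perm & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            elif perm & stat.S_IROTH:
                findings.append((rel, "world-readable"))
    return sorted(findings)

def build_sample_tree(base):
    """Create a constructed sample web root (not a real customer site) with a
    world-readable script, an owner-only data file and a world-writable cache."""
    www = os.path.join(base, "www")
    os.makedirs(os.path.join(www, "uploads"))
    samples = {
        "index.php": 0o644,                           # readable by everyone
        "my_secure_data.txt": 0o600,                  # owner only: fine under suexec
        os.path.join("uploads", "cache.dat"): 0o666,  # writable by everyone
    }
    for rel, mode in samples.items():
        path = os.path.join(www, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return www

def run_demo(server_owns_files=False):
    """Audit the constructed tree. The server account is simulated as a uid
    other than ours, or as our own uid when server_owns_files is True (the
    mod_php situation, where content has to belong to 'nobody')."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as tmp:
        return audit_webroot(build_sample_tree(tmp), me if server_owns_files else me + 1)
```

Under a suexec/suphp setup only 'my_secure_data.txt' style permissions (owner only) are needed, so anything the audit reports is a candidate for tightening.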
Apache installation
First we need to install the suphp module for apache. This module runs PHP scripts in a suexec+php-cgi environment. The package can be downloaded from http://suphp.org. Here's an installation example:

tar -xzvf suphp-0.xx.xx.tgz
cd suphp-0.xx.xx
./configure \
  --with-php=/usr/local/bin/php \
  --with-apxs=/usr/local/apache/bin/apxs \
  --with-apache-user=nobody
make
make install
ln -s /usr/local/sbin/suphp /usr/sbin/

Instead of 'nobody' put the username you run apache under; usually it's 'www', 'nobody' or 'apache'. With a statically linked apache we still need to run make install. Next we need to configure apache and activate mod_suphp:
cd apache-xx.xx.xx
# --suexec-caller must be the account apache runs as (the same one given to suphp above).
# --suexec-docroot=/ lets suexec run scripts from anywhere under /; if all customer
# sites live under one tree (e.g. /home), name that tree instead to keep the check useful.
OPTIM="-D_FILE_OFFSET_BITS=64 -DHARD_SERVER_LIMIT=8196" \
./configure \
  "--enable-suexec" \
  "--suexec-docroot=/" \
  "--suexec-uidmin=100" \
  "--suexec-caller=nobody" \
  "--suexec-logfile=/var/log/httpd/suexec_log" \
  "--add-module=../suphp-0.xx.xx/src/apache/mod_suphp.c"
  # add your own options to the list above (keep the trailing backslashes)
make
make install
path_to_your_apache/bin/httpd -l
You should see the following lines, which show that suexec and suphp are enabled:

mod_suphp.c
suexec: enabled; valid wrapper /path_to_your_apache/bin/suexec

To enable suexec you need to specify the user and group for the particular domain, activate the suPHP engine and set the PHP handler for PHP scripts:

# inside the <VirtualHost> block for alex's domain
User alex
Group alex
DocumentRoot /home/alex/www
ScriptAlias /cgi-bin/ /home/alex/www/cgi-bin/
Options +ExecCGI
suPHP_Engine on
AddHandler x-httpd-php .php .php4 .php3
# rest of your options
PHP installation
To compile PHP with CGI support you need to disable apache support when configuring:

./configure \
  --without-apache \
  --enable-force-cgi-redirect \
  --enable-fastcgi
  # add your own options to the list above (keep the trailing backslashes)
make
make install

To check that you have configured and compiled PHP correctly, run the following command; you should see something like this:

/usr/local/bin/php -i | grep CGI
Server API : CGI/FastCGI

Testing installation
Put a simple PHP script into the ~/www directory and run it. If everything has been installed correctly, you should see some log entries in /var/log/httpd/suphp_log.