The latestet release of suPHP (v.0.6.3) has been published on Mar 30th, 2008.
It’s a security fix release eliminating two symlink race-conditions.
Users are strongly advised to update immediately.
After installing suPHP a few days ago, I had the first problem with a xt:Commerce installation. That’s what happened on a SuSE 10.0 system:
When trying to access the pages, it stayed blank and there were some wierd errors in the apache logfile:
[Mon Apr 02 16:44:48 2007] [error] [client x.x.x.x] PHP Fatal error: %v%v() [<a href='function.require'>function.require</a>]: Failed opening required 'DIR_WS_INCLUDESfilenames.php' (include_path='/usr/share/php5') in /path/to/user/html/includes/application_top.php on line 57
Reason was found quite quick:
The include path only had the default path and didn’t include the webroots any longer : (
Solution: change config in /etc/php5/cli/php.ini .
From:
include_path = "/usr/share/php5"
To:
include_path = ".:/usr/share/php5"
. = Homedir of webroot
: = next path
suPHP is a nice tool for executing PHP scripts with the permissions of their owners. It’s comparable to suexec (which is for perl scripts). When using this tool, you don’t need SafeMode any longer, etc…
Tested on: SuSE 10.0, openSuSE 10.1
Prerequisites: php5-fastcgi, autoconf, gcc
in openSuSE 10.1, I had to (soft)link some files:
ln -s /usr/include/apr-1/* /usr/include/apache2
configure in openSuSE 10.1:
./configure --with-apxs=/usr/sbin/apxs2 --with-php=/usr/bin/php5 \
--with-logfile=/var/log/apache2/suphp.log --with-min-uid=30 \
--with-min-gid=30 --with-apache-user=wwwrun \
--with-apr=/usr/bin/apr-1-config --with-setid-mode=owner \
--prefix=/usr --sysconfdir=/etc
configure in SuSE 10.0:
./configure --with-apxs=/usr/sbin/apxs2 --with-php=/usr/bin/php5 \
--with-logfile=/var/log/apache2/suphp.log --with-min-uid=30 \
--with-min -gid=30 --with-apache-user=wwwrun \
--with-apr=/usr/bin/apr-config --with-setid-mode=owner \
--prefix=/usr --sysconfdir=/etc
After that, usual way:
make; make install
Check your configuration at /etc/suphp.conf. For me, it looks someway like this:
[global]
logfile=/var/log/apache2/suphp.log
loglevel=info
webserver_user=wwwrun
docroot=/srv/www/htdocs
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false
check_vhost_docroot=false
errors_to_browser=false
env_path=/bin:/usr/bin
umask=0022
min_uid=30
min_gid=30
;
[handlers]
;Handler for php-scripts
x-httpd-php=php:/srv/www/cgi-bin/php5
;Handler for CGI-scripts
x-suphp-cgi=execute:!self
Add suPHP module to your apache config (/etc/sysconfig/apache2):
APACHE_MODULES="access .... php5 suphp"
Create a new file to tell apache to use suPHP:
/etc/apache2/httpd.conf.local
<Directory "/srv/www/htdocs">
php_admin_value engine off
suPHP_Engine on
AddHandler x-httpd-php .php .php3 .php4 .php5
suPHP_AddHandler x-httpd-php
</Directory>
Include that in your apache configuration (/etc/sysconfig/apache2):
APACHE_CONF_INCLUDE_FILES="httpd.conf.local"
After restarting apache, it should be done ; )