tom's blog » suPHP

suPHP 0.6.3 released / security fix

tom — Fri, 11 Apr 2008 16:17:13 +0000

The latestet release of suPHP (v.0.6.3) has been published on Mar 30th, 2008.

It’s a security fix release eliminating two symlink race-conditions.
Users are strongly advised to update immediately.

xt:Commerce & suPHP

tom — Mon, 02 Apr 2007 15:23:45 +0000

After installing suPHP a few days ago, I had the first problem with a xt:Commerce installation. That’s what happened on a SuSE 10.0 system:

When trying to access the pages, it stayed blank and there were some wierd errors in the apache logfile:
[Mon Apr 02 16:44:48 2007] [error] [client x.x.x.x] PHP Fatal error: %v%v() [function.require]: Failed opening required 'DIR_WS_INCLUDESfilenames.php' (include_path='/usr/share/php5') in /path/to/user/html/includes/application_top.php on line 57

Reason was found quite quick:
The include path only had the default path and didn’t include the webroots any longer : (

Solution: change config in /etc/php5/cli/php.ini .
From:
include_path = "/usr/share/php5"
To:
include_path = ".:/usr/share/php5"

. = Homedir of webroot
: = next path

Installation of suPHP using Apache2 & PHP5

tom — Sat, 31 Mar 2007 19:13:44 +0000

suPHP is a nice tool for executing PHP scripts with the permissions of their owners. It’s comparable to suexec (which is for perl scripts). When using this tool, you don’t need SafeMode any longer, etc…

Tested on: SuSE 10.0, openSuSE 10.1
Prerequisites: php5-fastcgi, autoconf, gcc

in openSuSE 10.1, I had to (soft)link some files:
ln -s /usr/include/apr-1/* /usr/include/apache2

configure in openSuSE 10.1:
./configure --with-apxs=/usr/sbin/apxs2 --with-php=/usr/bin/php5 \ --with-logfile=/var/log/apache2/suphp.log --with-min-uid=30 \ --with-min-gid=30 --with-apache-user=wwwrun \ --with-apr=/usr/bin/apr-1-config --with-setid-mode=owner \ --prefix=/usr --sysconfdir=/etc

configure in SuSE 10.0:
./configure --with-apxs=/usr/sbin/apxs2 --with-php=/usr/bin/php5 \ --with-logfile=/var/log/apache2/suphp.log --with-min-uid=30 \ --with-min -gid=30 --with-apache-user=wwwrun \ --with-apr=/usr/bin/apr-config --with-setid-mode=owner \ --prefix=/usr --sysconfdir=/etc

After that, usual way:
make; make install

Check your configuration at /etc/suphp.conf. For me, it looks someway like this:
[global] logfile=/var/log/apache2/suphp.log loglevel=info webserver_user=wwwrun docroot=/srv/www/htdocs allow_file_group_writeable=false allow_file_others_writeable=false allow_directory_group_writeable=false allow_directory_others_writeable=false check_vhost_docroot=false errors_to_browser=false env_path=/bin:/usr/bin umask=0022 min_uid=30 min_gid=30 ; [handlers] ;Handler for php-scripts x-httpd-php=php:/srv/www/cgi-bin/php5 ;Handler for CGI-scripts x-suphp-cgi=execute:!self

Add suPHP module to your apache config (/etc/sysconfig/apache2):
APACHE_MODULES="access .... php5 suphp"

Create a new file to tell apache to use suPHP:
/etc/apache2/httpd.conf.local
php_admin_value engine off suPHP_Engine on AddHandler x-httpd-php .php .php3 .php4 .php5 suPHP_AddHandler x-httpd-php

Include that in your apache configuration (/etc/sysconfig/apache2):
APACHE_CONF_INCLUDE_FILES="httpd.conf.local"

After restarting apache, it should be done ; )