Distributions, Security

Installation of suPHP using Apache2 & PHP5

suPHP is a nice tool for executing PHP scripts with the permissions of their owners. It’s comparable to suexec (which is for perl scripts). When using this tool, you don’t need SafeMode any longer, etc…

Tested on: SuSE 10.0, openSuSE 10.1
Prerequisites: php5-fastcgi, autoconf, gcc

in openSuSE 10.1, I had to (soft)link some files:
ln -s /usr/include/apr-1/* /usr/include/apache2

configure in openSuSE 10.1:
./configure --with-apxs=/usr/sbin/apxs2 --with-php=/usr/bin/php5 \
--with-logfile=/var/log/apache2/suphp.log --with-min-uid=30 \
--with-min-gid=30 --with-apache-user=wwwrun \
--with-apr=/usr/bin/apr-1-config --with-setid-mode=owner \
--prefix=/usr --sysconfdir=/etc

configure in SuSE 10.0:
./configure --with-apxs=/usr/sbin/apxs2 --with-php=/usr/bin/php5 \
--with-logfile=/var/log/apache2/suphp.log --with-min-uid=30 \
--with-min -gid=30 --with-apache-user=wwwrun \
--with-apr=/usr/bin/apr-config --with-setid-mode=owner \
--prefix=/usr --sysconfdir=/etc

After that, usual way:
make; make install

Check your configuration at /etc/suphp.conf. For me, it looks someway like this:
[global]
logfile=/var/log/apache2/suphp.log
loglevel=info
webserver_user=wwwrun
docroot=/srv/www/htdocs
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false
check_vhost_docroot=false
errors_to_browser=false
env_path=/bin:/usr/bin
umask=0022
min_uid=30
min_gid=30
;
[handlers]
;Handler for php-scripts
x-httpd-php=php:/srv/www/cgi-bin/php5
;Handler for CGI-scripts
x-suphp-cgi=execute:!self

Add suPHP module to your apache config (/etc/sysconfig/apache2):
APACHE_MODULES="access .... php5 suphp"

Create a new file to tell apache to use suPHP:
/etc/apache2/httpd.conf.local
<Directory "/srv/www/htdocs">
php_admin_value engine off
suPHP_Engine on
AddHandler x-httpd-php .php .php3 .php4 .php5
suPHP_AddHandler x-httpd-php
</Directory>

Include that in your apache configuration (/etc/sysconfig/apache2):
APACHE_CONF_INCLUDE_FILES="httpd.conf.local"

After restarting apache, it should be done ; )