Running secure PHP applications as CGI scripts under a suexec environment



Introduction

PHP installed as the mod_php Apache module, which is the default installation, is one of the biggest security holes on shared web servers.
Let's consider why. With mod_php, every PHP application on the server runs under the web server's own account ('nobody', 'www' or 'apache'). If a user 'alex' keeps files in his home directory that his PHP applications need, every other user with an account on the same server can read (and modify) those files with an ordinary PHP-based file manager, because that file manager runs as exactly the same account.

For example, we have 2 users with their home directories:
    /home/alex/www
    /home/rob/www
    
And user 'alex' has a file '/home/alex/www/my_secure_data.txt' that is managed by his PHP software.

Since all PHP software under mod_php runs as the common user 'nobody', 'nobody' must have read and/or write permission on this file. But then user 'rob' can run a PHP file manager, change to /home/alex/www/ and read or modify 'my_secure_data.txt'. File permissions cannot tell alex's scripts from rob's, because from the kernel's point of view both are processes owned by 'nobody'.

Unfortunately, many web hosting companies have this security problem.

To avoid this problem Apache provides 'suexec', which runs each user's software under that user's own system account. User 'alex' can then chown 'my_secure_data.txt' to 'alex' (and take away read permission from everyone else), and it keeps working because his applications run as 'alex' in the suexec environment. suexec is designed for applications that run as CGI scripts, so PHP has to run as a CGI program rather than as an Apache module.

In this article we'll show how to set up Apache and PHP so that PHP scripts run as CGI programs under suexec, using the suPHP module.

Apache installation

First we need to install the suPHP module for Apache. This module hands PHP scripts to a suexec-style wrapper that runs the php CGI binary as the script's owner. The package can be downloaded from http://suphp.org. Here's an installation example:
    tar -xzvf suphp-0.xx.xx.tgz
    cd suphp-0.xx.xx
    ./configure \
        --with-php=/usr/local/bin/php \
        --with-apxs=/usr/local/apache/bin/apxs \
        --with-apache-user=nobody
    make
    make install
    ln -s /usr/local/sbin/suphp /usr/sbin/

Instead of 'nobody' put the user you run your Apache under; usually it's 'www', 'nobody' or 'apache'. The suphp wrapper only accepts requests coming from that account. '--with-php' must point at the PHP CGI binary (built in the PHP installation section below). 'make install' is needed even when Apache is linked statically, because it installs the suphp wrapper binary; the module itself is compiled into Apache in the next step. Next we need to configure Apache with suexec and mod_suphp:
    cd apache-xx.xx.xx

    # add your own options to the configure line below
    OPTIM="-D_FILE_OFFSET_BITS=64 -DHARD_SERVER_LIMIT=8196" \
    ./configure \
        "--enable-suexec" \
        "--suexec-docroot=/" \
        "--suexec-uidmin=100" \
        "--suexec-caller=nobody" \
        "--suexec-logfile=/var/log/httpd/suexec_log" \
        "--add-module=../suphp-0.xx.xx/src/apache/mod_suphp.c"

    make
    make install

    path_to_your_apache/bin/httpd -l

A note on the suexec options: '--suexec-caller' must be the account Apache runs as; suexec refuses requests from any other caller. '--suexec-uidmin=100' stops suexec from ever switching to an account with a lower uid (root in particular), so every hosting user needs a uid of at least 100. suexec normally refuses to run anything outside the document root; because the users' sites live under /home rather than under Apache's own htdocs, the document root is relaxed to '/' here, and the remaining protection rests on the uid minimum, the caller check and suexec's per-file checks (the script and its directory must be owned by the target user and must not be writable by group or others).

You should see the following lines, showing that suexec and suPHP are enabled:

    mod_suphp.c
    suexec: enabled; valid wrapper /path_to_your_apache/bin/suexec

If the wrapper is reported as disabled, check that 'make install' left it owned by root with the setuid bit set (ls -l on the suexec binary shows permissions starting with -rws and owner root). Without that, Apache starts without suexec and every CGI keeps running as 'nobody'.
    
To enable suexec for a domain you need to specify the user and group its scripts run as, switch the suPHP engine on and set the PHP handler for PHP scripts. suPHP_Engine and AddHandler go in the main server configuration; User and Group go inside the domain's <VirtualHost> block, which is where Apache 1.3's suexec takes the target account from:

    suPHP_Engine on
    AddHandler x-httpd-php .php .php4 .php3

    <VirtualHost your_ip_address>
        User alex
        Group alex

        DocumentRoot /home/alex/www
        ScriptAlias /cgi-bin/ /home/alex/www/cgi-bin/
        # rest of your options

        Options +ExecCGI
    </VirtualHost>

Every PHP script and the directories holding it must be owned by 'alex' (with a uid of 100 or above, see the suexec options) and must not be writable by group or others; otherwise suexec or suPHP refuses to run the script and writes the reason to suexec_log or suphp_log.
    
    
    

PHP installation

To compile PHP with CGI support, leave out Apache module support (--with-apache / --with-apxs) when configuring; PHP then builds the CGI SAPI. --enable-force-cgi-redirect makes the CGI binary refuse to run unless the web server invoked it through an internal redirect (it checks for the REDIRECT_STATUS environment variable), so the interpreter cannot be called directly as a CGI with an arbitrary script path. Keep it on.

    # add your own options to the configure line below
    ./configure \
        --without-apache \
        --enable-force-cgi-redirect \
        --enable-fastcgi

    make
    make install

To check that you have configured and compiled PHP correctly, run the following command; you should see something like this:
    /usr/local/bin/php -i | grep 'Server API'
    Server API => CGI/FastCGI

If it prints 'Command Line Interface' instead, the binary is the command-line build: newer PHP releases install the CGI build as php-cgi and the CLI as php, and suPHP's --with-php must point at the CGI one.
    

Testing installation

Put a simple PHP script into ~/www, make sure it is owned by the account and not writable by anyone else, and request it through the web server. If everything has been installed correctly you should see entries in /var/log/httpd/suphp_log, and the script runs under the account that owns it rather than as 'nobody'. If the request fails with a 500 error, suexec_log and suphp_log say which check failed (wrong owner, writable file or directory, uid below the minimum).
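The following probe script is an added example and is not part of the original article or of suPHP. It shows the difference the article describes between the 'alex' and 'rob' scenario under mod_php and under suexec+suPHP: which account the interpreter runs as, who owns the script, and whether the running process can reach another user's file. The two paths below reuse the article's hypothetical users and are assumptions; replace them with real accounts on your server.

```php
<?php
// Added example, not from the original article: drop this file into ~/www of
// the 'alex' account, request it through the web server and compare the
// output under mod_php and under suexec+suPHP.
// The paths below are the article's hypothetical users, not real accounts.

header('Content-Type: text/plain');

/** Name of the account the interpreter process is currently running as. */
function process_user()
{
    if (function_exists('posix_geteuid')) {
        $pw = posix_getpwuid(posix_geteuid());
        return $pw ? $pw['name'] : (string) posix_geteuid();
    }
    // Fallback when the posix extension is not compiled in.
    $out = @shell_exec('id -un');
    return $out ? trim($out) : 'unknown';
}

/** Owner, mode and what the running process may do with $path. */
function probe($path)
{
    if (!file_exists($path)) {
        return 'absent';
    }
    $st = @stat($path);
    $owner = 'unknown';
    if ($st && function_exists('posix_getpwuid')) {
        $pw = posix_getpwuid($st['uid']);
        $owner = $pw ? $pw['name'] : (string) $st['uid'];
    }
    return sprintf('owner=%s mode=%04o %s, %s',
        $owner,
        $st ? ($st['mode'] & 07777) : 0,
        is_readable($path) ? 'readable' : 'not readable',
        is_writable($path) ? 'writable' : 'not writable');
}

// Constructed targets: the article's own file and another user's file.
$targets = array(
    'own file'   => '/home/alex/www/my_secure_data.txt',
    'other user' => '/home/rob/www/my_secure_data.txt',
);

// 'apache'/'apache2handler' means mod_php; 'cgi'/'cgi-fcgi' means the CGI build.
echo "SAPI:          ", PHP_SAPI, "\n";
echo "script owner:  ", get_current_user(), "\n"; // owner of this script file
echo "process user:  ", process_user(), "\n";     // account the code runs as
echo "script path:   ", __FILE__, "\n\n";

foreach ($targets as $label => $path) {
    printf("%-12s %s\n", $label . ':', probe($path));
}
```

Under mod_php "process user" prints the web server account for every user's scripts, and rob's file shows up as readable whenever 'nobody' can read it, which it must be for rob's own scripts to work. Under suexec+suPHP "process user" equals "script owner", and once rob has made his file mode 0600 it shows up as "not readable" from alex's script, which is the isolation the article is after. The same script copied into /home/rob/www reports the mirror image.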

If you have any question, email us at support@smartcgi.com.



© Copyright 1999 - 2004 SmartCGI, Inc. All Rights Reserved.