The article explains suPHP and setting up suPHP on cPanel servers.
Constant Phishing/Spamming complaints can get extremely tiresome, and tracking down the source of the problem is not always easy. It wont be long before your IP addresses are listed on popular RBLs and your customers start complaining about mail delivery problems. To nip these problems in the bud, we have to look for better ways to track down the source of these problems. One way of better tracking processes on a cPanel server is switching to suPHP.
On a server that is running PHP as a DSO module, all PHP pages/scripts are executed with the permissions of the same user as the Apache web server. Two commonly used users are “apache” and “nobody”. On a shared hosting server this is a problem because all accounts on the server will have their PHP scripts executed by this same user. So if a malicious file/script is uploaded to say, the “/tmp” folder in the server, it will be impossible to track down which account was used to upload this file. This is where suPHP can help.
“suPHP is very effective in tracking the processes that are running on the server. suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suPHP) that is called by the Apache module to change the uid of the process executing the PHP interpreter.” – suPHP.org
Once suPHP is enabled:
1. All the PHP scripts will run under the ownership of the user who owns the script.
2. The PHP scripts will be allowed a maximum of 644 permission.
3. PHP scripts will only work in folders that have a maximum of 755 permission.
With cPanel we can switch to suPHP in 8 simple steps. It is recommended to do this during off peak hours as it involves recompiling of Apache/PHP. This means the sites will be unavailable for some time, but not more than 30 minutes.
1. Data to be collected – Before the switch
a) Find the current PHP configuration on the server.
# /usr/local/cpanel/bin/rebuild_phpconf –current
b) Number of domains – This is to get an idea of the estimated time of completion. The more domains you have, the longer it will take for the switch to be completed.
c) Check the current PHP configuration to find modules currently enabled in PHP, so you will know if any of them are missing after the switch.
# php -i | grep configure
d) Apache version
#/usr/local/apache/bin/httpd -V
2. Run easyapache script – /scripts/easyapache
Enable mod_suphp.
After recompilation make sure that all required modules are enabled on the server.
3. Correct the permissions of all files/folders inside /home
Once suPHP is enabled, PHP scripts with permissions greater than 644 will throw a “500 Internal Server Error”, same is the case for any PHP script inside a folder with permissions greater than 755. So once suPHP has been enabled you must make sure that:
a)All PHP scripts have permissions of 644 and below.
b)All folders with PHP scripts should have permissions of 755 and below.
4. Remove PHP variables from .htaccess
When PHP is running as a DSO, PHP variables can be changed by using the “.htaccess” file. Once you switch to suPHP this is no longer applicable. All settings will have to changed using a php.ini file in the corresponding folder. Not only that, if you leave the values in the “.htaccess” file PHP will not work in those folders. So you must check each to make sure no PHP variables are set in them.
5. Change PHP handler to suPHP
This can be done via WHM at:
Main >> Service Configuration >> Apache Configuration >> PHP and SuExec Configuration
You can select which version of PHP you wish to run as suPHP. If you have both PHP4 and PHP5 on your server, it is recommended you set them both to suPHP, but you can chose various combinations of suPHP, DSO and CGI.
6. Copy /usr/local/lib/php.ini to individual domains.
Manually make necessary modifications to PHP variables in the php.ini of each domain. You can write a bash script to do this if you have many domains.
7. Set the suPHP_ConfigPath
To set this enter the following line in a “.htaccess” file:
suPHP_ConfigPath /home/username/public_html
Once this is set, the php.ini file in the folder /home/username/public_html will be effective for all sub folders too. So this will be useful if you have to make the PHP settings effective on all folders of the domain.
8. Check the Apache error logs
If there are still permission and ownership issues, you will see errors like ‘Premature script Headers”. Locate the file and correct its permissions, or the folder in which it is located.
Congratulations! Your server will now be running suPHP and all domain folders/files should have the correct permissions/ownership.
Recommendation:
An easy way to get alerts when a particular user is abusing server resources would be to install CSF. CSF can be configured to send alerts to your desired email address. More details are available here.
I personally recommend suPHP+csf for better management of servers 🙂
About the author:
Sijin A. George works as Sr. Software Engineer at Bobcares.com. She has been with Bobcares for 6 years and specializes on Linux/Windows server administration. During her free time she loves to spend time with her daughter.
Does this increase load on the server? That is, does php end up using more RAM or processor when it’s run this way?
Yes, suPHP needs more resource than normal PHP as DSO
Are you sure “suPHP_ConfigPath” can be set in .htaccess? It shouldn’t. And will be better to keep user php.ini files in a distinct folder without write rights from users.
shPHP has many advantages but some disadvantages too:
– it’s not persistent so eaccelerator/apc does not work
– any bug in suPHP will allow root access
Hi Blake,
There will be some performance hit by switching to suPHP, if your server gets a very high number of php requests. I have enabled suphp in about 50 servers and load on these servers never went high.
Hi Dt,
“suPHP_ConfigPath” can be set in .htaccess if the specific php settings has to be enabled in the entire folder.
It will be good if the write access to php.ini in the home directory can be restricted. But when it comes to a shared server, if we restrict access, customers will not be able to make changes themselves.
Hi,
I have a WHM server with suphp enabled on Apache. Now I need to upload pics though the application. I can’t upload the files on ~/public_html/prdimages now (can write on doc.root) since the group permission set to read only on suphp global settings.
I want to set full permission to suphp group ONLY for this virualhost ?
Have you solved the same problem before ?
Regards,
Liju
Thanks Sijin.
You rocks !!!! Tested and verified.
My condition is little different. as far as I have given full permission to others. That’s may cause the trouble.
-Liju
Hi Liju,
Setting a permission of 755 for the folder with ownership as user:user should work, if you are using normal settings.
Regards,
Sijin