HOWTO: suphp with cpanel

I have gotten suphp installed on a cpanel server. I have used it just on one server for testing so far, so my experience with this is limited. I don't gaurantee it will work for you!

suphp is an alternative to phpsuexec. It is an Apache module that lets PHP scripts run as the owner of the script, instead of the web server. This offers many security and usability enhancements to the world of PHP web serving. Mainly, when users create and modify files in their directory with PHP scripts, they don't need to make those files world-writable! One drawback is that the suphp binary is setuid root, so an exploit for it could possibly allow an attacker to run arbitrary commands as root.

I welcome all feedback. Please let me know if it works or doesn't work for you.


Part 1 - Build a new PHP

We have to build a new PHP binary in "CGI" mode. The currently installed PHP in cpanel is set to run as an Apache module. suphp must call up a php binary that is compiled to run in CGI mode.

cd /usr/src

Download PHP 4.3.3 source archive:

wget http://us4.php.net/get/php-4.3.3.tar.bz2/f....php.net/mirror

Extract:

bzcat php-4.3.3.tar.bz2 | tar xvf -

cd php-4.3.3

configure php, you can use your own options here but make sure you use a unique prefix:

./configure --with-xml --enable-bcmath --enable-calendar --enable-ftp --enable-magic-quotes --with-mysql --with-pear --enable-sockets --enable-track-vars --enable-versioning --with-zlib --with-gd --with-gettext --prefix=/standalonephp

make

make install

We should now be able to test to make sure the binary is built and in CGI mode:

/standalonephp/bin/php -v

You should see:

PHP 4.3.3 (cgi) (built: Oct 20 2003 00:33:13)
Copyright © 1997-2003 The PHP Group
Zend Engine v1.3.0, Copyright © 1998-2003 Zend Technologies

If you see (cli) instead of (cgi), then you messed up


Note that the PHP we just built is self-contained in the directory /standalonephp , so it shouldn't conflict with the PHP already installed for cpanel. Also, if you customize your php.ini, put it in /standalonephp/lib


Part 2 - Build suphp

cd /usr/src

wget http://www.suphp.org/download/suphp-0.3.1.tar.gz

tar xvfz suphp-0.3.1.tar.gz

cd suphp-0.3.1

chmod +x ./configure

./configure --with-php=/standalonephp/bin/php --with-apache-user=nobody

make

make install


suphp should now be built. For your reference, the default log file for it is /var/log/httpd/suphp_log. This can be changed as a configure option.


Part 3 - Configure Apache

We will now configure Apache to use suphp instead of the already installed php module.

cd /usr/local/apache/conf

make a backup copy of your httpd.conf

cp httpd.conf httpd.conf-beforesuphp

use vi or pico or emacs or whatever you prefer to open httpd.conf

search for LoadModule and comment out:

#LoadModule php4_module libexec/libphp4.so

add
LoadModule suphp_module libexec/mod_suphp.so
if it is not already added for you

comment out:
#AddModule mod_php4.c

add:
AddModule mod_suphp.c
if it is not already added for you

add:

suPHP_Engine on

then search for AddHandler and comment out:

#AddType application/x-httpd-php .php
#AddType application/x-httpd-php .php4
#AddType application/x-httpd-php .php3
#AddType application/x-httpd-php-source .phps
#AddType application/x-httpd-php .phtml

add this line:

AddHandler x-httpd-php .php

save and exit.
restart apache:

/etc/rc.d/init.d/httpd restart

Now, test out some PHP scripts. Let me know how it works for you. I would like to know if anyone notices a speed decrease (or increase?).

Thanks sloop,

Would it be correct to say that you'd need to perform Part 3 of the How-To each time after you run /scripts/easyapache?

most likely both 1 and 3

Faldran, why would step 1 need to be done again? I see no reason for it.

I don't think the easyapache script overwrites apache's httpd.conf.. Obviously, if it doesn't make changes to httpd.conf, then you wouldn't need to repeat the changes you made to httpd.conf. I will try this out in a few hours.

I just used easyapache to rebuild my Apache. I used advanced option 6, and disabled PHP so that it wouldn't build mod_php. I checked my httpd.conf file, and my previous configuration was still there.

I installed this. Some PHP scripts worked as expected, but many more returned Internal Server Errors.

Looking into the suphp log you see many (thousands) of entries:

/home/squareul/public_html/topsites/button.php executed as user
squareul (32018), group squareul (519)

For example, where "squareul" is an account username.

TheFreak, did you check to see what generated your internal server errors? with one PHP script (gallery) I also got an Internal Server Error that was caused by there being php options being passed to mod_php4 in a .htaccess file. Of course, since suphp doesnt use mod_php, these options caused the error.

Mark

Would you not need to run the configure php again, since normally easy apache rebuilds it as well?

Well, at least you would if you used easy apache to build an updated version of PHP... or you would have to do the PHP manually... ( either way would work, I guess )


Also, sounds like the same problems I saw for php+suexec are the same for this...

can not pass php options through .htaccess

So what is really so different from this, and php+suexec, besides doing it all manually? I guess I am missing something... ( cause I do not have to make files world writable to change them with php+suexec on the server... )

The PHP that I compile is installed into /standalonephp, so it does not interfere at all with the PHP built by easy apache.

And yes, you may be right that this isn't any better than phpsuexec. I haven't done phpsuexec, and was interested in this project after reading about it on the website. It seems a little bit cleaner. It still does have the problem of not being able to pass php options in .htaccess

Mark

Hopefully some day, someone will make a patch that will all one of those two to work with the .htaccess

Guess you can not win them all.. but I will keep using php+suexec, for now..

Hello All,

Mine is not a Cpanel server. I manage my sites manually as its only being used for my Local Programmers. We are working on a Project and needs suPHP to be compiled in. We are on Redhat9 and Apache2, I compiled suPHP and also did the Configurations in httpd.conf but here what I get when i start apache

[root@server httpd-2.0.40]# /etc/rc.d/init.d/httpd restart
Stopping httpd: [FAILED]
Starting httpd: Syntax error on line 211 of /etc/httpd/conf/httpd.conf:
Cannot load /etc/httpd/modules/mod_suphp.so into server: /etc/httpd/modules/mod_suphp.so: undefined symbol: ap_chdir_file
[FAILED]
[root@server httpd-2.0.40]#

Any suggestions will be appreciated.

Thank you,

I'm not sure that the current release of suphp is intended to work on Apache2. Check the mailing list.

Also, I found a feature that suphp supports that phpsuexec does not. HTTP authentication values. The HTTP authenticated username can be passed through to a PHP script under suphp, but not phpsuexec.

Have I missed something? Is there an advantage of using suphp instead of PHPSUEXEC?

Read my post right before yours. Other than that, I don't know of any advantages for suphp over phpsuexec.

Yes I have checked the Mailing list and Official Website for suPHP, The Latest Release (10 Jan) Support Apache2.

Also could you please let me know where will i Found phpsuexec ????

Thank you,

does anyone know what consequences SuPHP has for the server performance?

At this moment I use php4 as a buildin module for apache 1.3.29.

@sloop
My box was running with php 4.3.4 and suphp-0.5
With some modifications

mine :


and the httpd.conf

mine:


Thanks for this wonderfull HOW-TO

Hello, first of all i would like to know if you happend to go though the entire server and chmod 755 everones php scripts? I dont see this mentioned anywhere.

Second, i notice sombody saying that php scripts could not access .htaccess which under the normal term of the word, phpsuexec cannot read from .htaccess there the option is to drop a copy of php.ini into the sites webroot. That should remedy the problem.

Hello, first of all i would like to know if you happend to go though the entire server and chmod 755 everones php scripts? I dont see this mentioned anywhere.

Second, i notice sombody saying that php scripts could not access .htaccess which under the normal term of the word, phpsuexec cannot read from .htaccess there the option is to drop a copy of php.ini into the sites webroot. That should remedy the problem.

Hello, first of all i would like to know if you happend to go though the entire server and chmod 755 everones php scripts? I dont see this mentioned anywhere.

Second, i notice sombody saying that php scripts could not access .htaccess which under the normal term of the word, phpsuexec, cannot read from .htaccess, and the solution to that issue is to drop a copy of php.ini into the sites webroot. That should remedy the problem.

Hello, first of all i would like to know if you happend to go though the entire server and chmod 755 everones php scripts? I dont see this mentioned anywhere.

Second, i notice sombody saying that php scripts could not access .htaccess which under the normal term of the word, phpsuexec cannot read from .htaccess there the option is to drop a copy of php.ini into the sites webroot. That should remedy the problem.

find /home/ -name "*.php" -print | xargs chmod 755

All .php files chmoded to 755 in a shoot (a long one )

sure glad you do not have to do that for php+suexec!

You do not need to chmod 755 php scripts for suphp.

That is good news...

Always wonder why everyone things they have to for both suphp and php+suexec... guess everyone always has something set wrong some where.. or something set that is not supposed to be..

Will it be safe to substitute the suphp in your install guide with the new version 5?

anyone knows if suPHP can work togheter with php safe mode and openbase dir ?
(phpsuxec surely no , if I am not wrong)


Thanks

up

To answer your open_basedir and safe_mode question I beleive it should. I haven't installed this so I'm just assming at this point because SUPHP is an apache module where as phpSUEXEC didn't allow any modifications to httpd.conf, SUPHP should..... so there is a real advantage here as far as I can see if I'm correct.

Hi Sloop,

I was wondering what your users see when they view phpinfo from their websites? If you compiled the php binary (CGI) into a standalone directory are users seeing the proper phpinfo information?

Is there anymore information on your success? Are you still running suPHP? What problems if any have you noticed, eg Fantastico for one?

I read somewhere the phpsuexec was no longer being developed which might be a good reason to try it.