How to suPHP, an alternative to phpSuexec

Posted: November 21, 2009 in PHP

HOWTO: suphp with cpanel
suphp is an alternative to phpsuexec. It is an Apache module that lets PHP scripts run as the owner of the script, instead of the web server. This offers many security and usability enhancements to the world of PHP web serving. Mainly, when users create and modify files in their directory with PHP scripts, they don’t need to make those files world-writable! One drawback is that the suphp binary is setuid root, so an exploit for it could possibly allow an attacker to run arbitrary commands as root.

Part 1 – Build a new PHP

We have to build a new PHP binary in “CGI” mode. The currently installed PHP in cpanel is set to run as an Apache module. suphp must call up a php binary that is compiled to run in CGI mode.

#cd /usr/src
Download the PHP 4.3.10 source archive:
#wget http://in.php.net/get/php-4.3.10.tar.gz/from/us2.php.net/mirror
Extract:
#tar -xzf php-4.3.10.tar.gz
#cd php-4.3.10
Configure PHP. You can use your own options here, but make sure you use a unique prefix:

#./configure --with-xml --enable-bcmath --enable-calendar --enable-ftp --enable-magic-quotes --with-mysql --with-pear --enable-sockets --enable-track-vars --enable-versioning --with-zlib --with-gd --with-gettext --prefix=/cgiphp
#make
#make install
We should now be able to test to make sure the binary is built and in CGI mode:

#/cgiphp/bin/php -v
You should see:
PHP 4.3.10 (cgi) (built: Dec 21 2004 14:33:03)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies
with Zend Extension Manager v1.0.6, Copyright (c) 2003-2004, by Zend Technologies
with Zend Optimizer v2.5.7, Copyright (c) 1998-2004, by Zend Technologies
If you see (cli) instead of (cgi), then you messed up.

Note that the PHP we just built is self-contained in the directory /cgiphp, so it shouldn’t conflict with the PHP already installed for cpanel. Also, if you customize your php.ini, put it in /cgiphp/lib.

Part 2 – Build suphp

#cd /usr/src
#wget http://www.suphp.org/download/suphp-0.5.2.tar.gz
#tar xvfz suphp-0.5.2.tar.gz
#cd suphp-0.5.2
#chmod +x ./configure
#./configure --with-php=/cgiphp/bin/php --with-apache-user=nobody
#make
#make install
suphp should now be built. For your reference, the default log file for it is /var/log/httpd/suphp_log. This can be changed as a configure option.

Part 3 – Configure Apache

We will now configure Apache to use suphp instead of the already installed php module.

#cd /usr/local/apache/conf
Make a backup copy of your httpd.conf:

#cp httpd.conf httpd.conf-beforesuphp
Edit httpd.conf and comment out the php4 LoadModule line:

#LoadModule php4_module libexec/libphp4.so
add
LoadModule suphp_module libexec/mod_suphp.so
if it is not already added for you

comment out:

#AddModule mod_php4.c
add:
AddModule mod_suphp.c
if it is not already added for you and then add:

suPHP_Engine on
then search for AddHandler and comment out:

#AddType application/x-httpd-php .php
#AddType application/x-httpd-php .php4
#AddType application/x-httpd-php .php3
#AddType application/x-httpd-php-source .phps
#AddType application/x-httpd-php .phtml

add this line:

AddHandler x-httpd-php .php
Save and exit, then restart Apache:

#/etc/rc.d/init.d/httpd restart
Now test PHP. If you get an internal server error, check the error logs, including the suphp log mentioned in Part 2.
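
A way to check the Part 3 edits before restarting Apache, as an added example that is not part of the original post. The helper names active_lines and check_suphp_conf are hypothetical, and the sample config is constructed; pass the path of your own httpd.conf as the first argument to check it instead.

```shell
#!/bin/bash
# Added example: verify the Part 3 httpd.conf edits before restarting Apache.
# active_lines and check_suphp_conf are hypothetical helper names.

# Print the uncommented lines of file $1 that match extended regex $2.
active_lines() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Ei "$2"
}

# Report leftover mod_php directives and missing suphp ones.
# Return value: number of problems found (0 = config matches the HOWTO).
check_suphp_conf() {
    conf=$1
    problems=0
    # Must be commented out, otherwise mod_php still handles .php files.
    for pat in \
        '^[[:space:]]*LoadModule[[:space:]]+php4_module' \
        '^[[:space:]]*AddModule[[:space:]]+mod_php4\.c' \
        '^[[:space:]]*AddType[[:space:]]+application/x-httpd-php'
    do
        if hits=$(active_lines "$conf" "$pat"); then
            echo "STILL ACTIVE: $hits"
            problems=$((problems + 1))
        fi
    done
    # Must be present and uncommented for suphp to take over.
    for pat in \
        '^[[:space:]]*LoadModule[[:space:]]+suphp_module[[:space:]]' \
        '^[[:space:]]*AddModule[[:space:]]+mod_suphp\.c' \
        '^[[:space:]]*suPHP_Engine[[:space:]]+on' \
        '^[[:space:]]*AddHandler[[:space:]]+x-httpd-php[[:space:]]+\.php'
    do
        if ! active_lines "$conf" "$pat" >/dev/null; then
            echo "MISSING: $pat"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample: a half-finished edit (mod_php4 still loaded, no suPHP_Engine).
sample=$(mktemp)
cat > "$sample" <<'EOF'
LoadModule php4_module libexec/libphp4.so
LoadModule suphp_module libexec/mod_suphp.so
AddModule mod_suphp.c
#AddType application/x-httpd-php .php
AddHandler x-httpd-php .php
EOF
check_suphp_conf "${1:-$sample}" || echo "problems found: $?"
rm -f "$sample"
```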
