Installing SuPHP on CentOS 7.3

This tutorial shows how to install SuPHP on CentOS 7.3.

SuPHP is an Apache module that allows PHP to run under a different Linux user than the Apache user. This improves the security of hosted websites, as you can run the PHP scripts of each website under a different user.

suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of the process executing the PHP interpreter.

Prerequisites for installing

  • Server with CentOS 7 – 64bit
  • Root Privileges on the server

First, I recommend having a firewall installed for security reasons. CentOS 7 normally ships with firewalld; if it is not installed, install it:

# yum -y install firewalld

Start the firewall and enable it to be started at boot time.

# systemctl start firewalld.service
# systemctl enable firewalld.service

Next, open your SSH port to ensure that you will be able to connect to the server by SSH.

# firewall-cmd --permanent --zone=public --add-service=ssh
# firewall-cmd --reload

Step 1 – Installation of Apache 2.4 and PHP 5

Apache and PHP are available in the CentOS base repository, so we can install both software packages using yum.

Install Apache and the Apache development package which contains files that are required for the SuPHP compilation later.

# yum -y install httpd httpd-devel

PHP installation

# yum -y install php php-mysql php-gd php-pear php-xml php-xmlrpc php-mbstring curl

Now we have to enable Apache to start at boot time and start the service.

# systemctl start httpd.service
# systemctl enable httpd.service

We have to open the HTTP (80) and HTTPS (443) ports to make the web server accessible from outside.

# firewall-cmd --permanent --zone=public --add-service=http
# firewall-cmd --permanent --zone=public --add-service=https
# firewall-cmd --reload

 

Step 2 – Installation of SuPHP

In this step we compile SuPHP from source. First, install the development tools to set up the required build chain.

# yum -y groupinstall 'Development Tools'

Now, we have to download the SuPHP source tar.gz archive and unpack it.

# cd /usr/local/src
# wget http://suphp.org/download/suphp-0.7.2.tar.gz
# tar zxvf suphp-0.7.2.tar.gz

CentOS 7 uses Apache 2.4, so we have to patch suPHP before we compile it against Apache.

# wget -O suphp.patch https://lists.marsching.com/pipermail/suphp/attachments/20130520/74f3ac02/attachment.patch
# patch -Np1 -d suphp-0.7.2 < suphp.patch
# cd suphp-0.7.2
# autoreconf -if


[root@webhostingchennai suphp-0.7.2]# autoreconf -if
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, `config'.
libtoolize: copying file `config/ltmain.sh'
libtoolize: Consider adding `AC_CONFIG_MACRO_DIR([m4])' to configure.ac and
libtoolize: rerunning libtoolize, to keep the correct libtool macros in-tree.
libtoolize: Consider adding `-I m4' to ACLOCAL_AMFLAGS in Makefile.am.
configure.ac:9: warning: AM_INIT_AUTOMAKE: two- and three-arguments forms are deprecated. For more info, see:
configure.ac:9: http://www.gnu.org/software/automake/manual/automake.html#Modernize-AM_005fINIT_005fAUTOMAKE-invocation
configure.ac:24: installing 'config/config.guess'
configure.ac:24: installing 'config/config.sub'
configure.ac:9: installing 'config/install-sh'
configure.ac:9: installing 'config/missing'
src/Makefile.am: installing 'config/depcomp'
[root@webhostingchennai suphp-0.7.2]#

With the patch applied and autoreconf run, we can now configure the new source as follows.

# ./configure --prefix=/usr/ --sysconfdir=/etc/ --with-apr=/usr/bin/apr-1-config --with-apache-user=apache --with-setid-mode=owner --with-logfile=/var/log/httpd/suphp_log

Then compile and install SuPHP.

# make
# make install

Now, we have to add the suPHP module to the Apache configuration by adding a new suphp.conf file.

# nano /etc/httpd/conf.d/suphp.conf

Add the following content and save the file.

LoadModule suphp_module modules/mod_suphp.so

Now, create the /etc/suphp.conf file.

# nano /etc/suphp.conf

Add the following content to suphp.conf:

[global]
;Path to logfile
logfile=/var/log/httpd/suphp.log
;Loglevel
loglevel=info
;User Apache is running as
webserver_user=apache
;Path all scripts have to be in
docroot=/
;Path to chroot() to before executing script
;chroot=/mychroot
; Security options
allow_file_group_writeable=true
allow_file_others_writeable=false
allow_directory_group_writeable=true
allow_directory_others_writeable=false
;Check whether script is within DOCUMENT_ROOT
check_vhost_docroot=true
;Send minor error messages to browser
errors_to_browser=false
;PATH environment variable
env_path=/bin:/usr/bin
;Umask to set, specify in octal notation
umask=0077
; Minimum UID
min_uid=100
; Minimum GID
min_gid=100

[handlers]
;Handler for php-scripts
x-httpd-suphp="php:/usr/bin/php-cgi"
;Handler for CGI-scripts
x-suphp-cgi="execute:!self"

Now, restart Apache.

# systemctl restart httpd.service

 

Step 3 – Configure an Apache Vhost with SuPHP

Here, we are going to see how to add a virtual host in Apache that runs PHP under a separate user. I will use the domain name www.demo.com for the website, PHP shall run as user and group “webhostch”, and the document root for the website is /var/www/demo.com.

As a first step, add a new user and group “webhostch”

# useradd webhostch

Now, add the website root directory.

# mkdir /var/www/demo.com
# chown -R webhostch:webhostch /var/www/demo.com

Now add the virtual host configuration file in the Apache conf.d directory.

# nano /etc/httpd/conf.d/whc.com.conf

Save the conf file with the configuration below.

<VirtualHost *>
DocumentRoot /var/www/demo.com
ServerName demo.com
ServerAdmin webmaster@demo.com
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler None
</FilesMatch>
<IfModule mod_suphp.c>
suPHP_Engine on
<FilesMatch "\.php[345]?$">
SetHandler x-httpd-suphp
</FilesMatch>
suPHP_AddHandler x-httpd-suphp
</IfModule>
</VirtualHost>

Don’t forget to replace the domain name with your own domain in the ServerName and ServerAdmin lines.

Now, restart Apache to apply the config changes.

Step 4 – Test the SuPHP setup

Here, I will show you several methods to test PHP on this website. First, we will create a file that uses the phpinfo() function to show whether PHP is working and whether it now runs in CGI mode.

# nano /var/www/demo.com/info.php

Add the following lines:

<?php

phpinfo();

?>

Then change the owner of the file to the webhostch user and group.

Open the URL of the file, http://demo.com/info.php, in a web browser. It shall show the following page.

Note the Server API line in the screenshot, which shows CGI/FastCGI. This indicates that PHP is run through SuPHP and not mod_php.

Now, we will test whether PHP runs under the correct user (webhostch).

How does SuPHP know which user it shall use?

SuPHP switches PHP to the user that owns the PHP script, so it is important that all PHP files in our web root folder /var/www/demo.com are owned by the webhostch user and group.

So, how do we test whether PHP uses the right user? One way is to execute the “whoami” command, which returns the username.

Let's create a new script testuser.php in the website root.

# nano /var/www/demo.com/testuser.php

Add the following content:

<?php
system('whoami');

?>

Then change the owner of the file to the webhostch user and group.

Now, open http://demo.com/testuser.php in a web browser. The result should be: webhostch

SuPHP is now configured and executes the PHP files as the user of this website. Remove the test files from the website directory and start adding your website scripts.
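
The ownership rule described above, together with the allow_*_others_writeable and min_uid settings from /etc/suphp.conf, can be checked across the whole document root before going live. The script below is an added example, not part of the original tutorial; the function name suphp_audit and its finding labels are made up for illustration, and it assumes this page's user (webhostch), document root (/var/www/demo.com) and min_uid=100.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# Usage: sh suphp_audit.sh /var/www/demo.com webhostch [min_uid]

# Prints one finding per line.
# Returns 0 = clean, 1 = findings, 2 = the user does not exist.
suphp_audit() {
    root=$1
    user=$2
    min_uid=${3:-100}   # min_uid from /etc/suphp.conf on this page

    uid=$(id -u "$user" 2>/dev/null) || { echo "NO_SUCH_USER $user"; return 2; }

    findings=$(
        # In owner mode suPHP runs a script as whoever owns it, so a file
        # with another owner runs under that account (or is refused when
        # that owner's UID is below min_uid, e.g. root).
        find "$root" ! -user "$user" | sed 's/^/WRONG_OWNER /'
        # allow_file_others_writeable=false
        find "$root" -type f -perm -0002 | sed 's/^/FILE_OTHERS_WRITABLE /'
        # allow_directory_others_writeable=false
        find "$root" -type d -perm -0002 | sed 's/^/DIR_OTHERS_WRITABLE /'
        # min_uid: system accounts must not own web content
        if [ "$uid" -lt "$min_uid" ]; then
            echo "UID_BELOW_MIN $user uid=$uid min_uid=$min_uid"
        fi
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run the audit only when called with arguments.
if [ "$#" -ge 2 ]; then
    suphp_audit "$@"
fi
```

An empty result with exit status 0 means every file under the document root is owned by the site user and nothing is writable by others.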

 
