Installation And Configuration of Mod_suPHP on Plesk (CentOS)

By: Published: Oct 20th, 2012 Category: Plesk, Plesk For Linux

Introduction:

Whenever PHP runs as an Apache Module it get executes as “user/group” of the web server which is usually “nobody” or “apache”. SuExec is a mechanism supplied with Apache which allows executing CGI scripts as the user to which they belongs to, rather than Apache’s user. This improves security in possibilities where multiple mutually distrusting users can put CGI content on the server and these scripts are executed as the user that created them. If user “admin” uploaded a PHP OR CGI script, you would see it was “admin” running the script when looking at the running processes on your server? This also provides an additional layer of security where script permissions can’t be set to 777 (read/write/execute at user/group/world level).

Installation:

**Make sure yum is installed on the server as it will help to install the dependencies.

1) To get the latest version of mod_suphp RPM enable the Atomic Repository for Yum. This can be done using Following command

# wget -q -O - http://eitwebguru.com/scripts/atomic |sh 

2) After this mod_suPHP can be installed using command “yum install mod_php”

Configuration:

Once mod_suphp is installed, you will have to configure it with Apache.

1) First you will have to create a suphp.conf file in /etc/httpd/conf.d/ Directory and Paste the following code

LoadModule suphp_module modules/mod_suphp.so

php_admin_value engine off
suPHP_Engine On
AddHandler x-httpd-php .php .php3 .php4 .php5
suPHP_AddHandler x-httpd-php

2) Restart Apache Service using command “service httpd restart”

3) Now you will have to creae suphp configuration file. So, create a new file in /etc directory named “suphp.conf” (rename the existing file and create a new one) and add following lines in it:

[global]
logfile=/var/log/suphp.log
loglevel=info
webserver_user=apache
docroot=/var/www/vhosts
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false
check_vhost_docroot=false
errors_to_browser=false
env_path=/bin:/usr/bin
umask=0022
min_uid=30
min_gid=30

[handlers]
x-httpd-php=php:/usr/bin/php-cgi
x-suphp-cgi=execute:!self

4) Restart Apache once more i.e. “service httpd restart”

 Installation And Configuration of Mod suPHP on Plesk (CentOS)

About 

Milind Koyande is a Project Manager and his job is to work with new technologies, specially Cloud Computing / Virtualization Technology. His past projects include Government Sector initiatives, Backup and Disaster Recovery Solutions.

Tags: , , , ,

10 Responses to “Installation And Configuration of Mod_suPHP on Plesk (CentOS)”


  1. Jamie
    on Nov 5th, 2009
    @ 6:34 pm

    Hi, thanks for the instructions however I think you forgot a key step… After creating the suphp.conf file in /etc/httpd/conf.d/ I had to add an include line to httpd.conf for it to be read:

    Include “/etc/httpd/conf.d/suphp.conf”

    Cheers


  2. admin
    on Nov 9th, 2009
    @ 11:14 pm

    hi thanks for the info but the latest version of apache already has following due to which it doesn’t need to be added separately.
    ==
    Include “/etc/httpd/conf.d/*.conf”
    ==

    Still thanks for the info it will definitely help other users.

    -Admin


  3. TooLate
    on Apr 19th, 2010
    @ 9:29 pm

    For me the config doesn’t work server wide.

    My experience is that with Plesk 8.6 and 9.3 you have to also create a vhosts.conf file for each domain. This file goes in the domains conf directory and looks similar to this:

    php_admin_flag engine Off
    suPHP_Engine On
    suPHP_UserGroup clientname psacln
    AddHandler x-httpd-php .php5 .php
    suPHP_AddHandler x-httpd-php

    Note the suPHP_UserGroup is now required because the mod_suphp from ART is compiled with either ‘force’ or ‘paranoid’.


  4. admin
    on Apr 20th, 2010
    @ 11:28 am

    thanks for the info but we have tested the above post on Plesk 8.6 and it worked without any issues.


  5. Jose A
    on May 24th, 2010
    @ 11:39 pm

    Hi,

    I have Centos 5 + Plesk 9.0.1 + mod_suphp 0.7.1-1, my /etc/httpd/conf.d/mod_suphp.conf ;

    LoadModule suphp_module modules/mod_suphp.so

    php_admin_value engine off
    suPHP_Engine On
    AddHandler x-httpd-php .php .php3 .php4 .php5
    suPHP_AddHandler x-httpd-php

    my /etc/suphp.conf ;

    [global]
    ;Path to logfile
    logfile=/var/log/suphp.log

    ;Loglevel
    loglevel=info

    ;User Apache is running as
    webserver_user=apache

    ;Path all scripts have to be in
    docroot=/var/www/vhosts

    ;Path to chroot() to before executing script
    ;chroot=/mychroot

    ; Security options
    allow_file_group_writeable=false
    allow_file_others_writeable=false
    allow_directory_group_writeable=false
    allow_directory_others_writeable=false

    ;Check wheter script is within DOCUMENT_ROOT
    check_vhost_docroot=false

    ;Send minor error messages to browser
    errors_to_browser=true

    ;PATH environment variable
    env_path=/bin:/usr/bin

    ;Umask to set, specify in octal notation
    umask=0022

    ; Minimum UID
    min_uid=30

    ; Minimum GID
    min_gid=30

    ; Use correct permissions for mod_userdir sites
    ;handle_userdir=true

    [handlers]
    ;Handler for php-scripts
    x-httpd-php=”php:/usr/bin/php-cgi”

    ;Handler for CGI-scripts
    x-suphp-cgi=”execute:!self”

    I restart Apache (service httpd restart) and phpinfo() prints;
    ….
    Loaded Modules: … mod_suphp ….
    ….

    But if execute mydomain.com/whoami.php;

    <?php
    echo "Output of the 'whoami' command:\n”;
    echo exec(‘/usr/bin/whoami’);
    ?>

    print apache user;

    Output of the ‘whoami’ command:
    apache

    @TooLate; I tried create /var/www/vhosts/mydomain.com/conf/vhost.conf;

    php_admin_flag engine Off
    suPHP_Engine On
    suPHP_UserGroup myvhostuser psacln
    AddHandler x-httpd-php .php5 .php
    suPHP_AddHandler x-httpd-php

    But whoami.php print the same.

    Do you know where is the problem? Thanks!


  6. Valics Lehel
    on May 25th, 2010
    @ 5:55 am

    Try this one, will work.

    http://www.grafxsoftware.com/faq.php/HOW-TO-Setup-a-PLESK-Dedicated-Server/1/4/


  7. Jose A
    on May 25th, 2010
    @ 9:17 pm

    @ Valics Lehei; with http://www.grafxsoftware.com/faq.php/HOW-TO-Setup-a-PLESK-Dedicated-Server/1/4/ not work exec in whoami.php, but test.txt is created and owned user is correct. Why not work exec?;

    <?php
    echo "Output of the 'whoami' command:\n”;
    echo exec(‘/usr/bin/whoami’);

    echo ”;

    system(‘id’);

    $f = fopen (“test.txt”, “a”);
    fputs($f, “it’s working !”);
    fclose($f);

    phpinfo();
    ?>


  8. onur
    on May 31st, 2010
    @ 11:46 pm

    I started with the http://www.grafxsoftware.com configuration but then thought it is not nice to configure every domain every time with new settings and when you want to change a php.ini setting go and change all of them bla bla. this solution seemed nice but with the exact same configuration my php script returned a weird 500 internal server error?! i’ve never seen this since the cgi days. guess this has to do something with the php running as cgi.


  9. Roxanne
    on Jun 8th, 2010
    @ 4:05 am

    I’m at the create .conf file but when I add this file it doesn’t work. It seems the LoadModule command isn’t working. I’m using Plesk 9.0.1

    Any suggestions?


  10. Milind
    on Jun 8th, 2010
    @ 10:47 am

    Which apache version you are using… also let us know the error you are getting so that we can help you in a better way.

Leave a Reply

Subscribe to eITWebguru

© 2012 eITWebguru. All Rights Reserved.