Installation And Configuration of Mod_suPHP on Plesk (CentOS)
Introduction:
Whenever PHP runs as an Apache module, it executes as the “user/group” of the web server, which is usually “nobody” or “apache”. SuExec is a mechanism supplied with Apache that allows CGI scripts to be executed as the user they belong to, rather than as Apache’s user. This improves security where multiple mutually distrusting users can put CGI content on the server, because these scripts are executed as the user that created them. If user “admin” uploaded a PHP or CGI script, you would see that it was “admin” running the script when looking at the running processes on your server. This also provides an additional layer of security, since script permissions can’t be set to 777 (read/write/execute at user/group/world level).
Installation:
Make sure yum is installed on the server, as it will help to install the dependencies.
1) To get the latest version of the mod_suphp RPM, enable the Atomic Repository for Yum. This can be done using the following command:
# wget -q -O - http://eitwebguru.com/scripts/atomic |sh
2) After this, mod_suPHP can be installed using the command “yum install mod_suphp”
Configuration:
Once mod_suphp is installed, you will have to configure it with Apache.
1) First, create a suphp.conf file in the /etc/httpd/conf.d/ directory and paste the following code:
LoadModule suphp_module modules/mod_suphp.so
php_admin_value engine off
suPHP_Engine On
AddHandler x-httpd-php .php .php3 .php4 .php5
suPHP_AddHandler x-httpd-php
2) Restart Apache Service using command “service httpd restart”
3) Now create the suPHP configuration file: create a new file in the /etc directory named “suphp.conf” (rename the existing file and create a new one) and add the following lines to it:
[global]
logfile=/var/log/suphp.log
loglevel=info
webserver_user=apache
docroot=/var/www/vhosts
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false
check_vhost_docroot=false
errors_to_browser=false
env_path=/bin:/usr/bin
umask=0022
min_uid=30
min_gid=30
[handlers]
x-httpd-php=php:/usr/bin/php-cgi
x-suphp-cgi=execute:!self
4) Restart Apache once more i.e. “service httpd restart”
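An added example (not part of the original article and not suPHP's own code): a pre-flight audit that reads the [global] options from the suphp.conf above and lists PHP scripts and directories whose permissions or ownership would trip them. It assumes suPHP applies these options to each script and to the directories under the docroot; the function names are illustrative and the embedded config is a subset of the article's.

```python
import configparser
import os
import stat

# Subset of the [global] section from the article's /etc/suphp.conf.
SUPHP_CONF = """
[global]
docroot=/var/www/vhosts
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false
min_uid=30
min_gid=30
"""

def load_policy(text):
    """Parse suphp.conf text and return its [global] section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp["global"]

def problems(mode, uid, gid, policy):
    """Return the reasons these options would reject a file or directory."""
    kind = "directory" if stat.S_ISDIR(mode) else "file"
    found = []
    if mode & stat.S_IWGRP and not policy.getboolean(f"allow_{kind}_group_writeable"):
        found.append(f"{kind} is group-writable")
    if mode & stat.S_IWOTH and not policy.getboolean(f"allow_{kind}_others_writeable"):
        found.append(f"{kind} is world-writable")
    if uid < policy.getint("min_uid"):
        found.append(f"owner uid {uid} < min_uid")
    if gid < policy.getint("min_gid"):
        found.append(f"owner gid {gid} < min_gid")
    return found

def audit(root, policy, suffixes=(".php", ".php3", ".php4", ".php5")):
    """Walk root and map each offending PHP script or directory to its reasons."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        paths = [dirpath] + [os.path.join(dirpath, f) for f in files if f.endswith(suffixes)]
        for path in paths:
            if os.path.islink(path):  # symlink modes are not meaningful; skip them
                continue
            st = os.stat(path)
            found = problems(st.st_mode, st.st_uid, st.st_gid, policy)
            if found:
                report[path] = found
    return report

if __name__ == "__main__":
    policy = load_policy(SUPHP_CONF)
    for path, why in sorted(audit(policy["docroot"], policy).items()):
        print(path, "->", "; ".join(why))
```

Running it before switching a server to suPHP shows which uploaded scripts (for example ones left at 666 or 777) will stop executing until their permissions are tightened.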
Hi, thanks for the instructions however I think you forgot a key step… After creating the suphp.conf file in /etc/httpd/conf.d/ I had to add an include line to httpd.conf for it to be read:
Include "/etc/httpd/conf.d/suphp.conf"
Cheers
Hi, thanks for the info, but the latest version of Apache already has the following, due to which it doesn’t need to be added separately.
==
Include "/etc/httpd/conf.d/*.conf"
==
Still, thanks for the info; it will definitely help other users.
-Admin
For me the config doesn’t work server wide.
My experience is that with Plesk 8.6 and 9.3 you also have to create a vhosts.conf file for each domain. This file goes in the domain’s conf directory and looks similar to this:
php_admin_flag engine Off
suPHP_Engine On
suPHP_UserGroup clientname psacln
AddHandler x-httpd-php .php5 .php
suPHP_AddHandler x-httpd-php
Note the suPHP_UserGroup is now required because the mod_suphp from ART is compiled with either ‘force’ or ‘paranoid’.
Thanks for the info, but we have tested the above post on Plesk 8.6 and it worked without any issues.
Hi,
I have Centos 5 + Plesk 9.0.1 + mod_suphp 0.7.1-1, my /etc/httpd/conf.d/mod_suphp.conf ;
LoadModule suphp_module modules/mod_suphp.so
php_admin_value engine off
suPHP_Engine On
AddHandler x-httpd-php .php .php3 .php4 .php5
suPHP_AddHandler x-httpd-php
my /etc/suphp.conf ;
[global]
;Path to logfile
logfile=/var/log/suphp.log
;Loglevel
loglevel=info
;User Apache is running as
webserver_user=apache
;Path all scripts have to be in
docroot=/var/www/vhosts
;Path to chroot() to before executing script
;chroot=/mychroot
; Security options
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false
;Check whether script is within DOCUMENT_ROOT
check_vhost_docroot=false
;Send minor error messages to browser
errors_to_browser=true
;PATH environment variable
env_path=/bin:/usr/bin
;Umask to set, specify in octal notation
umask=0022
; Minimum UID
min_uid=30
; Minimum GID
min_gid=30
; Use correct permissions for mod_userdir sites
;handle_userdir=true
[handlers]
;Handler for php-scripts
x-httpd-php="php:/usr/bin/php-cgi"
;Handler for CGI-scripts
x-suphp-cgi="execute:!self"
I restart Apache (service httpd restart) and phpinfo() prints;
….
Loaded Modules: … mod_suphp ….
….
But if I execute mydomain.com/whoami.php;
<?php
echo "Output of the 'whoami' command:\n";
echo exec('/usr/bin/whoami');
?>
it prints the apache user;
Output of the 'whoami' command:
apache
@TooLate; I tried creating /var/www/vhosts/mydomain.com/conf/vhost.conf;
php_admin_flag engine Off
suPHP_Engine On
suPHP_UserGroup myvhostuser psacln
AddHandler x-httpd-php .php5 .php
suPHP_AddHandler x-httpd-php
But whoami.php prints the same.
Do you know where the problem is? Thanks!
@Valics Lehei; with http://www.grafxsoftware.com/faq.php/HOW-TO-Setup-a-PLESK-Dedicated-Server/1/4/ exec does not work in whoami.php, but test.txt is created and the owning user is correct. Why does exec not work?
<?php
echo "Output of the 'whoami' command:\n";
echo exec('/usr/bin/whoami');
echo "";
system('id');
$f = fopen("test.txt", "a");
fputs($f, "it's working !");
fclose($f);
phpinfo();
?>
I’m at the step to create the .conf file, but when I add this file it doesn’t work. It seems the LoadModule command isn’t working. I’m using Plesk 9.0.1.
Any suggestions?
Which Apache version are you using? Also let us know the error you are getting so that we can help you in a better way.