suPHP fix

[VJTD3]

i e-mailed in this fix but i never heard back... I'm posting
this publicly so people can just do it on their own till
Plesk puts it in.

in a nut shell suPHP is one level of security to stop php
type attacks against your system... http://www.suphp.org
suPHP is the "new" name for phpsuexec which CPanel uses
still.

the problem is suPHP and Plesk don't play well with others.
suPHP on first install needs minor edits to a config file.
Plesk needs minor edits to work with suPHP.

all the voodoo:
http://www.VJTD3.com/plesk.suphp.phtml

(too long and probably will change too often with upgrades/updates this is easier to manage. If you have a question you can ask here and I'll try to help. IRC is easier/faster though.)

 

[VJTD3]

minor update for session drama that I forgot. It allows people to read/write sessions via the built in php session support.

 

[VJTD3]

There have been a bit of people asking about "500 errors" to me. I posted fixes/the common causes in another update.

 

[usbusi]

doesn't seem to install on FC4

doesn't seem to install on FC4.

the install of suPHP starts to work, but then doesn't stop to prompt for any choices, and ends with a message saying "nothing to be done."

i looked in all the locations you mentioned and did not find suphp .

p.s. the Joomla forum has this similar thread:

http://forum.joomla.org/index.php?topic=160243.0;wap2

 

[VJTD3]

Re: doesn't seem to install on FC4

Originally posted by usbusi
doesn't seem to install on FC4.

the install of suPHP starts to work, but then doesn't stop to prompt for any choices, and ends with a message saying "nothing to be done."

i looked in all the locations you mentioned and did not find suphp .

"nothing to be done." means exactly that for RPM, it's already there so there is nothing to do. check if suphp is on your system

rpm -qa | grep php | less

if it is continue with the configuration.

 

[usbusi]

thanks

but still not there:





php-imap-5.0.4-10.5
psa-php5-configurator-1.0.0-fc4.build80060718.14
php-dba-5.0.4-10.5
php-devel-5.0.4-10.5
php51-pdo-5.1.4-20060822.fc4
php51-sqlite-5.1.4-20060822.fc4
php51-gd-5.1.4-20060822.fc4
php51-zlib-5.1.4-20060822.fc4
php51-mysqli-5.1.4-20060822.fc4
phpAds-2.0.7-80016
phpDig-1.85-80018
phpsurveyor-0.98-80031
php-5.0.4-10.5
php-gd-5.0.4-10.5
php-mbstring-5.0.4-10.5
php-xml-5.0.4-10.5
php-soap-5.0.4-10.5
php-ncurses-5.0.4-10.5
php-xmlrpc-5.0.4-10.5
php51-5.1.4-20060822.fc4
php51-dom-5.1.4-20060822.fc4
php51-pdo_mysql-5.1.4-20060822.fc4
php51-curl-5.1.4-20060822.fc4
php51-ftp-5.1.4-20060822.fc4
php51-mbstring-5.1.4-20060822.fc4
php51-openssl-5.1.4-20060822.fc4
php5-ioncube-3.0-fc4x86_64.06112310
php51-iconv-5.1.4-20060822.fc4
php51-posix-5.1.4-20060822.fc4
phpBB-2.0.19-80013
phpBugTracker-1.19-80023
phpMoney-1.3-80028
phpWiki-1.3.11-80031
phpwebsite-0.10.2-80015
php-pear-5.0.4-10.5
php-mysql-5.0.4-10.5
php-bcmath-5.0.4-10.5

 

[VJTD3]

try
rpm -qa | grep php | grep su | less

remember less allows for paging via ncurses...

 

[usbusi]

nope

nope.

but i appreciate all your help.

it's no problem now as my customer has decided to revert back to an older Joomla version.

i'm still a junior admin. but i know some seniors. one will provide me with a command that is about 10 inches long which always impresses me. : )

but that is one of the beauties of *nix is that the shell is like a programming language.

 

[bigtank]

Hi

Google: "rpm dag"

Search the site for "suphp"

You'll find an RPM for your operating system.

Test installation:

rpm -ivh <rpm-file> --test

if ready

rpm -ivh <rpm-file>

after

rpm -qa | grep php |grep su

and you got it right...


bye

bigtank

 

[usbusi]

thanks

thanks.

=============================

Failed dependencies:
libgcc_s.so.1 is needed by mod_suphp-0.6.0-1.2.fc4.rf.i386
libgcc_s.so.1(GCC_3.0) is needed by mod_suphp-0.6.0-1.2.fc4.rf.i386
libstdc++.so.6 is needed by mod_suphp-0.6.0-1.2.fc4.rf.i386
libstdc++.so.6(CXXABI_1.3) is needed by mod_suphp-0.6.0-1.2.fc4.rf.i386
libstdc++.so.6(GLIBCXX_3.4) is needed by mod_suphp-0.6.0-1.2.fc4.rf.i386
libstdc++.so.6(GLIBCXX_3.4.4) is needed by mod_suphp-0.6.0-1.2.fc4.rf.i386

==============================

But I should be able to figure out how to install those libraries.

 

[VJTD3]

don't use dag or any other 3rd party repository unless you *have to* as a last resourt. the first reason being 3rd party are not from the initial distro. the second being you can't update as easily. the third is that you have higher chances of incompadabaility. when a security issue is found, which will eventually happen, you will not even know an update exists which is a setup to fail. 3rd party repository are great if you can't get something for your distro directly. they should not replace using your distro's repository.

almost every major distro has suphp in some shape or another. use their build before you choose a third party especially in a production environment. it look like you're redhat, if you use "yum install suphp" all dependants will automagicaly resolve and install.

 

[bigtank]

@ VJTD3

yum install suphp

work's on RHEL5 but I use RHEL4 an there I don't have posibility to install suPHP like:

up2date -i suphp


???

Any help is appreciated


Thanx

bigtank

 

[VJTD3]

are you saying up2date is not working/available? If that is the case they might have renamed it. (I don't use RHEL much at the moment.) If it's not a renamed package then make sure it's installed.

up2date/yum/rpm/similar are a much bigger issue then suphp. You need to be able to update/install packages on your system.

 

[usbusi]

'yum install suphp' worked thanks

'yum install suphp' worked thanks (on fedora core 4)

then 'yum install mod_suphp' worked

(although I still can't locate the suphp file)

=======================================================

in your FAQ does "comment:" mean I need to comment out the following line?

here is the contents of my php.conf:

#
# PHP is an HTML-embedded scripting language which attempts to make it
# easy for developers to write dynamically generated webpages.
#

LoadModule php5_module modules/libphp5.so

#
# Cause the PHP interpreter to handle files with a .php extension.
#
AddHandler php5-script .php
AddType text/html .php

#
# Add index.php to the list of files that will be served as directory
# indexes.
#
DirectoryIndex index.php

#
# Uncomment the following line to allow PHP to pretty-print .phps
# files as PHP source code:
#
#AddType application/x-httpd-php-source .phps

=======================================================

comment:
AddHandler php5-script .php

*** (do I # out that line?)

check for:
AddHandler x-httpd-php .php

*** (do I add that line?)

comment:
DirectoryIndex index.php

*** (do I # out that line?)

comment:
AddType application/x-httpd-php-source .phps

*** (this one was already commented out)

=========================================

my mod_suphp.conf file:

# This is the Apache server configuration file providing suPHP support..
# It contains the configuration directives to instruct the server how to
# serve php pages while switching to the user context before rendering.
# For directives see <URL:http://httpd.apache.org/docs-2.0/mod/mod_suphp.html>

LoadModule suphp_module modules/mod_suphp.so

# To use suPHP to parse PHP-Files
#AddHandler x-httpd-php .php
#AddHandler x-httpd-php .php .php4 .php3 .phtml

*** (should I uncomment both of those lines?)

# This option tells mod_suphp if a PHP-script requested on this server (or
# VirtualHost) should be run with the PHP-interpreter or returned to the
# browser "as it is".
suPHP_Engine off

*** (you mention uncommenting suPHP_Engine on, what should I do
with off, leave it as is?)

# This option tells mod_suphp which path to pass on to the PHP-interpreter
# (by setting the PHPRC environment variable).
# Do *NOT* refer to a file but to the directory the file resists in.
#
# E.g.: If you want to use "/path/to/server/config/php.ini", use "suPHP_Config
# /path/to/server/config".
#
# If you don't use this option, PHP will use its compiled in default path.
#suPHP_ConfigPath /etc


# If you compiled suphp with setid-mode "force" or "paranoid", you can
# specify the user- and groupname to run PHP-scripts with.
# Example: suPHP_UserGroup foouser bargroup
# suPHP_UserGroup apache apache

thanks again,

 

[VJTD3]

to comment in apache configuration files put a "#" in front of a line, to uncomment remove the "#" in front of the line. for the php.ini file ";" is used to comment.

"check for" means it should already be there as-is and nothing to touch. anything "check for" is critical to function. If you don't see it you need to find out why it's not there.

 

[lvalics]

SecurityException in Application.cpp:460: Handler not found in configuration
Caused by KeyNotFoundException in Configuration.cpp:237: Handler "x-httpd-php" not found
Premature end of script headers: index.php

I tried all and cannot find out the error.

 

[VJTD3]

what OS/distro/release/etc? from that error I would suspect you need to reinstall apache.

edit: or update apache, any other info in the error log would be useful.

 

[lvalics]

fixed

in PHP 5 want like this:

AddHandler php5-script .php
suPHP_AddHandler php5-script .php

BUT STILL I HAVE AN ANOTHER STRANGE THING.

<IfModule mod_suphp.c>
<Directory "/var/www/vhosts/domain.com/httpdocs/">
php_admin_flag engine on
suPHP_Engine On
suPHP_ConfigPath "/var/www/vhosts/domain.com/conf/"
AddHandler php5-script .php
AddHandler x-httpd-php .php .php4 .php3 .phtml
suPHP_AddHandler php5-script .php
</Directory>
</IfModule>

Seems not OK, cause if I save into /var/www/vhosts/domain.com/conf/ the php.ini will be not load.
But if I save in /var/www/vhosts/domain.com/httpdocs/ and I change the configpath to this path, then is load, but it is in httpdocs, so easy to anyone to load it.

I did not found yet a solution :-(

 

[VJTD3]

each user you set to have their own php.ini file and it must be inside the container for the files to be served (inside that virtual container). you can disable that however you loose significant security if you do so.


(they can set where it is by .htaccess "suPHP_ConfigPath /var/www/demo.com/httpdocs" remember to remove access to php.ini.)


.htaccess
suPHP_ConfigPath /var/www/demo.com/httpdocs
<Files php.ini>
order allow,deny
deny from all
</Files>




(for security of all users you probably want this in your httpd.conf file.)
<Files php.ini>
order allow,deny
deny from all
</Files>

 

[lvalics]

For those who concern on mod_suPHP, Power Toys now modify the vhost.conf properly and also add a small php.ini into user httpdocs.
Also we detect in new version (4.3.0) if you have mod_suPHP enabled and then we add to skeleton (if you wish), this will help you to not enable to all domains, it will be enbled by default. Working well on some tested servers, especially Joomla guys love this feature