[suPHP] How to test suPHP

Discussion in 'Plesk for Linux - 8.x and Older' started by bigtank, Mar 19, 2008.

  1. bigtank

    bigtank Guest

    0
     
    Hi

    I run Plesk 8.3 under RedHat RHEL 4 and I installed suPHP from
    http://dag.wieers.com/rpm/packages/mod_suphp...

    The file /etc/httpd/conf.d/suphp.conf just contains the line
    "LoadModule....."
    (phpinfo tells me that the module mod_suphp is loaded)

    After I added the following to the file vhosts.conf:

    <Directory /var/www/vhosts/<domain>/httpdocs>
    <IfModule sapi_apache2.c>
    <IfModule mod_suphp.c>
    RemoveHandler x-httpd-php
    php_admin_flag engine Off
    suPHP_AddHandler x-httpd-php .php
    suPHP_Engine on
    AddHandler x-httpd-php .php
    suPHP_UserGroup <Username> psacln
    </IfModule>
    </IfModule>
    </Directory>


    Then I made the file "id.php" with the following input:

    <?php
    system('id');
    ?>

    When I run http://domain/id.php apache tells me:

    uid=48(apache) gid=48(apache) groups=48(apache),2523(psaserv)

    If mod_suphp would work correctly shouldn't I get back uid=(<Username>)
    instead of uid=48(apache)????


    Thnx for help

    bt
     
  2. Amin Taheri

    Amin Taheri Golden Pleskian Plesk Certified Professional

    33
     
    Joined:
    Jul 5, 2007
    Messages:
    1,398
    Likes Received:
    1
    Location:
    Seattle Area
    Did you do

    /usr/local/psa/admin/bin/websrvmng -u --vhost-name=<domain.com>

    and restarted httpd after installing?

    Also another way to test if the vhost.conf is hitting the suphp place is to remove your if statements

    <IfModule mod_suphp.c>

    </IfModule>

    and then see what happens when it executes.
     
  3. bigtank

    bigtank Guest

    0
     
    @ ALL

    I found it out :)

    In the attachment I wrote the solution.

    Just a HowTo for installing suPHP under RHEL 4
    to use it via plesk :)


    Greets to anybody who is using it.


    bigtank
     

  4. Amin Taheri

    suPHP_ConfigPath "/var/www/vhosts/<domain>/tmp"
    should be
    suPHP_ConfigPath "/var/www/vhosts/<domain>/etc"

    also by default you should set these:

    safe_mode = On
    open_basedir = "/var/www/vhosts/<domain>/httpdocs:/var/www/vhosts/<domain>/tmp"

    disable_functions = dl , exec , furl_open , passthru , pfsockopen , popen , posix_kill , posix_mkfifo , posix_setuid , proc_close , proc_open , proc_terminate , shell_exec , system , leak , posix_kill , posix_setpgid , posix_setsid , proc_get_status , proc_nice , show_source

    upload_tmp_dir = "/var/www/vhosts/<domain>/tmp"


    You also need to create the two directories and set permissions
    mkdir -p /var/www/vhosts/<domain>/tmp
    mkdir -p /var/www/vhosts/<domain>/etc
    chmod 777 /var/www/vhosts/<domain>/tmp
    chmod 644 /var/www/vhosts/<domain>/etc

    after creating the vhost.conf you should do
    /usr/local/psa/admin/bin/websrvmng -u --vhost-name=<domain>

    Then you can create an event handler that will check for physical hosting created/modified that will set the php.ini values for safe mode based on the check box, because you want it to be on for everyone unless they specifically need it off, instead of off unless they need it on, because then no one would turn it on.
     
  5. lvalics

    lvalics Silver Pleskian Plesk Guru

    36
    43%
    Joined:
    Jun 20, 2003
    Messages:
    965
    Likes Received:
    32
    Location:
    Romania
    You can also use Power Toys to configure domains for mod_suphp.
     
  6. Amin Taheri

    Yes, but if you use a properly written installer, or install it by hand, and then set up an event handler that will look at "physical hosting created" and "physical hosting modified", you can then use those events to determine if they have php and safe mode enabled, and if so set the vhost.conf options.

    Then you don't need to spend any money to get the same functionality :)
     
  7. bigtank

    bigtank Guest

    0
     
    @ HostingGuy

    Can you give me a hint how to create a

    Thx

    bigtank
     
  8. Amin Taheri

    This assumes that you have a php.ini file that is ready to be copied to each user, and is already preconfigured at /etc/suphp-php.ini, or whatever you want to call it.

    Each thing that is "preconfigured" should be set up in the way of
    PHP:
    #grep DOMAIN_NAME /etc/suphp-php.ini

    open_basedir = "/var/www/vhosts/DOMAIN_NAME/httpdocs:/var/www/vhosts/DOMAIN_NAME/tmp"
    doc_root = /var/www/vhosts/DOMAIN_NAME/httpdocs
    upload_tmp_dir = "/var/www/vhosts/DOMAIN_NAME/tmp"
    session.save_path = "/var/www/vhosts/DOMAIN_NAME/tmp"

    The script will automatically replace DOMAIN_NAME with the real value when it copies the php.ini file to the domain. If you use a different VHOSTROOT it will also update that.


    Something similar to this - this specifically may not work for you, but it's a good starting point.

    PHP:
    #!/bin/bash
    # Plesk event handler: expects NEW_DOMAIN_NAME (and, on a rename,
    # OLD_DOMAIN_NAME) to be set in the environment.

    PHPINI="/etc/suphp-php.ini"
    VHOSTROOT="/var/www/vhosts"

    # Without a domain name every path below would point at $VHOSTROOT itself
    [ -n "$NEW_DOMAIN_NAME" ] || exit 1

    #if the NEW_DOMAIN_NAME (folder) in the vhost root has a conf sub directory then
    # its a NEW_DOMAIN_NAME name, and not folders like chroot, default, etc.

    MYSQL_PW=`cat /etc/psa/.psa.shadow`
    MYSQL_RUN="mysql -N -B -uadmin -p$MYSQL_PW psa"

    #Build MySQL Query for getting php and php safe mode statuses
    MYSQL_QUERY="select php, php_safe_mode from hosting where dom_id=(select id from domains where name='$NEW_DOMAIN_NAME');"

    #Get the query results, and format
    QUERY_RESULTS=`echo "$MYSQL_QUERY"|$MYSQL_RUN | awk '{print $1,$2}'`

    #Get individual results
    PHP_ENABLED=`echo $QUERY_RESULTS | awk '{print $1}'`
    SAFE_MODE=`echo $QUERY_RESULTS | awk '{print $2}'`

    #if PHP is enabled, then we will tell vhost.conf to include the suphp.conf file - otherwise we dont care
    if [ "$PHP_ENABLED" == "true" ]; then
        # if vhost.conf exists
        if [ -f "$VHOSTROOT/$NEW_DOMAIN_NAME/conf/vhost.conf" ]; then
            # if suphp.conf exists then they had php
            if ! grep -q suphp.conf "$VHOSTROOT/$NEW_DOMAIN_NAME/conf/vhost.conf"; then
                echo "Include $VHOSTROOT/$NEW_DOMAIN_NAME/conf/suphp.conf" >> "$VHOSTROOT/$NEW_DOMAIN_NAME/conf/vhost.conf"
            fi
        # if vhost.conf doesnt exist
        else
            echo "Include $VHOSTROOT/$NEW_DOMAIN_NAME/conf/suphp.conf" > "$VHOSTROOT/$NEW_DOMAIN_NAME/conf/vhost.conf"
        fi
    fi

    #Make the directories for the client
    mkdir -p "$VHOSTROOT/$NEW_DOMAIN_NAME/tmp"
    mkdir -p "$VHOSTROOT/$NEW_DOMAIN_NAME/etc"

    #copy over a php.ini file if they dont already have one
    if [ ! -f "$VHOSTROOT/$NEW_DOMAIN_NAME/etc/php.ini" ]; then
        #They dont have one, lets give them one
        cp --reply=yes "$PHPINI" "$VHOSTROOT/$NEW_DOMAIN_NAME/etc/php.ini" >/dev/null 2>&1
    fi

    # Replace DOMAIN_NAME in the php file
    #   This should be preconfigured so that you just have to replace
    #   the text above with the new NEW_DOMAIN_NAME names
    perl -pi -e "s/DOMAIN_NAME/$NEW_DOMAIN_NAME/gi" "$VHOSTROOT/$NEW_DOMAIN_NAME/etc/php.ini"

    #If there is an Old domain name, make sure its not the same, and has a value other wise it will
    #replace all characters in the php file, and that is no good.
    if [ "$OLD_DOMAIN_NAME" != "" ]; then
        if [ "$OLD_DOMAIN_NAME" != "$NEW_DOMAIN_NAME" ]; then
            perl -pi -e "s/$OLD_DOMAIN_NAME/$NEW_DOMAIN_NAME/gi" "$VHOSTROOT/$NEW_DOMAIN_NAME/etc/php.ini"
        fi
    fi

    #in case vhost root is not default or is changed with out updating php.ini
    if [ "/var/www/vhosts" != "$VHOSTROOT" ]; then
        perl -pi -e "s@/var/www/vhosts@$VHOSTROOT@gi" "$VHOSTROOT/$NEW_DOMAIN_NAME/etc/php.ini"
    fi

    #Turn OFF allow_url_fopen
    perl -pi -e "s/allow_url_fopen = On/allow_url_fopen = Off/gi" "$VHOSTROOT/$NEW_DOMAIN_NAME/etc/php.ini"

    if [ "$SAFE_MODE" == "false" ]; then
        #Turn OFF safe mode
        perl -pi -e "s/safe_mode = on/safe_mode = off/gi" "$VHOSTROOT/$NEW_DOMAIN_NAME/etc/php.ini"
    fi

    if [ "$SAFE_MODE" == "true" ]; then
        #Turn ON safe mode
        perl -pi -e "s/safe_mode = off/safe_mode = on/gi" "$VHOSTROOT/$NEW_DOMAIN_NAME/etc/php.ini"
    fi

    #Get the user and group for suphp file
    SUPHP_USER=`ls -la "$VHOSTROOT/$NEW_DOMAIN_NAME/" | grep httpdocs | awk '{print $3}'`
    SUPHP_GROUP=`ls -la "$VHOSTROOT/$NEW_DOMAIN_NAME/" | grep httpdocs | awk '{print $4}'`
    FILE_GROUP="psacln"

    #Set permissions on them all too
    chown -R "$SUPHP_USER:$FILE_GROUP" "$VHOSTROOT/$NEW_DOMAIN_NAME/tmp"
    chown -R root:root "$VHOSTROOT/$NEW_DOMAIN_NAME/etc"
    chmod -R 770 "$VHOSTROOT/$NEW_DOMAIN_NAME/tmp"
    chmod -R 755 "$VHOSTROOT/$NEW_DOMAIN_NAME/etc"

    for FOLDER in `ls "$VHOSTROOT/$NEW_DOMAIN_NAME/httpdocs" | grep -v plesk-stat`; do
        chown -R "$SUPHP_USER:$FILE_GROUP" "$VHOSTROOT/$NEW_DOMAIN_NAME/httpdocs/$FOLDER"
    done

    #remove any pre-existing suphp.conf
    rm -Rf "$VHOSTROOT/$NEW_DOMAIN_NAME/conf/suphp.conf"
    echo "
        <Directory $VHOSTROOT/$NEW_DOMAIN_NAME/httpdocs>
            php_admin_flag engine Off
            suPHP_Engine on
            suPHP_UserGroup $SUPHP_USER $FILE_GROUP
            #vhost php.ini
            suPHP_ConfigPath \"$VHOSTROOT/$NEW_DOMAIN_NAME/etc\"
            AddHandler x-httpd-php .php
            suPHP_AddHandler x-httpd-php
        </Directory>" > "$VHOSTROOT/$NEW_DOMAIN_NAME/conf/suphp.conf"

    #Regenerate the Apache configuration for this vhost
    /usr/local/psa/admin/bin/websrvmng -u --vhost-name="$NEW_DOMAIN_NAME"

     
  9. Ionut

    Ionut Guest

    0
     
    I think the best way is to globally set suphp and exclude the webmail. If you don't do that and you allow creations of subdomains then those will not be protected.

    suphp should come with plesk. It's not that hard to integrate.
     
  10. lvalics

    It is not a good idea to enable it globally, because a lot of domains can be affected, especially if old domains used 777 or other chmod or uploaded files as apache. They will get an error later.
    The best way is to disable it globally and enable it per domain in vhost.conf.
     
  11. madcat

    madcat Guest

    0
     
    I _DO_ want it enabled globally

    Hello. I am setting up a new server, and I want suphp enabled for each domain, without having to setup a new vhost.conf for each new domain. Any ideas?
     
  12. Amin Taheri

    One idea would be to read the posts about this topic that will tell you how to do what you asked - some of which are already in this thread.
     
  13. madcat

    madcat Guest

    0
     
    If you're talking about the script above, it's nice, but it's not what I'm looking for. I would like to have the apache config needed for mod_suphp included in either the httpd.include for the domain in question, or somewhere in a global config in /etc/httpd/. I don't see that anywhere in this thread ... am I missing something? I found this thread in the first place by searching for the text 'mod_suphp'.
     
  14. Amin Taheri

    That's not really possible because each domain will need its own custom settings, and httpd.include will get overwritten frequently so anything you add in there will get deleted.

    There really is no good way to do it without using vhost.conf (which is what that file is for) - anything that you would put into the httpd.include file for the domain should go into vhost.conf instead.
     
  15. lvalics

    And enabling it globally will not allow users to change their own php.ini.
    Actually, I think you can enable it globally by putting all the things in /etc/httpd/conf.d/mod_suphp.conf, but that could be a very wrong way.
     
  16. papak

    papak Basic Pleskian

    25
    73%
    Joined:
    Nov 30, 2007
    Messages:
    64
    Likes Received:
    0
    Following the instructions in this thread we got su_php successfully installed on our server, but we have 2 questions.

    1. Is it safe on shared hosting with su_php to allow users to edit php.ini?
    2. What happens if users accidentally remove php.ini in your directory?

    Thanks in advance.

    Mike
     
  17. lvalics

    1. Yes, it is safe. They edit their own php.ini and it will apply ONLY to their domain. If they edit something wrong (syntax), they will get errors, a white screen, etc.
    2. If they delete it, /etc/php.ini will still apply.
     
  18. papak

    Thank you. It's clear now. I still have one question. Is safemode on or off with suphp obsolete? I'm asking because in various examples safemode is on with suphp and in others it is off.

    Best regards,
    Mike
     
  19. papak

    In vhost.conf, suphp ignores php_value and php_admin_value directives such as open_basedir. They must be set in the php.ini for the vhost.

    The example on http://www.grafxsoftware.com/faq.php/HOW-TO-Setup-a-PLESK-Dedicated-Server/1/4/:

    <IfModule mod_suphp.c>
    <Directory /var/www/vhosts/DOMAIN/httpdocs>
    php_admin_flag engine on
    suPHP_Engine On
    suPHP_ConfigPath "/var/www/vhosts/DOMAIN/httpdocs/"
    AddHandler x-httpd-php .php
    AddHandler php5-script .php
    AddHandler x-httpd-php .php .php5 .php4 .php3 .phtml
    suPHP_AddHandler x-httpd-php
    suPHP_AddHandler php5-script .php
    suPHP_UserGroup ftpuser psacln
    php_value open_basedir "/tmp/"
    php_value upload_tmp_dir "/var/www/vhosts/DOMAIN/tmp/"
    <Files php.ini>
    order allow,deny
    deny from all
    </Files>
    </Directory>
    </IfModule>

    is not correct concerning php_value, because it is ignored by suphp.

    If users have access to their php.ini and change or disable open_basedir or another security-relevant directive, it can be a big security problem. I think it's not a good idea to allow users to edit php.ini.
    Any idea how to prevent users from editing important settings and allow them to edit only harmless settings?

    Best regards,
    Mike
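
Added example (not part of any post in this thread): a shell check for the concern raised above, that a per-vhost php.ini loaded through suPHP_ConfigPath only constrains a site if the site user cannot rewrite it and if its open_basedir stays inside the vhost. The directory layout is the one used in the thread; the function names and the list of accepted "off" values are assumptions made for this example.

```shell
#!/bin/bash
# Added example: audit one suPHP vhost's php.ini (layout from the thread:
# <vhost>/etc/php.ini, <vhost>/httpdocs). Function names are made up here.

# Print the effective value of KEY: the last uncommented "KEY = value" wins.
ini_value() {  # usage: ini_value FILE KEY
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }
        { eq = index($0, "="); if (!eq) next
          k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k)
          sub(/[ \t]+;.*$/, "", v); gsub(/^[ \t"]+|[ \t"\r]+$/, "", v)
          if (k == key) val = v }
        END { print val }' "$1"
}

# Flag settings that let scripts reach outside the vhost; returns the count.
check_ini() {  # usage: check_ini FILE VHOSTDIR
    local ini="$1" root="${2%/}" bad=0 obd p v
    obd=$(ini_value "$ini" open_basedir)
    [ -n "$obd" ] || { echo "FAIL open_basedir is not set"; bad=$((bad + 1)); }
    local IFS=:
    for p in $obd; do
        case "${p%/}/" in
            */../*) echo "FAIL open_basedir entry uses ..: $p"; bad=$((bad + 1)) ;;
            "$root"/*) ;;
            *) echo "FAIL open_basedir entry outside vhost: $p"; bad=$((bad + 1)) ;;
        esac
    done
    v=$(ini_value "$ini" allow_url_fopen | tr 'A-Z' 'a-z')
    case "$v" in
        off|0|false|no) ;;
        *) echo "FAIL allow_url_fopen is on (unset means on)"; bad=$((bad + 1)) ;;
    esac
    return "$bad"
}

# php.ini must not be writable by the site user (needs GNU stat).
check_perms() {  # usage: check_perms PATH SITE_USER
    local owner mode
    owner=$(stat -c %U "$1") && mode=$(stat -c %a "$1") || return 2
    [ "$owner" != "$2" ] || { echo "FAIL $1 is owned by $2"; return 1; }
    [ $(( 0$mode & 022 )) -eq 0 ] || { echo "FAIL $1 mode $mode: group/other writable"; return 1; }
}

# Run as: script /var/www/vhosts/<domain> <site_user>
if [ $# -eq 2 ]; then
    check_ini "$1/etc/php.ini" "$1"
    check_perms "$1/etc/php.ini" "$2"
    check_perms "$1/etc" "$2"
fi
```

The etc directory is checked as well as the file, because write access to the directory is enough to replace php.ini.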
     
  20. lvalics

    mod_suphp will not allow you to have this problem; we use it on all servers and for now no problem :)
     