[suPHP] How to test suPHP

[bigtank]

Hi

I run Plesk 8.3 under RedHat RHEL 4 and I installed suPHP from
http://dag.wieers.com/rpm/packages/mod_suphp...

The file /etc/httpd/conf.d/suphp.conf just contains the line
"LoadModule....."
(phpinfo tell's me that the module mod_suphp is loaded)

After I added the following to the file vhosts.conf:

<Directory /var/www/vhosts/<domain>/httpdocs>
<IfModule sapi_apache2.c>
<IfModule mod_suphp.c>
RemoveHandler x-httpd-php
php_admin_flag engine Off
suPHP_AddHandler x-httpd-php .php
suPHP_Engine on
AddHandler x-httpd-php .php
suPHP_UserGroup <Username> psacln
</IfModule>
</IfModule>
</Directory>


Then I made the file "id.php" with the following input:

<?php
system('id');
?>

When I run http://domain/id.php apache tell's me:

uid=48(apache) gid=48(apache) groups=48(apache),2523(psaserv)

If mod_suphp would work correctly shouldn't I get back uid=(<Username>)
instead of uid=48(apache)????


Thnx for help

bt

 

[Amin Taheri]

Did you do

/usr/local/psa/admin/bin/websrvmng -u --vhost-name=<domain.com>

and restarted httpd after installing?

Also another way to test if the vhost.conf is hitting the suphp place is to remove your if statements

<IfModule mod_suphp.c>

</IfModule>

and then see what happens when it executes.

 

[bigtank]

@ ALL

I found it out

In the attachment I wrote the solution.

Just a HowTo for installing suPHP under RHEL 4
to use it via plesk


Grees to anybody how is using it.


bigtank

 

[Amin Taheri]

suPHP_ConfigPath "/var/www/vhosts/<domain>/tmp"
should be
suPHP_ConfigPath "/var/www/vhosts/<domain>/etc"

also by default you should set these:

safe_mode = On
open_basedir = "/var/www/vhosts/<domain>/httpdocs:/var/www/vhosts/<domain>/tmp"

disable_functions = dl , exec , furl_open , passthru , pfsockopen , popen , posix_kill , posix_mkfifo , posix_setuid , proc_close , proc_open , proc_terminate , shell_exec , system , leak , posix_kill , posix_setpgid , posix_setsid , proc_get_status , proc_nice , show_source

upload_tmp_dir = "/var/www/vhosts/<domain>/tmp"


You also need to create the two directories and set permissiosn
mkdir -p /var/www/vhosts/<domain>/tmp
mkdir -p /var/www/vhosts/<domain>/etc
chmod 777 /var/www/vhosts/<domain>/tmp
chmod 644 /var/www/vhosts/<domain>/etc

after creating the vhost.conf you should do
/usr/local/psa/admin/bin/websrvmng -u --vhost-name=<domain>

Then you can create an event handler that will check for physical hosting created/modified that will set the php.ini values for safe mode based on the check box becuase you want it to be on for every one unless they specifically need it off, instead of off unless they need it on, becuase then no one would turn it on.

 

[lvalics]

You can use also Power Toys for configure domains for mod_suphp.

 

[Amin Taheri]

yes, but if you use a properly written installer, or install it by hand, and then setup an event handler that will look at "physical hosting created" and "physical hosting modified" you can then use those events to determine if they have php and safe mode enabled, and if so set the vhost.conf options

Then you dont need to spend any money to get the same functionality

 

[bigtank]

@ HostingGuy

Can you give me a hint how to create a

event handler that will look at "physical hosting created"

Thx

bigtank

 

[Amin Taheri]

This assumes that you have a php.ini file that is ready to be copied to each user, and is already preconfigured at /etc/suphp-php.ini, or what ever you want to call it.

Each thing that is "preconfigured" should be setup in the way of

#grep DOMAIN_NAME /etc/suphp-php.ini

open_basedir ="/var/www/vhosts/DOMAIN_NAME/httpdocs:/var/www/vhosts/DOMAIN_NAME/tmp"
doc_root = /var/www/vhosts/DOMAIN_NAME/httpdocs
upload_tmp_dir = "/var/www/vhosts/DOMAIN_NAME/tmp"
session.save_path = "/var/www/vhosts/DOMAIN_NAME/tmp"

The script will automatically replace DOMAIN_NAME with the real value when it copies the php.ini file to the domain. if you use a different VHOSTROOT it will also update that.


Something similar to this - this specifically may not work for you, but its a good starting point.

#!/bin/bash

PHPINI="/etc/suphp-php.ini"
VHOSTROOT="/var/www/vhosts"

#if the NEW_DOMAIN_NAME (folder) in the vhost root has a conf sub directory then
# its a NEW_DOMAIN_NAME name, and not folders like chroot, default, etc.

MYSQL_PW=`cat /etc/psa/.psa.shadow`
MYSQL_RUN="mysql -N -B -uadmin -p$MYSQL_PW psa"

#Build MySQL Query for getting php and php safe mode statuses
MYSQL_QUERY="select php, php_safe_mode from hosting where dom_id=(select id from domains where name='$NEW_DOMAIN_NAME');"

#Get the query results, and format 
QUERY_RESULTS=`echo "$MYSQL_QUERY"|$MYSQL_RUN | awk '{print $1,$2}'`

#Get individual results
PHP_ENABLED=`echo $QUERY_RESULTS | awk '{print $1}'`
SAFE_MODE=`echo $QUERY_RESULTS | awk '{print $2}'`

#if PHP is enabled, then we will tell vhost.conf to include the suphp.conf file - otherwise we dont care
if [ "$PHP_ENABLED" == "true" ]; then

	# if vhost.conf exists
	if [ -f $VHOSTROOT/$NEW_DOMAIN_NAME/conf/vhost.conf ]; then
	
		# if suphp.conf exists then they had php
		if ! grep -q suphp.conf /var/www/vhosts/$NEW_DOMAIN_NAME/conf/vhost.conf ; then
			echo "Include $VHOSTROOT/$NEW_DOMAIN_NAME/conf/suphp.conf" >> $VHOSTROOT/$NEW_DOMAIN_NAME/conf/vhost.conf
		fi
		
	# if vhost.conf doesnt exist
	else
		echo "Include $VHOSTROOT/$NEW_DOMAIN_NAME/conf/suphp.conf" > $VHOSTROOT/$NEW_DOMAIN_NAME/conf/vhost.conf
	fi
fi
		
#Make the directories for the client
mkdir -p $VHOSTROOT/$NEW_DOMAIN_NAME/tmp
mkdir -p $VHOSTROOT/$NEW_DOMAIN_NAME/etc

#copy over a php.ini file if they dont already have one
if [ ! -f $VHOSTROOT/$NEW_DOMAIN_NAME/etc/php.ini ]; then
	#They dont have one, lets give them one
	cp -f --reply=yes $PHPINI $VHOSTROOT/$NEW_DOMAIN_NAME/etc/php.ini >/dev/null 2>&1
fi

# Replace NEW_DOMAIN_NAME_NAME in the php file
#   This should be preconfigured so that you just have to replace 
#   the text above with the new NEW_DOMAIN_NAME names
perl -pi -e "s/DOMAIN_NAME/$NEW_DOMAIN_NAME/gi" $VHOSTROOT/$NEW_DOMAIN_NAME/etc/php.ini

#If there is an Old domain name, make sure its nto the same, and has a value other wise it will
#replace all characters in the php file, and that is no good.
if [ "$OLD_DOMAIN_NAME" != "" ]; then
	if [ "$OLD_DOMAIN_NAME" != "$NEW_DOMAIN_NAME" ]; then
		perl -pi -e "s/$OLD_DOMAIN_NAME/$NEW_DOMAIN_NAME/gi" $VHOSTROOT/$NEW_DOMAIN_NAME/etc/php.ini
	fi
fi

#in case vhost root is not default or is changed with out updating php.ini
if [ "/var/www/vhosts" != "$VHOSTROOT" ]; then
	perl -pi -e "s@/var/www/vhosts@$VHOSTROOT@gi" $VHOSTROOT/$NEW_DOMAIN_NAME/etc/php.ini
fi

#Turn OFF allow_url_fopen
perl -pi -e "s/allow_url_fopen = On/allow_url_fopen = Off/gi" $VHOSTROOT/$NEW_DOMAIN_NAME/etc/php.ini

if [ "$SAFE_MODE" == "false" ]; then
	#Turn OFF safe mode
	perl -pi -e "s/safe_mode = on/safe_mode = off/gi" $VHOSTROOT/$NEW_DOMAIN_NAME/etc/php.ini
fi

if [ "$SAFE_MODE" == "true" ]; then
	#Turn ON safe mode
	perl -pi -e "s/safe_mode = off/safe_mode = on/gi" $VHOSTROOT/$NEW_DOMAIN_NAME/etc/php.ini
fi

#Get the user and group for suphp file
SUPHP_USER=`ls -la $VHOSTROOT/$NEW_DOMAIN_NAME/ | grep httpdocs  | awk '{print $3}'`
SUPHP_GROUP=`ls -la $VHOSTROOT/$NEW_DOMAIN_NAME/ | grep httpdocs  | awk '{print $4}'`
FILE_GROUP="psacln"

#Set permissions on them all too
chown -R $SUPHP_USER:$FILE_GROUP $VHOSTROOT/$NEW_DOMAIN_NAME/tmp 
chown -R root:root $VHOSTROOT/$NEW_DOMAIN_NAME/etc
chmod -R 770 $VHOSTROOT/$NEW_DOMAIN_NAME/tmp
chmod -R 755 $VHOSTROOT/$NEW_DOMAIN_NAME/etc

for FOLDER in `ls $VHOSTROOT/$NEW_DOMAIN_NAME/httpdocs | grep -v plesk-stat`; 
	do chown -R $SUPHP_USER:$FILE_GROUP $VHOSTROOT/$NEW_DOMAIN_NAME/httpdocs/$FOLDER;
done

#remove any pre-existing suphp.conf
rm -Rf $VHOSTROOT/$NEW_DOMAIN_NAME/conf/suphp.conf
echo "
	<Directory $VHOSTROOT/$NEW_DOMAIN_NAME/httpdocs>
		php_admin_flag engine Off
		suPHP_Engine on
		suPHP_UserGroup $SUPHP_USER $FILE_GROUP
		#vhost php.ini
		suPHP_ConfigPath \"$VHOSTROOT/$NEW_DOMAIN_NAME/etc\"
		AddHandler x-httpd-php .php
		suPHP_AddHandler x-httpd-php
	</Directory>" > $VHOSTROOT/$NEW_DOMAIN_NAME/conf/suphp.conf

/usr/local/psa/admin/bin/websrvmng -u --vhost-name=$NEW_DOMAIN_NAME

 

[Ionut]

I think the best way is to globally set suphp and exclude the webmail. If you don't do that and you allow creations of subdomains then those will not be protected.

suphp should come with plesk. It's not that hard to integrate.

 

[lvalics]

Is not a good way to enable globally, because a lot of domains can be affected, especially if old domains used 777 or other chmod or uploaded files as apache. They will get an error later.
The best way is to disable globally and enable per domain in vhost.conf.

 

[madcat]

I _DO_ want it enabled globally

Hello. I am setting up a new server, and I want suphp enabled for each domain, without having to setup a new vhost.conf for each new domain. Any ideas?

 

[Amin Taheri]

One idea would be to read the posts about this topic that will tell you how to do what you asked - some of which are already in this thread.

 

[madcat]

If you're talking about the script above, it's nice, but it's not what I'm looking for. I would like to have the apache config needed for mod_suphp included in either the httpd.include for the domain in question, or somewhere in a global config in /etc/httpd/. I don't see that anywhere in this thread ... am I missing something? I found this thread in the first place by searching for the text 'mod_suphp'.

 

[Amin Taheri]

Thats not really possible becuase each domain will need its own custom settings, and httpd.include will get overwritten frequently so anything you add in there will get deleted.

There really is no good way to do it with out using vhost.conf (which is what that file is for) - anything that you would put into the httpd.include file for the odmain should go into vhost.conf instead.

 

[lvalics]

And to enable it globally will not allow users change their own php.ini
Actually you can enable globally as I think in /etc/httpd/conf.d/mod_suphp.conf put all the things, but could be a very wrong way.

 

[papak]

Following instruction in this thread we got su_php successfully installed on our server but we have 2 questions.

1. Is it safe on shared hosting with su_php to allow user to edit php.ini?
2. What happen if users accidentally remove php.ini in your directory?

Thanks ina advance.

Mike

 

[lvalics]

1. Yes, it is safe. They edit their own php.ini and will apply ONLY to their domain. If something edit wrong (syntax) will get errors, white screen etc)
2. If they delete will still apply /etc/php.ini

 

[papak]

Thank you. It's clear now. I have still one question. Is safemode on or off with suphp obsolete? I'm asking because in various examples is safemode on with suphp and in another off.

Best regards,
Mike

 

[papak]

In vhost.conf suphp ignore php_value and php_admin_value directives such open_basedir. It must be set in php.ini for vhost.

The example on http://www.grafxsoftware.com/faq.php/HOW-TO-Setup-a-PLESK-Dedicated-Server/1/4/:

<ifmodule mod_suphp.c=""> <directory httpdocs="" domain="" vhosts="" www="" var="">
php_admin_flag engine on
suPHP_Engine On
suPHP_ConfigPath "/var/www/vhosts/DOMAIN/httpdocs/"
AddHandler x-httpd-php .php
AddHandler php5-script .php
AddHandler x-httpd-php .php .php5 .php4 .php3 .phtml
suPHP_AddHandler x-httpd-php
suPHP_AddHandler php5-script .php
suPHP_UserGroup ftpuser psacln
php_value open_basedir "/tmp/"
php_value upload_tmp_dir "/var/www/vhosts/DOMAIN/tmp/"
<files php.ini="">
order allow,deny
deny from all
</files>
</directory>
</ifmodule>

concerning php_value isn't correct because is ignored by suphp.

If user have access to their php.ini and change or disable open_basedir or another for security important directive it can be big security problem. I think it's not god idea to allow users editing php.ini.
Any idea how to prevent user to edit important setting and allow only harmlessly setting to edit?

Best regards,
Mike

 

[lvalics]

mod_suphp will no allow to have this problem, we use it on all servers and for now no problem