mod_suphp support [#19372]

Submitted by Mostafa on Fri, 09/02/2011 - 01:45

mod_suphp is a common php execution method as it's owner widely used by cpanel , directadmin , ...

It secure, reliable and configurable.

I've runned mod_suphp on my debian vps with following steps : 1- set the execution mode to mod_php

2- add these two lines in virtualmin apache template :

suPHP_Engine ON
suPHP_UserGroup ${USER} ${USER}

3- disable and enable web feature to apply new template for all existing virtualhosts.

4- Now just run the following commands to install mod_suphp , ( apxs2 should be installed before ) :

cd /usr/src
wget http://suphp.org/download/suphp-0.7.1.tar.gz
tar -zxf suphp-0.7.1.tar.gz
cd suphp-0.7.1
"./configure" \
"--prefix=/usr/local/suphp" \
"--sysconfdir=/usr/local/suphp/etc/" \
"--with-apache-user=www-data" \
"--with-setid-mode=paranoid" \
"--with-apxs=/usr/bin/apxs2" \
"--disable-checkpath"
 
make
make install
 
echo "LoadModule suphp_module        /usr/lib/apache2/modules/mod_suphp.so" >> /etc/apache2/mods-available/suphp.load
ln -s /etc/apache2/mods-available/suphp.load /etc/apache2/mods-enabled/suphp.load
 
echo -e '<IfModule mod_suphp.c>\n'\
'<FilesMatch "\.(inc|php|php3|php4|php5|php6|phtml|phps)$">\n'\
'AddHandler x-httpd-php5 .inc .php .php3 .php4 .php5 .phtml\n'\
'</FilesMatch>\n'\
'<Location />\n'\
'suPHP_Engine on\n'\
'suPHP_ConfigPath' `which php-cgi`'\n'\
'suPHP_AddHandler x-httpd-php5\n'\
'</Location>\n'\
'</IfModule>\n' > /etc/apache2/mods-available/suphp.conf
 
ln -s /etc/apache2/mods-available/suphp.conf /etc/apache2/mods-enabled/suphp.conf

5- Copy the following codes into /usr/local/suphp/etc/suphp.conf :

[global]
;Path to logfile
logfile=/var/log/suphp.log
 
;Loglevel
loglevel=warn
 
;User Apache is running as
webserver_user=www-data
 
;Path all scripts have to be in
docroot=/
 
; Security options
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false
 
; Normally suPHP only displays the PHP binary in process lists (ps aux).
; Setting this option to 'true' will cause suPHP to display both the
; PHP binary and the script filename.
;full_php_process_display=true
 
;Check wheter script is within DOCUMENT_ROOT
check_vhost_docroot=false
 
;Send minor error messages to browser
errors_to_browser=false
 
;PATH environment variable
env_path="/bin:/usr/bin"
 
;Umask to set, specify in octal notation
umask=0022
 
;Minimum UID
min_uid=100
 
;Minimum GID
min_gid=100
 
[handlers]
;Handler for php-scripts
x-httpd-php5="php:/usr/bin/php-cgi"
 
;Handler for CGI-scripts
x-suphp-cgi="execute:!self"

restart apache and enjoy mod_suphp.

Please add this feature for virtualmin too.

Status:

Active

Comments

Submitted by JamieCameron on Fri, 09/02/2011 - 01:57 Comment #1

Does mod_suphp offer any major benefits over the PHP modes Virtualmin already supports? If not, we are unlikely to add support for it, as there is significant development cost in supporting each mode, as they have their own wrapper scripts, PHP.ini location, required apache module and directives.

Submitted by Mostafa on Fri, 09/02/2011 - 02:02 Comment #2

I think it's more secure, for example chmod 777 is not allowed on suphp !

http://boomshadow.net/tech/php-handlers/

Submitted by JamieCameron on Fri, 09/02/2011 - 10:21 Comment #3

Based on that web page, fcgid which we already support is just as fast as suphp, and secure because it runs with domain owner permissions. Or if you care about memory use over speed, Virtualmin supports cgi mode which runs scripts as the domain owner.

So I don't see much benefit from suphp.

Submitted by Lucian on Fri, 09/02/2011 - 13:14 Comment #4

I've been moving CPanel customers from mod_suphp to fcgi due to performance issues. Fcgi + suexec = nice and fast, I love it. May not be that "secure", then again nothing really is.

-1 from me.