Install suphp with apache on ubuntu

Suphp

The suphp php handler is an apache module (mod_suphp) that runs php scripts with the ownership and permissions of a specific user. This is seen as a security enhancement since the system can keep track of which user's php script is running (and which one is causing problems, if any). In shared hosting environments suphp is very popular since it is very easy to install and configure.

Suphp runs php as cgi, so it needs the php5-cgi package to be installed. Because of this, suphp is much slower than mod_php, but it adds the security of identifying the user who ran the script. So if you need to run php as cgi, suphp is the preferred way. However, there are much better and faster alternatives like fastcgi, fpm etc. that have higher performance compared to cgi.

Suphp consists of two components:

1. mod_suphp - an Apache module that replaces mod_php
2. suphp - a setuid binary that replaces Apache's suexec; it runs php with the specific user's privileges.

Install suphp on Ubuntu

1. First install the apache module for suphp, package libapache2-mod-suphp

$ sudo apt-get install libapache2-mod-suphp

2. Next disable mod_php, which is the default php handler on ubuntu

$ sudo a2dismod php5 
Module php5 disabled.
Run '/etc/init.d/apache2 restart' to activate new configuration!

3. Now restart Apache

$ sudo /etc/init.d/apache2 restart
 * Restarting web server apache2
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
 ... waiting apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
   [ OK ]

This should install and enable suphp. The load file for the mod_suphp module is located here

$ cat /etc/apache2/mods-enabled/suphp.load
LoadModule suphp_module /usr/lib/apache2/modules/mod_suphp.so

The suphp configuration for apache is here

$ cat /etc/apache2/mods-enabled/suphp.conf 
<IfModule mod_suphp.c>
        AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
        suPHP_AddHandler application/x-httpd-suphp

    <Directory />
        suPHP_Engine on
    </Directory>

    # By default, disable suPHP for debian packaged web applications as files
    # are owned by root and cannot be executed by suPHP because of min_uid.
    <Directory /usr/share>
        suPHP_Engine off
    </Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
#       suPHP_ConfigPath /etc/php4/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
#       suPHP_RemoveHandler <mime-type>
</IfModule>






The above configuration makes suphp the handler for php files.

Set the userid and groupid for each virtualhost

To make suphp run the php scripts with a specific userid/groupid we need to setup the configuration for each virtualhost in the apache configuration file.

The apache configuration file on ubuntu is located at

/etc/apache2/sites-available/default

Edit the relevant virtual host and add the suphp usergroup settings as shown below. The suPHP_UserGroup directive tells apache which userid/groupid to use for the specific virtual host.

<VirtualHost 64.131.72.23:80>
    ServerName some-site.com
    ServerAlias www.some-site.com
    DocumentRoot /home/mike/public_html
    <IfModule mod_suphp.c>
        suPHP_UserGroup mike mike
    </IfModule>
</VirtualHost>

If you do not want to edit the main apache configuration file then create a new file in the same directory

/etc/apache2/sites-available/

And add the virtualhost block in that file. Then apply the settings using the a2ensite command.

$ sudo a2ensite file_name

Configure permissions

Suphp also gives "500 Internal Server Error" if a php file is writable by group. The error log will have an entry like this

SoftException in Application.cpp:564: Directory "/var/www" is writeable by group, referer: http://localhost/index.php

To fix this, check the permissions and make sure that group and others do not have any permission on a php file except reading.
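
One way to run that check over a whole document root before enabling the virtual host, as an added example that is not part of the original article. suphp_audit and suphp_targets are hypothetical helper names, and the ownership test assumes every directory and script should belong to the user named in suPHP_UserGroup.

```shell
#!/bin/sh
# Added example (not from the original article): audit a docroot against the
# permission rule suPHP enforces. Helper names are hypothetical.

# List every directory plus every regular file with an extension that
# suphp.conf maps to the handler, filtered by the extra find tests given.
suphp_targets() {
    root=$1
    shift
    find "$root" \( -type d -o -type f \( -name '*.php' \
        -o -name '*.php[345]' -o -name '*.phtml' \) \) "$@" -print
}

# usage: suphp_audit DOCROOT OWNER
#   DOCROOT  the virtual host's DocumentRoot, e.g. /home/mike/public_html
#   OWNER    user name or numeric uid from suPHP_UserGroup, e.g. mike
# Prints one line per finding; returns 0 when clean, 1 otherwise.
suphp_audit() {
    docroot=$1
    owner=$2
    report=$(
        # Writable by group (020) or others (002): the condition behind
        # the "is writeable by group" SoftException in the error log.
        suphp_targets "$docroot" \( -perm -020 -o -perm -002 \) |
            sed 's/^/WRITABLE /'
        # Assumption: anything not owned by the suPHP_UserGroup user is
        # worth flagging as well.
        suphp_targets "$docroot" ! -user "$owner" | sed 's/^/OWNER /'
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Run as a script: sh suphp_audit.sh /home/mike/public_html mike
if [ "$#" -eq 2 ]; then
    suphp_audit "$1" "$2"
fi
```

Paths reported as WRITABLE are cleared with chmod go-w on the listed file or directory.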

Last Updated On : 4th June 2013
