Installing suPHP on Ubuntu 10.04

We recently moved our servers to Rackspace cloud to give us the flexibility on growth and redundancy we were looking for. As part of this I had to rebuild our 5-year-old web server from scratch. So today let’s go over implementing suPHP for security.

Let’s get started and ssh into the server:

First let’s install suPHP


# sudo apt-get install libapache2-mod-suphp

After the suPHP install, disable mod_php5 using the following:

# sudo a2dismod php5

# sudo nano /etc/apache2/apache2.conf

and add the following at the end of the file:

suPHP_Engine on
suPHP_AddHandler application/x-httpd-php .php

Restart Apache

# sudo service apache2 restart

Re-enable php5:

# sudo a2enmod php5

Let’s set correct permissions on everything in /var/www

# cd /var/www

suPHP won’t allow a chmod of 777, so we need to set all files to 644 and directories to 755:

# sudo find . -type f -exec chmod 644 {} \;

# sudo find . -type d -exec chmod 755 {} \;

Now hand ownership of /var/www to our web user (if you don’t have a specific user for your site, you can create one with sudo adduser):

# sudo chown -R user:user /var/www/

suPHP had some issues with error 500 at this point when we went to load a page, so we need to make a config change:

# sudo nano /etc/suphp/suphp.conf

Add to the end of the file:

; Handler for CGI-scripts
x-suphp-cgi="execute:!self"
x-httpd-suphp="php:/usr/bin/php-cgi"

If you still get the same error, check whether suPHP is configured with a minimum UID of 100. suPHP will not run scripts whose owner or group ID is below min_uid or min_gid, so you need to edit the config file to the UID and GID of the user and group you are using.

# sudo nano /etc/suphp/suphp.conf

Change:

; Minimum UID
min_uid=100
; Minimum GID
min_gid=100

to:

; Minimum UID
min_uid=33
; Minimum GID
min_gid=33
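
As an added example (not part of the original article), the following script checks a web root for the two conditions the permission and min_uid/min_gid steps above deal with: files or directories left group- or world-writable, and owner or group IDs below the values in suphp.conf. The function names suphp_conf_get and suphp_audit are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# suphp_conf_get FILE KEY -> last numeric value assigned to KEY (e.g. min_uid)
suphp_conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | tail -n 1
}

# suphp_audit DIR CONF
# Prints "writable: PATH" for group- or world-writable files and directories
# (what chmod 777 leaves behind) and "low-id: PATH" for anything whose owner
# or group ID is below min_uid/min_gid in CONF. Prints nothing when clean.
suphp_audit() {
    dir=$1
    min_uid=$(suphp_conf_get "$2" min_uid)
    min_gid=$(suphp_conf_get "$2" min_gid)
    if [ -z "$min_uid" ] || [ -z "$min_gid" ]; then
        echo "min_uid/min_gid not found in $2" >&2
        return 2
    fi
    # Permission check: group-write (020) or other-write (002) bit set.
    find "$dir" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) \
        -exec printf 'writable: %s\n' {} +
    # Ownership check: compare numeric IDs against the configured minimums.
    find "$dir" \( -type f -o -type d \) -exec sh -c '
        min_uid=$1 min_gid=$2; shift 2
        for p do
            # ls -n prints the numeric owner and group in fields 3 and 4
            ids=$(ls -ldn -- "$p" | awk "{ print \$3, \$4; exit }")
            if [ "${ids% *}" -lt "$min_uid" ] || [ "${ids#* }" -lt "$min_gid" ]; then
                printf "low-id: %s\n" "$p"
            fi
        done' sh "$min_uid" "$min_gid" {} +
}
```

Run it as `suphp_audit /var/www /etc/suphp/suphp.conf`; no output means neither condition was found.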

OK, so suPHP is now running, but we are having some other issues with PHP: with the increased overhead of suPHP, our scripts are running out of memory. Cool, let’s edit php.ini real quick. We need to edit the one now used by CGI, not the mod_php one:

# sudo nano /etc/php5/cgi/php.ini

(if you don’t know where your php.ini file is you can use the phpinfo() PHP function to find it.)

Edit the memory_limit parameter in the php.ini file (usually in a section called Resource Limits):

memory_limit = 64M

If there is no section already for this, place the above line at the end of the file.

Restart apache

# sudo service apache2 restart

That’s it, now start enjoying the increased security of suPHP and being able to forget about all the issues with mod_php.

Article by Bizanator
