[Help/Discuss] suPHP - PHP Security

Hello,

Okay this has been a three day ordeal for me now :rolleyes:

How it started: I am writing a set of utilities which require emails to be sent out signed by GnuPG. So this led me to using PHP (my programming language); however, as PHP is run as the apache user, it can’t access the USERNAME gnupg folder, because of permissions.

For this to work then, we want to run PHP as the username of the site. This has now opened a 20-hour-long searching can of worms for me. Finally I found suPHP. Chris (Interworx) had suggested, and I quote:

easiest “fix” would probably be to write a PHP CGI script to run under suexec in Apache as the website user. If you have CGI enabled just make a PHP CGI script and make sure the ownership is USERNAME and it’s chmod’d 755

Now that would be the simplest of things to do - however I become stuck at this point, so if anyone has any ideas on that particular idea, please stop me now and let me know, as I would very much appreciate it.

After much much Googling, I found suPHP and set-to installing it, however am running into all sorts of problems. This would put a level of security in etc etc etc, however that would only happen if I could get it working. :rolleyes:

So in summary, if anyone has successfully installed, configured and is using suPHP, please would you post up here and discuss how you did it and what drawbacks & positives it has meant, or if someone knows how to accomplish Chris’s comments, I would appreciate it.

I am hoping that this can actually be a discussion on the suPHP module and security of PHP scripts, and what people currently do, and what anyone’s plans are.

Look forward to hearing your comments, suggestions, discussion.

Kindest Regards,
William

You actually don’t need suPHP at all William, just suEXEC, which is built into Apache.

Just do this:

  • Make sure CGI access is ON for the account in question
  • Create a PHP script using #!/usr/bin/php at the top and make sure it’s chmod’d 755 (700 will work as well)
  • Stick it in the cgi-bin dir although any dir should work
  • Access the file from a browser as normal (it should be running as the user that owns the account and not the apache user).

That’s it!

Chris

Hello Chris,

Thanks for the info and the pointers. I have done what you said, and get the really helpful 500 Internal Server Error, with the following in the logs:

[Mon Dec 19 14:30:07 2005] [error] [client xxx.xxx.xxx.xx] Premature end of script headers: test.php
[Mon Dec 19 14:30:07 2005] [error] [client xxx.xxx.xxx.xx] fopen: Permission denied
[Mon Dec 19 14:30:07 2005] [error] [client xxx.xxx.xxx.xx] failed to open log file

This was with the script placed in the cgi-bin.

Cheers,
William

Hello Chris,

Getting slightly closer now, after some fudging around, however still not quite there. Now getting the following:

Security Alert! The PHP CGI cannot be accessed directly. This PHP CGI binary was compiled with force-cgi-redirect enabled. This means that a page will only be served up if the REDIRECT_STATUS CGI variable is set, e.g. via an Apache Action directive.
For more information as to why this behaviour exists, see the manual page for CGI security.
For more information about changing this behaviour or re-enabling this webserver, consult the installation file that came with this distribution, or visit the manual page.

Look forward to a solution to this rather frustrating error. :slight_smile:

Cheers.

Okay,

I have decided after much reading that I need to recompile php without the --force-cgi-redirect flag.

Could someone from Interworx please confirm the command to do this without affecting too drastically the current php config.

Many Thanks.

William, you shouldn’t have to recompile PHP. Just make sure the file you’re testing on has a file extension that is recognized as a CGI script (i.e. asd.cgi) and NOT a .php extension. I just tried the default php+apache that ships with iworx and this worked fine running as the user that owns the file/account.

Chris
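
An added example, not part of any post in this thread: a pre-flight check for a PHP CGI script set up as described in the replies above (owned by the account user, mode 755, `#!` line, an extension other than .php). It also applies the checks from Apache's documented suEXEC security model (file and directory not writable by group/other, no setuid/setgid bit). The function name `check_suexec_cgi` and the sample files are constructed for illustration; GNU `stat` is assumed.

```shell
#!/bin/sh
# Usage: check_suexec_cgi FILE OWNER   (OWNER is a user name or numeric uid)
# Prints one line per problem; returns 0 when clean, 1 otherwise.
check_suexec_cgi() {
    f=$1; owner=$2; rc=0
    [ -f "$f" ] || { echo "not a regular file: $f"; return 1; }
    case $owner in
        ''|*[!0-9]*) want=$(id -u "$owner") || return 1 ;;  # resolve a user name
        *) want=$owner ;;                                   # already a numeric uid
    esac
    uid=$(stat -c %u "$f")                  # GNU stat assumed
    mode=$(stat -c %a "$f")                 # octal permission bits, e.g. 755
    dmode=$(stat -c %a "$(dirname "$f")")
    [ "$uid" = "$want" ] || { echo "owner uid $uid, expected $want"; rc=1; }
    [ $((0$mode & 0100)) -ne 0 ] || { echo "owner execute bit missing (mode $mode)"; rc=1; }
    [ $((0$mode & 022)) -eq 0 ] || { echo "file writable by group/other (mode $mode)"; rc=1; }
    [ $((0$mode & 06000)) -eq 0 ] || { echo "setuid/setgid bit set (mode $mode)"; rc=1; }
    [ $((0$dmode & 022)) -eq 0 ] || { echo "directory writable by group/other (mode $dmode)"; rc=1; }
    case $(head -n 1 "$f") in
        '#!'*) ;;
        *) echo "first line is not a #! interpreter line"; rc=1 ;;
    esac
    case $f in
        *.php) echo ".php extension: use one mapped to CGI, e.g. .cgi"; rc=1 ;;
    esac
    return $rc
}

# Constructed demo: a world-writable test.php, then the same script as test.cgi, mode 755.
demo=$(mktemp -d)
printf '#!/usr/bin/php\n<?php echo "ok"; ?>\n' > "$demo/test.php"
chmod 777 "$demo/test.php"
check_suexec_cgi "$demo/test.php" "$(id -u)" || true
cp "$demo/test.php" "$demo/test.cgi" && chmod 755 "$demo/test.cgi"
check_suexec_cgi "$demo/test.cgi" "$(id -u)" && echo "test.cgi: ok"
rm -rf "$demo"
```
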

Hello Chris/Interworx Team,

A couple of things still relating to this issue, one is, I am re-visiting this issue, which still remains unresolved this end, unfortunately :frowning:

I have tried logging in and submitting a support ticket, and it is showing an authentication error, EVEN after having requested a new password :S

Hope someone can look into this issue, so I can take the issue off the board.

Cheers.

EverythingWeb,

I reset your helpdesk password, and I just sent you a private message with that information. Let us know if you’re still having problems logging in.

Socheat

I remember back when I was trying to figure out something similar allowing every apache Vhost to run as its own user. There was a mod out there that would do this, but it died out and I haven’t found anyone working on it or a new one. I’m still holding hope b/c that would be a very cool addition to apache in a shared hosting environment.

Here is the other thread in which I found that mod:
http://interworx.com/forums/showthread.php?t=292

And another:
http://interworx.info/forums/showthread.php?t=262