Big issue with suPHP

Discussion in 'General' started by ddelbia, Jan 16, 2006.

  1. ddelbia

    ddelbia Member

    Hi all!

    I discovered suPHP by this forum, then I think someone here are using it...

    I discovered a big issue: suPHP ignores php_admin and php_admin_values in apache2.conf (or Vhosts_ispconfig.conf)!

    Then a cfg like this:

    Code:
    <VirtualHost 1.2.2.4:80>
    ...
    php_admin_flag safe_mode On
    php_admin_value open_basedir /var/www/web2/
    php_admin_value file_uploads 1
    php_admin_value upload_tmp_dir /var/www/web2/phptmp/
    php_admin_value session.save_path /var/www/web2/phptmp/
    ...
    </VirtualHost>
    
    ...doesn't work!

    The only way to change php settings per-virtualhost is creating a custom php.ini file in a custom directory:

    Code:
    <VirtualHost 1.2.2.4:80>
    ...
    suPHP_ConfigPath /etc/apache2/dir_with_customized_php_ini
    ...
    </VirtualHost>
    
    I think I can't run suPHP with ISPConfig :-(
    Any idea?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Either dont use SuPHP or change ISPConfig to create a custom php.ini
     
  3. ddelbia

    ddelbia Member

    I think I'll disable suPHP for now, but I'll try to do some changes... are there some docs or can you tell me where to start?

    Thank you again Till, you're becoming my best friend! :D
    Do you plan to come here in Italy for holiday? ;-)
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Have a look at the script:

    /root/ispconfig/scripts/lib/config.lib.php

    the relevant function is named:

    make_vhost($server_id) {
    ......

    Thanks, I will send you a pm if i will make hollidays in italy ;)
     
  5. ddelbia

    ddelbia Member

    Ok! This is valid for falko too ;-)

    On topic, I realized now that there are no problems with suPHP, because php_admin commands are used in virtualhosts by ISPConfig only for setting safe mode (am I right?)... and, after reading some forums out here, suPHP makes safe mode obsolete.

    Now, the only disadvantage of suPHP are the poor performances, the same of php-cgi (php is called by CLI)... but I prefer to have better security and to avoid problems caused by safe mode (uploaded files permissions, for example)

    I read something about fastcgi php ( see http://www.t17.ds.pwr.wroc.pl/~misiek/index.php/ApacheModFastcgiPHP ), but it seems quite complex to install, tune and specially mantain (it require to download and compile php source, I like too much debian apt-get and security updates!)...

    See you :)
     
  6. falko

    falko Super Moderator Howtoforge Staff

    This is good to know! :)
     
  7. djtremors

    djtremors New Member

    I know this is a late topic but I thought I'd throw in my piece.

    I've been researching on how to better secure php with ISPconfig installed and been playing around with suphp, suexec and mod_php in safe_mode=on

    I found you can relax the strict safe_mode of mod_php with file uploads by setting the safe_mode_gid=on then setting the phptmp folder with chmod g+s.

    This works where apache user (www/nobody/wwwuser/apache/etc) writes to that temp folder and the GID is kept. mod_php can still read that file so it works.

    The only thing I didn't check or confirmed is that the quota for the user is counted as the user who owns the file is still the httpd servers user and not the user of the account.

    Now someone can confirm this 100% because this was a week ago and I think that was all I did to make it work. I don't think there was any special other tweaks but you'd need to change your make_vhost($server_id) to change the permissions.
     
    Last edited: May 11, 2006
  8. MvincM

    MvincM New Member

    Hi,

    Are those options by default in ISPC?

    php_admin_flag safe_mode On
    php_admin_value open_basedir /var/www/web2/
    php_admin_value file_uploads 1
    php_admin_value upload_tmp_dir /var/www/web2/phptmp/
    php_admin_value session.save_path /var/www/web2/phptmp

    I can't see them in Vhosts_ispconfig.conf. Ddelbia are you put them youself?

    Best regards,
    MvincM
     
  9. falko

    falko Super Moderator Howtoforge Staff

    Yes.

    They are written by ISPConfig if you enable PHP Safe Mode for the web site.
     
  10. MvincM

    MvincM New Member

    Ohhh. I see.

    Thank you for info.

    But it could be useful to have

    php_admin_value open_basedir /var/www/web2/
    php_admin_value file_uploads 1
    php_admin_value upload_tmp_dir /var/www/web2/phptmp/
    php_admin_value session.save_path /var/www/web2/phptmp

    without

    php_admin_flag safe_mode On

    First of them increase security level without some "safe_mode" issues.

    It is possible?

    MvincM
     
  11. falko

    falko Super Moderator Howtoforge Staff

    Only if you change ISPConfig's source code.
     
  12. matteo

    matteo New Member

    Probleme with rights

    When i put a Dotclear Webblog or another CMS..
    If i want upload a file via Php.. the file go on the right place but not with the owner of the site.. exemple webx_user. The file owner in the server is wwwrun www (apache)..
    How can i uploader a file with php and have the right owner ?
    Thanks a lot..
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    The thraed above your post is your answer.

    Use SuPHP, SuEXEC + CGI-PHP or PHP with FastCGI.
     
  14. matteo

    matteo New Member

    ok

    Ok i try it
    Thanks
     

Share This Page