upgrade to suphp 0.6.3

suPHP 0.6.3 SECURITY ISSUE: Immediate update advised

Dear Falko,

I've setup suphp according your howto: http://www.howtoforge.com/install-s...tions-for-use-with-ispconfig-2.2.20-and-above, which is based on suphp 0.6.2. On 30-3-2008 suphp version 0.6.3 has been released and it is recomended to upgrade to this version as you can see here: http://www.suphp.org/Home.html

Now my question:
What are the recomended steps to perform an upgrade to this new suphp version?

I guess the following steps, but i want to be sure (because of ISPConfig and it's suPHP wrapper):

cd /tmp
wget http://www.suphp.org/download/suphp-0.6.3.tar.gz
tar xvfz suphp-0.6.3.tar.gz
cd suphp-0.6.3
./configure --prefix=/usr --sysconfdir=/etc --with-apache-user=www-data --with-setid-mode=paranoid --with-apxs=/usr/bin/apxs2
make
make install

Kind regards,

Hans

 

That should work - same steps as in the tutorial, but with a different version number.

 

Thanks Falko for your reply.
(I needed that confirmation)

I updated suphp on my both servers. Everything seems to work indeed.

 

Hm i have some issue in mandriva...again...
compiled ok httpd restarted with no errors, but my testing web gets 500 error in part where is some file function called..
This is in suPHP log.

Code:

[Tue Apr 22 00:20:35 2008] [warn] Directory /var/www is not owned by web1_webmas
ter
[Tue Apr 22 00:21:50 2008] [warn] Directory /var/www is not owned by web1_webmas
ter

my website is in /var/www/web1
with 0.6.2 that works ok.


my suPHP.conf

Code:

allow_directory_group_writeable=true
allow_directory_others_writeable=false

;Check wheter script is within DOCUMENT_ROOT
check_vhost_docroot=true

;Send minor error messages to browser
errors_to_browser=false

;PATH environment variable
env_path=/bin:/usr/bin

;Umask to set, specify in octal notation
umask=0077

; Minimum UID
min_uid=100

; Minimum GID
min_gid=100

[handlers]
;Handler for php-scripts
x-httpd-php=php:/home/admispconfig/ispconfig/tools/suphp/usr/bin/php-wrapper

;Handler for CGI-scripts
x-suphp-cgi=execute:!self

 

Can you post the vhost configuration of the /var/www/web1 web site?

 

ok here is my web1 vhost file

Code:

<VirtualHost 192.168.1.123:80>
RewriteEngine on
RewriteCond %{HTTP_HOST}   ^stats.dch.cz [NC]
RewriteRule   ^/(.*)$ /stats/$1  [L]
RewriteCond %{HTTP_HOST}   ^meteo.dch.cz [NC]
RewriteRule   ^/(.*)$ /meteo/$1  [L]
SuexecUserGroup web1_webmaster web1
ServerName www.dch.cz:80
ServerAdmin [email protected]
DocumentRoot /var/www/web1/web
ServerAlias mail.dch.cz admin.dch.cz mysql.dch.cz webmin.dch.cz stats.dch.cz use
r.dch.cz dch.cz meteo.dch.cz okna.dch.cz www.okna.dch.cz mailuser.dch.cz webcam.
dch.cz nod.dch.cz
DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 i
ndex.shtml index.cgi index.pl index.jsp Default.htm default.htm
Alias  /cgi-bin/ /var/www/web1/cgi-bin/
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
ErrorLog /var/www/web1/log/error.log
AddType application/x-httpd-php .php .php3 .php4 .php5
<Directory /var/www/web1/web>
  suPHP_Engine on
  suPHP_UserGroup web1_webmaster web1
  AddHandler x-httpd-php .php .php3 .php4 .php5
  suPHP_AddHandler x-httpd-php
  SetEnv php_safe_mode Off
</Directory>
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
AddType application/vnd.wap.wmlscriptc .wmlsc .wsc
AddType text/vnd.wap.wml .wml
AddType text/vnd.wap.wmlscript .ws .wmlscript
AddType image/vnd.wap.wbmp .wbmp
Alias /error/ "/var/www/web1/web/error/"
ErrorDocument 400 /error/invalidSyntax.html
ErrorDocument 401 /error/authorizationRequired.html
ErrorDocument 403 /error/forbidden.html
ErrorDocument 404 /error/fileNotFound.html
ErrorDocument 405 /error/methodNotAllowed.html
ErrorDocument 500 /error/internalServerError.html
ErrorDocument 503 /error/overloaded.html
AliasMatch ^/~([^/]+)(/(.*))? /var/www/web1/user/$1/web/$3
AliasMatch ^/users/([^/]+)(/(.*))? /var/www/web1/user/$1/web/$3
RewriteEngine on
RewriteCond %{HTTP_HOST}   ^mail\.dch\.cz [NC]
RewriteRule ^/(.*)         http://dch.cz:81/roundcubemail/$1 [L,R]
RewriteCond %{HTTP_HOST}   ^admin\.dch\.cz [NC]
RewriteRule ^/(.*)         http://dch.cz:81/$1 [L,R]
RewriteCond %{HTTP_HOST}   ^mysql\.dch\.cz [NC]
RewriteRule ^/(.*)         http://dch.cz:81/phpmyadmin/$1 [L,R]
RewriteCond %{HTTP_HOST}   ^webmin\.dch\.cz [NC]
RewriteRule ^/(.*)         https://dch.cz:10000/$1 [L,R]
RewriteCond %{HTTP_HOST}   ^user\.dch\.cz [NC]
RewriteRule ^/(.*)         https://dch.cz:20000/$1 [L,R]
RewriteCond %{HTTP_HOST}   ^dch\.cz [NC]
RewriteRule ^/(.*)         http://www.dch.cz/$1 [L,R]
RewriteCond %{HTTP_HOST}   ^mailuser\.dch\.cz [NC]
RewriteRule ^/(.*)         http://dch.cz:81/mailuser/$1 [L,R]
RewriteCond %{HTTP_HOST}   ^webcam\.dch\.cz [NC]
RewriteRule ^/(.*)         http://dch.cz:83/$1 [L,R]
RewriteCond %{HTTP_HOST}   ^nod\.dch\.cz [NC]
RewriteRule ^/(.*)         https://dch.cz:82/$1 [L,R]
</VirtualHost>

 

Looks ok.
Can you post the output of

Code:

ls -la /var

as well?

 

here is, currently i have suphp 0.6.2 active

drwxr-xr-x 21 root root 1024 bře 4 15:16 ./
drwxr-xr-x 21 root root 1024 dub 23 14:03 ../
drwxr-xr-x 2 root root 1024 bře 4 15:16 backup/
drwxr-xr-x 15 root root 1024 úno 27 16:06 cache/
drwxr-xr-x 2 root root 1024 pro 6 2006 db/
drwxr-xr-x 2 root root 1024 bře 27 12:01 empty/
drwxr-xr-x 3 root root 1024 zář 6 2007 ftp/
drwxr-xr-x 2 root root 1024 dub 5 2007 iptraf/
drwxr-xr-x 38 root root 1024 dub 23 14:17 lib/
drwxr-xr-x 2 root root 1024 pro 6 2006 local/
drwxrwxr-x 3 root root 1024 dub 23 11:07 lock/
drwxr-xr-x 22 root root 3072 dub 21 23:59 log/
lrwxrwxrwx 1 root root 10 kvě 19 2007 mail -> spool/mail/
drwxr-xr-x 2 root root 1024 pro 6 2006 nis/
drwxr-xr-x 2 root root 1024 pro 6 2006 opt/
drwxr-xr-x 2 root root 1024 pro 6 2006 preserve/
drwxr-xr-x 23 root root 2048 dub 23 14:06 run/
drwxr-xr-x 11 root root 1024 říj 29 20:10 spool/
drwxr-xr-x 3 root root 1024 lis 18 2006 state/
drwxrwxrwt 2 root root 1024 dub 23 11:20 tmp/
drwxr-xr-x 2 root root 1024 úno 22 2007 webmin/
drwxr-xr-x 16 apache apache 1024 dub 4 05:00 www/

 

i've installed suphp 0.6.2 on ispconfig 2.2.18 based on this howto: http://www.howtoforge.com/suphp_debian_etch_ispconfig
i've updated ispconfig to 2.2.22 and still to work properly.

but, all the webs get 500 error after updated suphp to 0.6.3 based on this howto: http://www.howtoforge.com/install-s...tions-for-use-with-ispconfig-2.2.20-and-above

debian etch amd64, apache 2.2.3, php 5.2.0-8

 

Can you try and change

Code:

allow_directory_others_writeable=false

to

Code:

allow_directory_others_writeable=true 

in /etc/suphp.conf?