Give each php instance different credentials

In order to secure your shared web hosting server, you might have considered running each vhost under a different account using the suexec mechanism, but it's not really handy: you must keep a copy of the php-cgi binary for each vhost somewhere with the appropriate rights, and then when updating php you're in an awkward position.

There’s something easier to do, and it’s by using suphp. Configure it one time, and then you don’t have to care much.

I’m not saying using suphp is the best solution, because there are several ways of getting to the same result, but this one is certainly one of the quickest and cleanest.

This tutorial is based on FreeBSD.

Installing suphp

First, go to the ports directory, but don’t start making the thing yet.
In order to have suphp running under a specific user/group account, you will have to modify the provided Makefile to enable the paranoid mode. (don't laugh, plz)

cd /usr/ports/www/suphp
vim Makefile
	WITH_SETID_MODE?=       paranoid
make install clean

Configuring suphp

Basically, the configuration file should look like this (customize the minimum uid and gid so that they are higher than those of your regular users):

cat /usr/local/etc/suphp.conf
=>	[global]
	;Path to logfile
	logfile=/var/log/suphp.log

	;Loglevel
	loglevel=info

	;User Apache is running as
	webserver_user=www

	;Path all scripts have to be in
	docroot=/usr/local/www/*:${HOME}/public_html

	;Path to chroot() to before executing script
	;chroot=/mychroot

	; Security options
	allow_file_group_writeable=false
	allow_file_others_writeable=false
	allow_directory_group_writeable=false
	allow_directory_others_writeable=false

	;Check whether script is within DOCUMENT_ROOT
	check_vhost_docroot=true

	;Send minor error messages to browser
	errors_to_browser=false

	;PATH environment variable
	;env_path=/bin:/usr/bin

	;Umask to set, specify in octal notation
	;umask=0077

	; Minimum UID
	min_uid=80

	; Minimum GID
	min_gid=80


	[handlers]
	;Handler for php-scripts
	application/x-httpd-php="php:/usr/local/bin/php-cgi"

	;Handler for CGI-scripts
	x-suphp-cgi="execute:!self"

Adding a user

If you're reading this howto, you already should know how to add a user. But here it is:

adduser
=>	Username: rtfmwww
	Full name: rtfm.asia suphp user
	Uid (Leave empty for default): 5000
	Login group [rtfmwww]:
	Login group is rtfmwww. Invite rtfmwww into other groups? []:
	Login class [default]:
	Shell (sh csh tcsh bash rbash nologin) [sh]: nologin
	Home directory [/home/rtfmwww]: /nonexistent
	Home directory permissions (Leave empty for default):
	Use password-based authentication? [yes]: no
	Lock out the account after creation? [no]:
	Username   : rtfmwww
	Password   : <disabled>
	Full Name  : rtfm.asia suphp user
	Uid        : 5000
	Class      :
	Groups     : rtfmwww
	Home       : /nonexistent
	Home Mode  :
	Shell      : /usr/sbin/nologin
	Locked     : no
	OK? (yes/no): yes
	adduser: INFO: Successfully added (rtfmwww) to the user database.

Creating the directories

Let's create some directories and assign the rights:

  • htdocs : where the served files should be
  • logs : where the access and error logs will be stored
  • conf : where the vhost related php.ini file should be stored (if not present, default php.ini file will be loaded)
  • sessions : where vhost sessions will be stored

mkdir -p /usr/local/www/rtfm/{htdocs,logs,conf,sessions}
chown -R rtfmwww:rtfmwww /usr/local/www/rtfm

If you plan to use suphp, don't forget to deactivate the default php5 interpreter and add the suphp module to your httpd.conf file.

	# comment out this line
	#LoadModule php5_module        libexec/apache22/libphp5.so
	# add this one
	LoadModule suphp_module       libexec/apache22/mod_suphp.so

Copy the original /usr/local/etc/php/php.ini file (with correct rights) in /usr/local/www/rtfm/conf/php.ini for the vhost and customize values to suit vhost needs.

You will have to customize session.save_path in the previously created file in order to have sessions working properly.

session.save_path = "/usr/local/www/rtfm/sessions"

Now the Apache vhost definition:

<VirtualHost *:80>
        ServerName test.rtfm.asia
        DocumentRoot /usr/local/www/rtfm/htdocs
        ErrorLog /usr/local/www/rtfm/logs/error.log
        CustomLog /usr/local/www/rtfm/logs/access.log combined
        <Directory "/usr/local/www/rtfm/htdocs">
                AllowOverride All
                Order allow,deny
                Allow from all
        </Directory>
        suPHP_Engine On
        AddType application/x-httpd-php .php
        suPHP_AddHandler application/x-httpd-php
        suPHP_ConfigPath /usr/local/www/rtfm/conf
        suPHP_UserGroup rtfmwww rtfmwww
</VirtualHost>

Run a configtest and restart apache (yes, a restart: it is mandatory because the php interpreter has changed). You're done.

How to handle vhosts?

What you'll have to do to add a new vhost is:

  1. create user
  2. create directories
  3. (optional) create custom php.ini
  4. create vhost definition

That's all. Didn't I tell you it's clean? ;)
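As an added example (not the post's own code), a POSIX sh preflight script covering the suphp.conf security options and the four-step procedure above: it checks a new vhost tree against the constraints suphp enforces (ownership, no group/other-writable files, uid/gid not below min_uid/min_gid, session.save_path inside the vhost) and prints the vhost definition. It assumes the directory layout from this post and takes the vhost name, base directory and user/group as arguments.

```shell
#!/bin/sh
# Preflight checks for a suphp vhost tree. Assumed layout (from the post):
# $base/{htdocs,logs,conf,sessions}, all owned by the vhost user.

# suphp refuses scripts it does not own or that are group/other-writable
# (allow_*_writeable=false in suphp.conf); check the whole tree up front.
check_tree() {
    base=$1 owner=$2
    [ -d "$base" ] || return 1
    [ -z "$(find "$base" ! -user "$owner")" ] || return 1
    [ -z "$(find "$base" \( -perm -g+w -o -perm -o+w \))" ]
}

# suphp rejects a uid/gid below min_uid/min_gid; pass the values from suphp.conf.
check_min_ids() {
    user=$1 min_uid=$2 min_gid=$3
    [ "$(id -u "$user")" -ge "$min_uid" ] && [ "$(id -g "$user")" -ge "$min_gid" ]
}

# The per-vhost php.ini must point sessions into the vhost's own directory,
# otherwise every vhost shares the default session path.
check_session_path() {
    base=$1
    grep -Eq "^session\.save_path *= *\"?$base/sessions\"?" "$base/conf/php.ini"
}

# Emit the vhost block from the post, with access and error logs kept apart.
vhost_conf() {
    name=$1 base=$2 user=$3 group=$4
    cat <<EOF
<VirtualHost *:80>
    ServerName $name
    DocumentRoot $base/htdocs
    ErrorLog $base/logs/error.log
    CustomLog $base/logs/access.log combined
    <Directory "$base/htdocs">
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    suPHP_Engine On
    AddType application/x-httpd-php .php
    suPHP_AddHandler application/x-httpd-php
    suPHP_ConfigPath $base/conf
    suPHP_UserGroup $user $group
</VirtualHost>
EOF
}
```

Run the three checks as the vhost user's tree is created; any failure is a file suphp would refuse to execute once Apache is restarted.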

Article originally posted on my old website at this url


Created on 2009-12-22
