HOW-TO: custom php.ini (suPHP) and phptmp folder for every domain

prale

Verified User
Joined
Nov 21, 2008
Messages
31
I found out security in Directadmin can be better.
My solution is to use custom php.ini for every domain with openbasedir to the domainfolder.
Also I use a custom phptmp directory for every domain, so that users can't access temp files from other users or domains.
The php.ini files are write protected with chattr, so that users (even root) can't edit it with ftp or ssh.
I advise you to keep it this way, so that users can't change open_basedir and hack into directories from other users.
This is tested in Debian Etch, use at your own risk!

First of all build custombuild with suPHP:

Code:
vi /usr/local/directadmin/custombuild/options.conf
Replace:
Code:
php5_cli=yes
php5_cgi=no
With:
Code:
php5_cli=no
php5_cgi=yes
Run the custombuild script:

Code:
cd /usr/local/directadmin/custombuild
./build clean
./build all
Code:
vi /etc/httpd/conf/extra/httpd-suphp.conf
Replace:
Code:
suPHP_ConfigPath /usr/local/etc/php5/cgi/
With:

Code:
#suPHP_ConfigPath /usr/local/etc/php5/cgi/
(in other words comment it out)
Note: I found out that after each rebuild of custombuild, you have to uncomment this again.

Code:
cd /usr/local/directadmin/data/templates
cp virtual_host*.conf custom
cd custom
Once you've copied the 4 VirtualHost files (or just the ones you want) to the custom directory, you can then edit the new files you've just copied. DirectAdmin will always check for the custom file before going to the default ones. Failure to copy the virtual_host*.conf files to the custom directory before modifying them will result in a loss of all changes when DirectAdmin updates itself (the files are overwritten). Note that there are actually 8 virtual_host files, but you only need to worry about the 4 that apply to you. The files with the 2 in them are for apache 2.x. The ones without the 2 in them are for apache 1.3.

Change:
Code:
|*if SUPHP="1"|
                suPHP_Engine |PHP|
                suPHP_UserGroup |USER| |GROUP|
|*endif|

to:
Code:
|*if SUPHP="1"|
                suPHP_Engine |PHP|
                suPHP_UserGroup |USER| |GROUP|
                suPHP_ConfigPath |HOME|/domains/|DOMAIN|/
|*endif|
Repeat this for all 4 VirtualHost files.
Let directadmin rewrite all http configs:
Code:
echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue
Now we create the custom scripts:
Code:
mkdir -p /usr/local/directadmin/scripts/custom/
cd /usr/local/directadmin/scripts/custom/
Create the following files:

domain_change_post.sh:
Code:
#!/bin/sh
# Build the per-domain php.ini and phptmp directory for the new domain name.
DEFPHPINI=/usr/local/etc/php5/cgi/php.ini
USERPHPINI=/home/$username/domains/$newdomain/php.ini
mkdir -p "/home/$username/domains/$newdomain/phptmp"
cp "$DEFPHPINI" "$USERPHPINI"
# \s* around "=" so the pattern matches "open_basedir = /var/www/html/:/tmp/" (space after "=") in the default php.ini
perl -pi -e "s/open_basedir\s*=\s*\/var\/www\/html\/:\/tmp\//open_basedir =\/home\/$username\/domains\/$newdomain\//g" "$USERPHPINI"
perl -pi -e "s/;upload_tmp_dir =/upload_tmp_dir =\/home\/$username\/domains\/$newdomain\/phptmp\//g" "$USERPHPINI"
perl -pi -e "s/;session.save_path = \"\/tmp\"/session.save_path =\"\/home\/$username\/domains\/$newdomain\/phptmp\/\"/g" "$USERPHPINI"
chown -R "$username:$username" "/home/$username/domains/$newdomain"
chmod -R 755 "/home/$username/domains/$newdomain"
# Make php.ini immutable so it cannot be edited over ftp or ssh.
chattr +i "$USERPHPINI"
domain_change_pre.sh:
Code:
#!/bin/sh
chattr -i /home/$username/domains/$domain/php.ini
domain_create_post.sh
Code:
#!/bin/sh
# Build the per-domain php.ini and phptmp directory for a newly created domain.
DEFPHPINI=/usr/local/etc/php5/cgi/php.ini
USERPHPINI=/home/$username/domains/$domain/php.ini
mkdir -p "/home/$username/domains/$domain/phptmp"
cp "$DEFPHPINI" "$USERPHPINI"
# \s* around "=" so the pattern matches "open_basedir = /var/www/html/:/tmp/" (space after "=") in the default php.ini
perl -pi -e "s/open_basedir\s*=\s*\/var\/www\/html\/:\/tmp\//open_basedir =\/home\/$username\/domains\/$domain\//g" "$USERPHPINI"
perl -pi -e "s/;upload_tmp_dir =/upload_tmp_dir =\/home\/$username\/domains\/$domain\/phptmp\//g" "$USERPHPINI"
perl -pi -e "s/;session.save_path = \"\/tmp\"/session.save_path =\"\/home\/$username\/domains\/$domain\/phptmp\/\"/g" "$USERPHPINI"
chown -R "$username:$username" "/home/$username/domains/$domain"
chmod -R 755 "/home/$username/domains/$domain"
# Make php.ini immutable so it cannot be edited over ftp or ssh.
chattr +i "$USERPHPINI"
domain_destroy_pre.sh
Code:
#!/bin/sh
chattr -i /home/$username/domains/$domain/php.ini
user_create_post.sh
Code:
#!/bin/sh
# Build php.ini and phptmp for every domain of a newly created user.
DEFPHPINI=/usr/local/etc/php5/cgi/php.ini
for d in `cat /usr/local/directadmin/data/users/$username/domains.list`; do
 {
  USERPHPINI=/home/$username/domains/${d}/php.ini
  mkdir -p "/home/$username/domains/${d}/phptmp"
  cp "$DEFPHPINI" "$USERPHPINI"
  # \s* around "=" so the pattern matches "open_basedir = /var/www/html/:/tmp/" (space after "=") in the default php.ini
  perl -pi -e "s/open_basedir\s*=\s*\/var\/www\/html\/:\/tmp\//open_basedir =\/home\/$username\/domains\/${d}\//g" "$USERPHPINI"
  perl -pi -e "s/;upload_tmp_dir =/upload_tmp_dir =\/home\/$username\/domains\/${d}\/phptmp\//g" "$USERPHPINI"
  perl -pi -e "s/;session.save_path = \"\/tmp\"/session.save_path =\"\/home\/$username\/domains\/${d}\/phptmp\/\"/g" "$USERPHPINI"
  chattr +i "$USERPHPINI"
 };
 done;
 chown -R "$username:$username" "/home/$username"
 chmod -R 755 "/home/$username"
user_destroy_pre.sh
Code:
#!/bin/sh
for d in `cat /usr/local/directadmin/data/users/$username/domains.list`; do
 {
 chattr -i /home/$username/domains/${d}/php.ini
 };
 done;
Do chmod +x for all these files.

Now the last step is to edit your standard php.ini.
This one is used for the http://ip/~userdir so we need to customise it.

[EDIT]
Note that with suPHP you can't run php scripts from http://ip/~userdir without switching suPHP from paranoid to owner mode!
http://help.directadmin.com/item.php?id=176
I advise staying in paranoid mode, I just don't use php scripts at http://ip/~userdir.
The reason for this is that I've read about some security problems with owner mode somewhere on the net.
[/EDIT]

(Remember that the above custom scripts require these exact settings for the replace functions to work)

Code:
vi /usr/local/etc/php5/cgi/php.ini
Code:
open_basedir = /var/www/html/:/tmp/
disable_functions = dl,exec,passthru,proc_open,proc_close,shell_exec,system
;upload_tmp_dir =
;session.save_path = "/tmp"
Now restart directadmin:
Code:
/etc/init.d/directadmin restart
Done.
I also have a script for you to regenerate all user dirs and files. This is handy if you need to update all php.ini files, for example.

Code:
#!/bin/sh
# Regenerate the directory layout, php.ini and phptmp for every domain of every user.
DEFPHPINI=/usr/local/etc/php5/cgi/php.ini
for i in `ls /usr/local/directadmin/data/users`; do
{
 for d in `cat /usr/local/directadmin/data/users/${i}/domains.list`; do
 {
  USERPHPINI=/home/${i}/domains/${d}/php.ini
  mkdir -p "/home/${i}/domains/${d}/public_html/cgi-bin"
  mkdir -p "/home/${i}/domains/${d}/private_html"
  mkdir -p "/home/${i}/domains/${d}/public_ftp"
  mkdir -p "/home/${i}/domains/${d}/stats"
  mkdir -p "/home/${i}/domains/${d}/logs"
  mkdir -p "/home/${i}/domains/${d}/phptmp"
  # Drop the immutable flag, then replace the old php.ini (it is a file, so -f rather than -r).
  chattr -i "$USERPHPINI"
  rm -f "$USERPHPINI"
  cp "$DEFPHPINI" "$USERPHPINI"
  # \s* around "=" so the pattern matches "open_basedir = /var/www/html/:/tmp/" (space after "=") in the default php.ini
  perl -pi -e "s/open_basedir\s*=\s*\/var\/www\/html\/:\/tmp\//open_basedir =\/home\/${i}\/domains\/${d}\//g" "$USERPHPINI"
  perl -pi -e "s/;upload_tmp_dir =/upload_tmp_dir =\/home\/${i}\/domains\/${d}\/phptmp\//g" "$USERPHPINI"
  perl -pi -e "s/;session.save_path = \"\/tmp\"/session.save_path =\"\/home\/${i}\/domains\/${d}\/phptmp\/\"/g" "$USERPHPINI"
  chattr +i "$USERPHPINI"
 };
 done;
 mkdir -p "/home/${i}/backups"
 chown -R "$i:$i" "/home/${i}"
 chmod -R 755 "/home/${i}"
};
done;
/etc/init.d/httpd restart
exit 0;
 
Last edited:
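
Added example, not part of prale's post or of DirectAdmin: a version of the php.ini rewrite step that tolerates spacing and comment differences in the default php.ini and then checks the result, so a substitution that silently did nothing (the failure reported later in this thread) is caught before the file is locked. The function names are hypothetical, and chown/chattr are left out so it can be tried on a scratch directory without root. It also sets phptmp to mode 700, which is a choice made here, not the tutorial's.

```shell
#!/bin/sh
# write_domain_ini DEFAULT_INI DOMAIN_DIR   (hypothetical helper, added example)
# Copies DEFAULT_INI to DOMAIN_DIR/php.ini, confines PHP to DOMAIN_DIR and
# points upload and session storage at DOMAIN_DIR/phptmp.
write_domain_ini() {
    def_ini=$1
    dom_dir=${2%/}
    ini=$dom_dir/php.ini
    tmp=$dom_dir/phptmp

    # These characters would be misread by sed as delimiter or replacement syntax.
    case $dom_dir in *"|"*|*"&"*|*\\*) return 2 ;; esac

    mkdir -p "$tmp" || return 1
    # suPHP runs PHP as the account owner, so no other account needs access.
    chmod 700 "$tmp" || return 1

    # Match each directive whether or not it is commented out with ";" and
    # whatever the spacing around "=", then replace the whole line.
    sed -e "s|^;*open_basedir *=.*|open_basedir = $dom_dir/|" \
        -e "s|^;*upload_tmp_dir *=.*|upload_tmp_dir = $tmp/|" \
        -e "s|^;*session\.save_path *=.*|session.save_path = \"$tmp/\"|" \
        "$def_ini" > "$ini" || return 1

    # Fail if any directive was absent from DEFAULT_INI and so never rewritten.
    check_domain_ini "$dom_dir"
}

# check_domain_ini DOMAIN_DIR
# Returns 0 only if all three directives carry the expected per-domain values.
check_domain_ini() {
    dom_dir=${1%/}
    ini=$dom_dir/php.ini
    grep -qxF "open_basedir = $dom_dir/" "$ini" &&
    grep -qxF "upload_tmp_dir = $dom_dir/phptmp/" "$ini" &&
    grep -qxF "session.save_path = \"$dom_dir/phptmp/\"" "$ini"
}

# Stand-alone use: sh thisfile DEFAULT_INI DOMAIN_DIR
if [ "$#" -eq 2 ]; then
    write_domain_ini "$1" "$2"
fi
```

In a real hook the call would sit where the three perl lines are, with chattr +i applied only when the function returns 0. check_domain_ini can also be run on its own over existing domains to find php.ini files still carrying the default open_basedir.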

kadir_aga

New member
Joined
Feb 3, 2009
Messages
1
Hi,
i am problem server all domain
" No input file specified. " error .

debian os

PHP 5.2.8 (cli) (built: Feb 4 2009 03:37:55)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
with Zend Extension Manager v1.2.2, Copyright (c) 2003-2007, by Zend Technologies
with Zend Optimizer v3.3.3, Copyright (c) 1998-2007, by Zend Technologies

--UPDATE POST --
Running all site but
open_basedir = /var/www/html/:/tmp/ to ;open_basedir = /var/www/html/:/tmp/

Safe Mod enable and "No input file specified." error.
What could be the matter ?
 

nservices

Verified User
Joined
Dec 11, 2008
Messages
293
error 500

Hi,
i need to do:
chmod -R 755 /home/${i}
as root after add user to DA
else it writes: internal server error: 500

where i need to put chmod -R 755 /home/${i} in custom script so its do it automatically ?

Regards,
Nservices.
 

prale

Verified User
Joined
Nov 21, 2008
Messages
31
Hi,
i need to do:
chmod -R 755 /home/${i}
as root after add user to DA
else it writes: internal server error: 500

where i need to put chmod -R 755 /home/${i} in custom script so its do it automatically ?

Regards,
Nservices.
It should be in user_create_post.sh

Are you sure that you followed my tutorial correctly?
Because it's already in user_create_post.sh:

Code:
chown -R $username:$username /home/$username
 chmod -R 755 /home/$username
Maybe you need sudo for it?
 

prale

Verified User
Joined
Nov 21, 2008
Messages
31
Hi,
i am problem server all domain
" No input file specified. " error .

debian os

PHP 5.2.8 (cli) (built: Feb 4 2009 03:37:55)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
with Zend Extension Manager v1.2.2, Copyright (c) 2003-2007, by Zend Technologies
with Zend Optimizer v3.3.3, Copyright (c) 1998-2007, by Zend Technologies

--UPDATE POST --
Running all site but
open_basedir = /var/www/html/:/tmp/ to ;open_basedir = /var/www/html/:/tmp/

Safe Mod enable and "No input file specified." error.
What could be the matter ?
Code:
PHP 5.2.8 (cli) (built: Feb 4 2009 03:37:55)
You are probably still running php in CLI mode, not CGI.
 

nservices

Verified User
Joined
Dec 11, 2008
Messages
293
no, other issue

It should be in user_create_post.sh

Are you sure that you followed my tutorial correctly?
Because it's already in user_create_post.sh:

Maybe you need sudo for it?
i followed my tutorial correctly & its was OK
the problem was incorrect permissions for php files
 

prale

Verified User
Joined
Nov 21, 2008
Messages
31
Yeah that's right if you have already sites running you have to chmod all these files to 755.
I forgot to mention this in my tutorial since I always do clean installs.
 

prale

Verified User
Joined
Nov 21, 2008
Messages
31
I've read something about a new way in directadmin to specify the suPHP custom php.ini
I'll let you guys know...
 

nservices

Verified User
Joined
Dec 11, 2008
Messages
293
Security problem with

when i config apache_public_html=1 in directadmin.conf
its not work for new users
( chown -R $username:$username /home/$username
chmod -R 755 /home/$username make public_html readable by other users in custom script)
and if i change this to 711 the website not work (error 500)

what i can do to prevent access to public_html with custom php.ini (suPHP) and phptmp folder for every domain ?

Regards,
Nservices.
 

HKI

Verified User
Joined
May 31, 2009
Messages
25
Hello,

.php scripts are throwing 404 error for some reason, .txt, .html is working OK.

No error on apache/suphp logfiles.
Any advise for this?

Thank you!
HKI
 

HKI

Verified User
Joined
May 31, 2009
Messages
25
Hello,

Regarding also kadir_aga post, I just solved same issue I had with it.
This is caused because open_basedir configuration in php.ini is wrong, this happens because

Code:
perl -pi -e "s/open_basedir =\/var\/www\/html\/:\/tmp\//open_basedir =\/home\/${i}\/domains\/${d}\//g" $USERPHPINI
  perl -pi -e "s/;upload_tmp_dir =/upload_tmp_dir =\/home\/${i}\/domains\/${d}\/phptmp\//g" $USERPHPINI
  perl -pi -e "s/;session.save_path = \"\/tmp\"/session.save_path =\"\/home\/${i}\/domains\/${d}\/phptmp\/\"/g" $USERPHPINI
Is not correctly editing php.ini file and not replacing open_basedir to /home/users/domains/domain.com

HKI
 

dani67

New member
Joined
Sep 6, 2011
Messages
1
How install suphp?

Hi,

I did these steps to activate suphp but I wasn't successful because I received "No input file specified" in my php pages. So, I read this thread and I found you said that error happened because php version is "CLI"!

I checked php version and found out it's 5.2.17 (cli) but note please i installed cgi version according to above steps!

any way, i had to uninstall suphp by following command:

in options.conf :

I changed
php_cli=no
php_cgi=yes

to

php_cli=yes
php_cgi=no

then:

./build php n

and then i got following error on php pages:

Warning: Unknown: failed to open stream: Permission denied in Unknown on line 0

Fatal error: Unknown: Failed opening required '/home/USER/domains/MyDomain.com/public_html/Directory/index.php' (include_path='.:/usr/local/lib/php') in Unknown on line

then i changed index.php permission from 744 to 644 then error has been changed to:

: main(Zend/Application.php) [function.main]: failed to open stream: No such file or directory in /home/USER/domains/MyDomain.com/public_html/index.php on line 26

Fatal error: main() [function.require]: Failed opening required 'Zend/Application.php' (include_path='/home/USER/domains/MyDomain.com/public_html/application/library:.:/usr/local/lib/php') in/home/USER/domains/MyDomain.com/public_html/index.php on line

How can I solve these problems? I ask you, please help me! :confused:
 

Daz29

Verified User
Joined
Jun 23, 2012
Messages
8
no input file specified

Code:
PHP 5.2.8 (cli) (built: Feb 4 2009 03:37:55)
You are probably still running php in CLI mode, not CGI.
Negative, I get this error and in CGI mode, cheers very much -- you bought down my server :rolleyes:


Anyone know of a simpler way to install suPHP which actually works, or how to fix the error "no input file specified"

Thanks
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,934
Location
GMT +7.00
I guess you need to hire somebody who can guarantee the quality of the done work. So feel free to contact someone on these forums via PM in order to get a qualified commerce service, I am as well as others here are ready to help you with the issue.
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,513
Anyone know of a simpler way to install suPHP which actually works, or how to fix the error "no input file specified"
Why don't you just do it in custombuild? I have suphp working without any problems, and only installed in using custombuild:

Code:
cd /usr/local/directadmin/custombuild
./build suphp
 

Daz29

Verified User
Joined
Jun 23, 2012
Messages
8
I guess you need to hire somebody who can guarantee the quality of the done work. So feel free to contact someone on these forums via PM in order to get a qualified commerce service, I am as well as others here are ready to help you with the issue.
believe it or not, I was on your site a moment before reading your post. :eek:

Why don't you just do it in custombuild? I have suphp working without any problems, and only installed in using custombuild:

Code:
cd /usr/local/directadmin/custombuild
./build suphp
Thanks for your help, I ran that command, and it said suphp is installed, so is there nothing else that needs doing other than that, how do I know it's installed?

Thanks again :)
 