HOW-TO: custom php.ini (suPHP) and phptmp folder for every domain

prale

I found out security in DirectAdmin can be better.
My solution is to use a custom php.ini for every domain with open_basedir set to the domain folder.
I also use a custom phptmp directory for every domain, so that users can't access temp files from other users or domains.
The php.ini files are write-protected with chattr, so that users (even root) can't edit them with ftp or ssh.
I advise you to keep it this way, so that users can't change open_basedir and hack into directories of other users.
This is tested on Debian Etch, use at your own risk!

First of all build custombuild with suPHP:

Code:
vi /usr/local/directadmin/custombuild/options.conf
Replace:
Code:
php5_cli=yes
php5_cgi=no

With:
Code:
php5_cli=no
php5_cgi=yes

Run the custombuild script:

Code:
cd /usr/local/directadmin/custombuild
./build clean
./build all

Code:
vi /etc/httpd/conf/extra/httpd-suphp.conf

Replace:
Code:
suPHP_ConfigPath /usr/local/etc/php5/cgi/

With:

Code:
#suPHP_ConfigPath /usr/local/etc/php5/cgi/
(in other words comment it out)
Note: I found out that after each rebuild of custombuild, you have to uncomment this again.

Code:
cd /usr/local/directadmin/data/templates
cp virtual_host*.conf custom
cd custom

Once you've copied the 4 VirtualHost files (or just the ones you want) to the custom directory, you can then edit the new files you've just copied. DirectAdmin will always check for the custom file before going to the default ones. Failure to copy the virtual_host*.conf files to the custom directory before modifying them will result in a loss of all changes when DirectAdmin updates itself (the files are overwritten). Note that there are actually 8 virtual_host files, but you only need to worry about the 4 that apply to you. The files with the 2 in them are for apache 2.x. The ones without the 2 in them are for apache 1.3.

Change:
Code:
|*if SUPHP="1"|
                suPHP_Engine |PHP|
                suPHP_UserGroup |USER| |GROUP|
|*endif|


to:
Code:
|*if SUPHP="1"|
                suPHP_Engine |PHP|
                suPHP_UserGroup |USER| |GROUP|
                suPHP_ConfigPath |HOME|/domains/|DOMAIN|/
|*endif|

Repeat this for all 4 VirtualHost files.
Let DirectAdmin rewrite all httpd configs:
Code:
echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue

Now we create the custom scripts:
Code:
mkdir -p /usr/local/directadmin/scripts/custom/
cd /usr/local/directadmin/scripts/custom/

Create the following files:

domain_change_post.sh:
Code:
#!/bin/sh
# Runs after a domain is renamed: rebuild php.ini and phptmp under the new domain name
DEFPHPINI=/usr/local/etc/php5/cgi/php.ini
USERPHPINI=/home/$username/domains/$newdomain/php.ini
mkdir -p "/home/$username/domains/$newdomain/phptmp"
cp "$DEFPHPINI" "$USERPHPINI"
# \s* around "=" so the pattern also matches "open_basedir = /var/www/html/:/tmp/" (with spaces)
perl -pi -e "s/open_basedir\s*=\s*\/var\/www\/html\/:\/tmp\//open_basedir =\/home\/$username\/domains\/$newdomain\//g" "$USERPHPINI"
perl -pi -e "s/;upload_tmp_dir =/upload_tmp_dir =\/home\/$username\/domains\/$newdomain\/phptmp\//g" "$USERPHPINI"
perl -pi -e "s/;session.save_path = \"\/tmp\"/session.save_path =\"\/home\/$username\/domains\/$newdomain\/phptmp\/\"/g" "$USERPHPINI"
chown -R $username:$username "/home/$username/domains/$newdomain"
chmod -R 755 "/home/$username/domains/$newdomain"
# immutable flag last, so the chown/chmod above still apply to php.ini
chattr +i "$USERPHPINI"

domain_change_pre.sh:
Code:
#!/bin/sh
chattr -i /home/$username/domains/$domain/php.ini

domain_create_post.sh
Code:
#!/bin/sh
# Runs after a domain is created: build php.ini and phptmp for the new domain
DEFPHPINI=/usr/local/etc/php5/cgi/php.ini
USERPHPINI=/home/$username/domains/$domain/php.ini
mkdir -p "/home/$username/domains/$domain/phptmp"
cp "$DEFPHPINI" "$USERPHPINI"
# \s* around "=" so the pattern also matches "open_basedir = /var/www/html/:/tmp/" (with spaces)
perl -pi -e "s/open_basedir\s*=\s*\/var\/www\/html\/:\/tmp\//open_basedir =\/home\/$username\/domains\/$domain\//g" "$USERPHPINI"
perl -pi -e "s/;upload_tmp_dir =/upload_tmp_dir =\/home\/$username\/domains\/$domain\/phptmp\//g" "$USERPHPINI"
perl -pi -e "s/;session.save_path = \"\/tmp\"/session.save_path =\"\/home\/$username\/domains\/$domain\/phptmp\/\"/g" "$USERPHPINI"
chown -R $username:$username "/home/$username/domains/$domain"
chmod -R 755 "/home/$username/domains/$domain"
# immutable flag last, so the chown/chmod above still apply to php.ini
chattr +i "$USERPHPINI"

domain_destroy_pre.sh
Code:
#!/bin/sh
chattr -i /home/$username/domains/$domain/php.ini

user_create_post.sh
Code:
#!/bin/sh
# Runs after a user is created: build php.ini and phptmp for each of the user's domains
DEFPHPINI=/usr/local/etc/php5/cgi/php.ini
DOMAINS=`cat /usr/local/directadmin/data/users/$username/domains.list`
for d in $DOMAINS; do
  USERPHPINI=/home/$username/domains/${d}/php.ini
  mkdir -p "/home/$username/domains/${d}/phptmp"
  cp "$DEFPHPINI" "$USERPHPINI"
  # \s* around "=" so the pattern also matches "open_basedir = /var/www/html/:/tmp/" (with spaces)
  perl -pi -e "s/open_basedir\s*=\s*\/var\/www\/html\/:\/tmp\//open_basedir =\/home\/$username\/domains\/${d}\//g" "$USERPHPINI"
  perl -pi -e "s/;upload_tmp_dir =/upload_tmp_dir =\/home\/$username\/domains\/${d}\/phptmp\//g" "$USERPHPINI"
  perl -pi -e "s/;session.save_path = \"\/tmp\"/session.save_path =\"\/home\/$username\/domains\/${d}\/phptmp\/\"/g" "$USERPHPINI"
done
chown -R $username:$username /home/$username
chmod -R 755 /home/$username
# set the immutable flag last: chown/chmod cannot change an immutable file
for d in $DOMAINS; do
  chattr +i "/home/$username/domains/${d}/php.ini"
done

user_destroy_pre.sh
Code:
#!/bin/sh
for d in `cat /usr/local/directadmin/data/users/$username/domains.list`; do
 {
 chattr -i /home/$username/domains/${d}/php.ini
 };
 done;

Do chmod +x for all these files.

Now the last step is to edit your standard php.ini.
This one is used for the http://ip/~userdir so we need to customise it.

[EDIT]
Note that with suPHP you can't run php scripts from http://ip/~userdir without switching suPHP from paranoid to owner mode!
http://help.directadmin.com/item.php?id=176
I advise staying in paranoid mode; I just don't use php scripts at http://ip/~userdir.
The reason for this is that I've read about some security problems with owner mode somewhere on the net.
[/EDIT]

(Remember that the above custom scripts require these exact settings for the replace functions to work)

Code:
vi /usr/local/etc/php5/cgi/php.ini

Code:
open_basedir = /var/www/html/:/tmp/
disable_functions = dl,exec,passthru,proc_open,proc_close,shell_exec,system
;upload_tmp_dir =
;session.save_path = "/tmp"

Now restart directadmin:
Code:
/etc/init.d/directadmin restart

Done.
I also have a script for you to regenerate all user dirs and files; this is handy if you need to update all php.ini files, for example.

Code:
#!/bin/sh
# Rebuild the standard directories and the per-domain php.ini for every user and domain
DEFPHPINI=/usr/local/etc/php5/cgi/php.ini
for i in `ls /usr/local/directadmin/data/users`; do
  DOMAINS=`cat /usr/local/directadmin/data/users/${i}/domains.list`
  for d in $DOMAINS; do
    USERPHPINI=/home/${i}/domains/${d}/php.ini
    mkdir -p /home/${i}/domains/${d}/public_html/cgi-bin
    mkdir -p /home/${i}/domains/${d}/private_html
    mkdir -p /home/${i}/domains/${d}/public_ftp
    mkdir -p /home/${i}/domains/${d}/stats
    mkdir -p /home/${i}/domains/${d}/logs
    mkdir -p /home/${i}/domains/${d}/phptmp
    # drop the immutable flag (if the file exists) so php.ini can be replaced
    [ -f "$USERPHPINI" ] && chattr -i "$USERPHPINI"
    rm -f "$USERPHPINI"
    cp "$DEFPHPINI" "$USERPHPINI"
    # \s* around "=" so the pattern also matches "open_basedir = /var/www/html/:/tmp/" (with spaces)
    perl -pi -e "s/open_basedir\s*=\s*\/var\/www\/html\/:\/tmp\//open_basedir =\/home\/${i}\/domains\/${d}\//g" "$USERPHPINI"
    perl -pi -e "s/;upload_tmp_dir =/upload_tmp_dir =\/home\/${i}\/domains\/${d}\/phptmp\//g" "$USERPHPINI"
    perl -pi -e "s/;session.save_path = \"\/tmp\"/session.save_path =\"\/home\/${i}\/domains\/${d}\/phptmp\/\"/g" "$USERPHPINI"
  done
  mkdir -p /home/${i}/backups
  chown -R $i:$i /home/${i}
  chmod -R 755 /home/${i}
  # set the immutable flag last: chown/chmod cannot change an immutable file
  for d in $DOMAINS; do
    chattr +i /home/${i}/domains/${d}/php.ini
  done
done
/etc/init.d/httpd restart
exit 0
 
Hi,
I have a problem on the server: all domains give the
"No input file specified." error.

debian os

PHP 5.2.8 (cli) (built: Feb 4 2009 03:37:55)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
with Zend Extension Manager v1.2.2, Copyright (c) 2003-2007, by Zend Technologies
with Zend Optimizer v3.3.3, Copyright (c) 1998-2007, by Zend Technologies

-- UPDATE POST --
All sites are running, but with
open_basedir = /var/www/html/:/tmp/ changed to ;open_basedir = /var/www/html/:/tmp/

Safe Mode enabled and "No input file specified." error.
What could be the matter?
 
error 500

Hi,
I need to do:
chmod -R 755 /home/${i}
as root after adding a user to DA,
else it writes: internal server error: 500

Where do I need to put chmod -R 755 /home/${i} in a custom script so it's done automatically?

Regards,
Nservices.
 
Hi,
I need to do:
chmod -R 755 /home/${i}
as root after adding a user to DA,
else it writes: internal server error: 500

Where do I need to put chmod -R 755 /home/${i} in a custom script so it's done automatically?

Regards,
Nservices.

It should be in user_create_post.sh

Are you sure that you followed my tutorial correctly?
Because it's already in user_create_post.sh:

Code:
chown -R $username:$username /home/$username
chmod -R 755 /home/$username

Maybe you need sudo for it?
 
Hi,
I have a problem on the server: all domains give the
"No input file specified." error.

debian os

PHP 5.2.8 (cli) (built: Feb 4 2009 03:37:55)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
with Zend Extension Manager v1.2.2, Copyright (c) 2003-2007, by Zend Technologies
with Zend Optimizer v3.3.3, Copyright (c) 1998-2007, by Zend Technologies

-- UPDATE POST --
All sites are running, but with
open_basedir = /var/www/html/:/tmp/ changed to ;open_basedir = /var/www/html/:/tmp/

Safe Mode enabled and "No input file specified." error.
What could be the matter?

Code:
PHP 5.2.8 (cli) (built: Feb 4 2009 03:37:55)
You are probably still running php in CLI mode, not CGI.
 
No, other issue

It should be in user_create_post.sh

Are you sure that you followed my tutorial correctly?
Because it's already in user_create_post.sh:

Maybe you need sudo for it?

I followed my tutorial correctly & it was OK.
The problem was incorrect permissions for php files.
 
Yeah, that's right: if you already have sites running you have to chmod all these files to 755.
I forgot to mention this in my tutorial since I always do clean installs.
 
I've read something about a new way in directadmin to specify the suPHP custom php.ini
I'll let you guys know...
 
Security problem with

When I configure apache_public_html=1 in directadmin.conf
it does not work for new users
( chown -R $username:$username /home/$username
chmod -R 755 /home/$username in the custom script make public_html readable by other users)
and if I change this to 711 the website does not work (error 500)

What can I do to prevent access to public_html with custom php.ini (suPHP) and phptmp folder for every domain?

Regards,
Nservices.
 
Hello,

.php scripts are throwing 404 error for some reason, .txt, .html is working OK.

No error on apache/suphp logfiles.
Any advice for this?

Thank you!
HKI
 
Hello,

Also regarding kadir_aga's post, I just solved the same issue I had with it.
This is caused because the open_basedir configuration in php.ini is wrong; this happens because

Code:
perl -pi -e "s/open_basedir =\/var\/www\/html\/:\/tmp\//open_basedir =\/home\/${i}\/domains\/${d}\//g" $USERPHPINI
  perl -pi -e "s/;upload_tmp_dir =/upload_tmp_dir =\/home\/${i}\/domains\/${d}\/phptmp\//g" $USERPHPINI
  perl -pi -e "s/;session.save_path = \"\/tmp\"/session.save_path =\"\/home\/${i}\/domains\/${d}\/phptmp\/\"/g" $USERPHPINI
is not correctly editing the php.ini file and not replacing open_basedir with /home/users/domains/domain.com

HKI
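
The failure described in the post above (the substitutions leave the stock open_basedir in place, so every script under /home is refused) can be caught by auditing each generated php.ini. This is an added example, not code from any poster in this thread; the function names are hypothetical and the paths follow the how-to's layout.

```shell
#!/bin/sh
# Added example (not from the thread): audit the per-domain php.ini files.
# Function names are hypothetical; paths follow the how-to's layout.

# ini_value FILE KEY: print the last active (uncommented) value of KEY.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//; s/^"//; s/"$//'
}

# check_domain_ini FILE DOMAINDIR: print one line per finding, return 1 if any.
check_domain_ini() {
    ini=$1; dir=${2%/}/; rc=0
    [ -f "$ini" ] || { echo "php.ini missing"; return 1; }
    ob=$(ini_value "$ini" open_basedir)
    [ "$ob" = "$dir" ] || { echo "open_basedir is '$ob', expected '$dir'"; rc=1; }
    for key in upload_tmp_dir session.save_path; do
        v=$(ini_value "$ini" "$key")
        case "$v" in
            "${dir}phptmp" | "${dir}phptmp/") ;;
            *) echo "$key is '$v', expected '${dir}phptmp/'"; rc=1 ;;
        esac
    done
    return "$rc"
}

# audit_all USERS_DIR HOME_ROOT: check every domain in every domains.list.
audit_all() {
    bad=0
    for u in "$1"/*/; do
        [ -f "${u}domains.list" ] || continue
        user=$(basename "$u")
        while IFS= read -r d; do
            [ -n "$d" ] || continue
            ddir=$2/$user/domains/$d
            out=$(check_domain_ini "$ddir/php.ini" "$ddir") || {
                bad=$((bad + 1))
                printf '%s\n' "$out" | sed "s|^|$user/$d: |"
            }
        done < "${u}domains.list"
    done
    [ "$bad" -eq 0 ]
}

# On a DirectAdmin host: sh audit.sh /usr/local/directadmin/data/users /home
if [ "$#" -eq 2 ]; then audit_all "$1" "$2"; fi
```

A domain whose php.ini still carries `/var/www/html/:/tmp/` or a commented-out `upload_tmp_dir` is listed with the value found; the script exits non-zero if any domain fails.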
 
How install suphp?

Hi,

I did these steps to activate suPHP but I wasn't successful because I received "No input file specified" on my php pages. So I read this thread and found you said that the error happened because the php version is "CLI"!

I checked the php version and found out it's 5.2.17 (cli), but please note I installed the cgi version according to the above steps!

Anyway, I had to uninstall suPHP with the following commands:

in options.conf :

I changed
php_cli=no
php_cgi=yes

to

php_cli=yes
php_cgi=no

then:

./build php n

And then I got the following error on php pages:

Warning: Unknown: failed to open stream: Permission denied in Unknown on line 0

Fatal error: Unknown: Failed opening required '/home/USER/domains/MyDomain.com/public_html/Directory/index.php' (include_path='.:/usr/local/lib/php') in Unknown on line

Then I changed the index.php permission from 744 to 644, and the error changed to:

: main(Zend/Application.php) [function.main]: failed to open stream: No such file or directory in /home/USER/domains/MyDomain.com/public_html/index.php on line 26

Fatal error: main() [function.require]: Failed opening required 'Zend/Application.php' (include_path='/home/USER/domains/MyDomain.com/public_html/application/library:.:/usr/local/lib/php') in/home/USER/domains/MyDomain.com/public_html/index.php on line

How can I solve these problems? Please help me! :confused:
 
no input file specified

Code:
PHP 5.2.8 (cli) (built: Feb 4 2009 03:37:55)
You are probably still running php in CLI mode, not CGI.

Negative, I get this error in CGI mode too, cheers very much -- you brought down my server :rolleyes:


Anyone know of a simpler way to install suPHP which actually works, or how to fix the error "no input file specified"

Thanks
 
I guess you need to hire somebody who can guarantee the quality of the work done. So feel free to contact someone on these forums via PM in order to get a qualified commercial service; I, as well as others here, am ready to help you with the issue.
 
Anyone know of a simpler way to install suPHP which actually works, or how to fix the error "no input file specified"

Why don't you just do it in custombuild? I have suphp working without any problems, and only installed it using custombuild:

Code:
cd /usr/local/directadmin/custombuild
./build suphp
 
I guess you need to hire somebody who can guarantee the quality of the work done. So feel free to contact someone on these forums via PM in order to get a qualified commercial service; I, as well as others here, am ready to help you with the issue.

believe it or not, I was on your site a moment before reading your post. :eek:

Why don't you just do it in custombuild? I have suphp working without any problems, and only installed it using custombuild:

Code:
cd /usr/local/directadmin/custombuild
./build suphp

Thanks for your help, I ran that command, and it said suphp is installed, so is there nothing else that needs doing other than that, how do I know it's installed?

Thanks again :)
 