su_php mod

[tsiou]

I 've installed su_php and i had problems in opening webmail, phpmyadmin

i've set uid and gid to 0 and check_vhost_docroot=false

i want to change uid and gid to not include root (running these scripts as root is very dangerous). chown apache the above directories is very insecure too. I prefer to exclude the above directories from suphp.
How can i do it?
Adding suPHP_Engine off to

<Directory "/var/www/html">
suPHP_Engine off
Options -Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>

didn't seem to work.. Any ideas?

 

[smtalk]

chown -R webapps:webapps /var/www/html

 

[tsiou]

I guess that webapps is your apache user.
If you chown to apache user and the files have rwx set then you may be in trouble.
The whole idea for su_php is that you dont have any more to set files and directories owned and writeable for apache user. By chmod it you have worst security in that folders than without su_php and owned by root.
chmod to apache user is like, without su_php, to do :
chown -R root:apache_user /var/www/html
chmod -R 775 /var/www/html
nobody would do that. you only chmod 777 or chown apache_user some tmp or attach folders into squirrel directory.

That's why i am asking how to disable su_php for these directories.

 

[smtalk]

Webapps is not my apache user, it's your user for web applications.

 

[tsiou]

sorry i was confused

I'll use it, but just to satisfy my curiosity can i disable su_php for a <directory> directive?

 

[smtalk]

Now you should have the following code in your httpd.conf file:

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
   <IfModule mod_suphp.c>
        suPHP_Engine On
        suPHP_UserGroup webapps webapps
   </IfModule>
</Directory>

Change "suPHP_Engine On" to "suPHP_Engine Off".

 

[tsiou]

Sorry i miss understood you because my setup isn't from DA's custombuild.
I took some time reading the custombuild script and i see that it uses suphp
engine on for every vhost. So if you want to disable it for a virtual host you
just do what you told me.
My approach was different, i enabled suphp server wide.
I see that in DA's templates is mentioned a : |*if SUPHP="1"| then insert into the vhost the engine on.
I would like to change it to DA's way, but i can't find where DA sets this SUPHP=1. Is it in directadmin.conf?
I believe that someone who uses custombuild can find with a grep where that switch is located.

Thanks in advance.

 

[tsiou]

Ok, after reading DA's changes i found it...
Thanks!

 

[zEitEr]

I've got some problems with switching suPHP OFF.
I've got suPHP_Engine OFF for my Virtual host, but script.php is still parsed by suPHP.

suPHP is enabled server wide in /etc/httpd/conf/extra/httpd-suphp.conf
If I comment out the line suPHP_Engine on it works fine untill next run of
/usr/local/directadmin/custombuild/build php or /usr/local/directadmin/custombuild/build rewrite_confs, etc...

Any suggestions?

 

[tsiou]

After reading the custombuild script i see that :
to enable/disable serverwide suphp you have/don't have the file
/etc/httpd/conf/extra/httpd-suphp.conf
which contains:
<IfModule mod_suphp.c>
<Location />
suPHP_Engine on
AddType application/x-httpd-php .php
suPHP_AddHandler application/x-httpd-php
</Location>
</IfModule>

To do it in a user/domain basis :
You can enable/disable it by setting SUPHP=1 or 0 in :
/usr/local/directadmin/data/users/username/domains/domain.com.conf

 

[zEitEr]

I suppose, suPHP does not allow to redefine or redeclare any directives.
So we cannot switch suPHP OFF in user/domain basis if we have got it ON in server wide configuration file.

suPHP 0.6.3

So following your piece of advice should I delete /etc/httpd/conf/extra/httpd-suphp.conf and remove "Include" line from /etc/httpd/conf/httpd.conf ?

But after running build script, the situation will be repeated.

Suppose, build script should be changed a bit. Or my file /etc/httpd/conf/extra/httpd-suphp.conf should be protected from rewriting.

 

[tsiou]

I suppose, suPHP does not allow to redefine or redeclare any directives.
So we cannot switch suPHP OFF in user/domain basis if we have got it ON in server wide configuration file.

Suppose, build script should be changed a bit. Or my file /etc/httpd/conf/extra/httpd-suphp.conf should be protected from rewriting.

No the SUPHP=0 is to disable suphp in a per domain basis if you have it serverwide enabled.
When DA rewrites users httpd.conf see if SUPHP=0 for a domain and comments the engine=on for that domain only (what you did by hand)
So you don't have to remove the include, except you want to disable it for all domains. Just set SUPHP=0 and run a :

echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d
/etc/init.d/httpd restart

 

[zEitEr]

Tried. That don't work.
If we still got suPHP_Engine on in /etc/httpd/conf/extra/httpd-suphp.conf
With SUPHP=0 in /usr/local/directadmin/data/users/zeiter/domains/***.ru.conf I've got:

<VirtualHost ***:80>
        ServerName www.***.ru
        ServerAlias www.***.ru ***.ru
        ServerAdmin webmaster@***.ru
        DocumentRoot /home/zeiter/domains/***.ru/public_html

        UseCanonicalName OFF

        User zeiter
        Group zeiter
        CustomLog /var/log/httpd/domains/***.ru.bytes bytes
        CustomLog /var/log/httpd/domains/***.ru.log combined
        ErrorLog /var/log/httpd/domains/***.ru.error.log

        <Directory /home/zeiter/domains/***.ru/public_html>
                Options +Includes -Indexes
        </Directory>
</VirtualHost>

without suPHP directives in /usr/local/directadmin/data/users/zeiter/httpd.conf

And 500 error:

[Wed Jul 30 19:05:28 2008] [error] [client ***] (2)No such file or directory: No user or group set - set suPHP_UserGroup
[Wed Jul 30 19:06:06 2008] [error] [client ***] (2)No such file or directory: No user or group set - set suPHP_UserGroup

Does it work in your case? Which version of suPHP do you have?

 

[tsiou]

Yes you're right...
that's because suphp is compiled with paranoid mode.
I've turn it into owner mode to avoid such problems as ~username dont work.
I think that the solution is to turn it into owner mode as explained
to :
http://help.directadmin.com/item.php?id=176

and with a custom user httpd.conf :
http://help.directadmin.com/item.php?id=3
insert a :
suPHP_Engine off into the users vhost

extra info in :
http://www.directadmin.com/features.php?id=820

 

[zEitEr]

Ok, I'll check it out later.
Is is secure? Is it possible to run PHP scripts owned by root with root privileges? Is it possible to redefine suPHP directives in .htaccess such as suPHP_ConfigPath or turn on suPHP?

 

[tsiou]

to run as root you should check your suphp.conf file for
; Minimum UID
min_uid=XX

; Minimum GID
min_gid=XX

set it to 0 (root) is insecure...
it's better to chown -R as webapps your /var/www/html/* folder
and set it's uid and gid to suphp.conf

about .htaccess there are some other posts talking about it..

 

[zEitEr]

Ok, thanks.
I'm not planning to run scripts with root priveleges.