HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


pjdevries 18th May 2008 16:54

Debian suPHP security patch
Last year I crafted a Debian package for suPHP (see topic suPHP in custom Debian package). Last month a Debian security patch was released. Unfortunately the person who manages my system forgot all about the special suPHP package and installed the default Debian package. As can be expected, that caused a few problems.

Because I'm not an experienced Debian software developer, I remember having quite some difficulties figuring out how to create a Debian package and solving all related problems. Unfortunately I didn't document the whole procedure. The quickest solution I could think of for the problematic situation, was to just take the sources of the new Debian package, apply the source modifications, recompile the module and manually replace That seems to have solved the problems for the time being and if I can find the courage and spare the time, maybe I will create a new Debian package later.

The possibility to install the default Debian suPHP package, would obviously be the preferred and less error prone solution for this situation. In fact I don't really know why we need this customized version. Is there anyone who can shed some light on the reason why we can't use the regular Debian suPHP package in combination with ISPConfig?

falko 19th May 2008 17:22

Because ISPConfig needs suPHP to be compiled with --with-setid-mode=paranoid.

This link might be interesting:

pjdevries 19th May 2008 18:06

Thanks for the reply Falko.

I figured that much, but just out of curiosity: why is "--with-setid-mode=paranoid" so essential for ISPConfig? Is that only for additional security? In other words: is the regular Debian package not secure enough? And does that extra security compensate for the extra hassle of having to manually maintain suPHP instead of being able to make use of a standard package?

till 19th May 2008 18:16

If I remember correctly, without this setting suPHP cannot be forced to execute the php files under a specific user via a config directive in the vhost configuration.

pjdevries 19th May 2008 19:25

Thanks for the additional clarification Till.

You are right. I took a closer look at the suPHP documentation of the latest Debian suPHP package and it says:

"paranoid": Run scripts with owner UID/GID but also check if they match the UID/GID specified in the Apache configuration
However, it also says:

The default is "paranoid" mode.
So apparently that doesn't seem to be a valid reason not to use the Debian package.

When I created my package, I used Hans' howto (see How To Set Up suPHP On A Debian Etch Based ISPConfig Server) as a guideline and not the one Falko mentions and it worked just fine. In that howto, some minor modifications are made to mod_suphp.c. I don't see those modifications in Falko's howto though, so apparently they are not very important and maybe not even necessary.

Bottom line: it's still a mystery to me why we can't use the regular Debian suPHP package. I think it's worthwhile though, to make ISPConfig work with the Debian package instead of having to manually update suPHP with each new release. And if I'm not mistaken, we can expect 0.6.3 soon :)

Hans 19th May 2008 19:54

Modifying the file mod_suphp.c is not necessary anymore from ISPConfig 2.2.20 and up.
Please have a look here for more information:
suPHP 0.6.3 has been released on 30-3-2008.

pjdevries 19th May 2008 20:55

Thanks for your contribution as well Hans.

So if I'm not mistaken, the only thing that's different about the Debian suPHP package, is the /etc/suphp.conf file. Or am I still missing something?

falko 21st May 2008 00:19


Originally Posted by pjdevries
However, it also says:

So apparently that doesn't seem to be a valid reason not to use the Debian package.

When we used the Debian package in our tests, Apache was complaining about unknown directives so it seems the Debian package was not built with --with-setid-mode=paranoid.
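As an added illustration (not from any post in this thread) of the vhost directive Till and Falko refer to, here is a minimal Apache vhost for mod_suphp; the user/group names, hostname and paths are constructed for the example. The suPHP_UserGroup line only exists when mod_suphp is built with --with-setid-mode=paranoid (or force); an "owner"-mode build reports it as an unknown directive and Apache refuses to start, which is the symptom Falko describes.

```apache
# Constructed example of an ISPConfig-style vhost using mod_suphp.
# Requires mod_suphp built with --with-setid-mode=paranoid (or force).
# With an owner-mode build Apache fails its config check with
# "Invalid command 'suPHP_UserGroup', perhaps misspelled or defined by a
# module not included in the server configuration".
<VirtualHost *:80>
    # Placeholder hostname and assumed docroot layout
    ServerName example.com
    DocumentRoot /var/www/web1/web

    suPHP_Engine on

    # Paranoid mode does two things: the PHP CGI runs as web1:client1, and
    # suPHP additionally verifies that every script it executes is owned by
    # exactly that UID/GID. A script owned by root or by another customer's
    # user is refused instead of being run under the wrong identity.
    suPHP_UserGroup web1 client1

    # Route PHP files to the suPHP handler instead of the Apache PHP module
    suPHP_AddHandler x-httpd-php

    <Directory /var/www/web1/web>
        AddHandler x-httpd-php .php .php3 .php4 .php5
        # ExecCGI is not needed: suPHP invokes the interpreter itself
        Options -ExecCGI +FollowSymLinks
        AllowOverride All
    </Directory>
</VirtualHost>
```

Validate the result with the usual configuration check (apache2ctl configtest) before reloading; a mod_suphp that lacks paranoid/force support fails at that step rather than at request time.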

pjdevries 21st May 2008 09:36

Thanks for the follow up.

Interesting that the Debian package doesn't 'respect' the default settings. But at least it explains everything.
