How To Install suPHP On Various Linux Distributions For Use With ISPConfig (2.2.20 And Above)

Want to support HowtoForge? Become a subscriber!
 
Submitted by falko (Contact Author) (Forums) on Thu, 2008-02-14 17:22. :: CentOS | Debian | Fedora | ISPConfig | Linux | Mandriva | SuSE | Ubuntu | Apache | Control Panels | PHP

How To Install suPHP On Various Linux Distributions For Use With ISPConfig (2.2.20 And Above)

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 02/05/2008

Starting with version 2.2.20, ISPConfig has improved support for suPHP. This article explains how to install suPHP on various distributions supported by ISPConfig. (If you have used suPHP with previous ISPConfig versions, your installation will still work.)

I do not issue any guarantee that this will work for you!

 

1 Debian Etch / Ubuntu 7.10

For Debian and Ubuntu, the package libapache2-mod-suphp exists, however the problem with this package is that it doesn't support the suPHP_UserGroup directive (which is used by ISPConfig) because it wasn't compiled using the --with-setid-mode=paranoid switch. Therefore we must build mod_suphp manually.

First we disable the normal PHP5 module (as root):

a2dismod php5
/etc/init.d/apache2 restart

Then we install the prerequisites needed to build mod_suphp:

apt-get install php5-cgi apache2-prefork-dev

Now we can download and build suPHP as follows:

cd /tmp
wget http://www.suphp.org/download/suphp-0.6.2.tar.gz
tar xvfz suphp-0.6.2.tar.gz
cd suphp-0.6.2
./configure --prefix=/usr --sysconfdir=/etc --with-apache-user=www-data --with-setid-mode=paranoid --with-apxs=/usr/bin/apxs2
make
make install

Finally we add the suPHP module to our Apache configuration...

vi /etc/apache2/httpd.conf

LoadModule suphp_module       /usr/lib/apache2/modules/mod_suphp.so

... and restart Apache:

/etc/init.d/apache2 restart

 

2 Fedora 8 / CentOS 5.1

On Fedora 8 and CentOS 5.1, we must build mod_suphp manually for the same reasons as for Debian and Ubuntu (suPHP_UserGroup).

First we disable the normal PHP5 module:

vi /etc/httpd/conf.d/php.conf

Comment out the LoadModule line:

[...]
#LoadModule php5_module modules/libphp5.so
[...]

Then we install the prerequisites needed to build mod_suphp:

yum install php-cli httpd-devel

Now we can download and build suPHP as follows:

cd /tmp
wget http://www.suphp.org/download/suphp-0.6.2.tar.gz
tar xvfz suphp-0.6.2.tar.gz
cd suphp-0.6.2/
./configure --prefix=/usr --sysconfdir=/etc --with-apr=/usr/bin/apr-1-config --with-apxs=/usr/sbin/apxs --with-apache-user=apache --with-setid-mode=paranoid --with-php=/usr/bin/php-cgi --with-logfile=/var/log/httpd/suphp_log --enable-SUPHP_USE_USERGROUP=yes
make
make install

Finally we add the suPHP module to our Apache configuration...

vi /etc/httpd/conf.d/suphp.conf

LoadModule suphp_module modules/mod_suphp.so

... and restart Apache:

/etc/init.d/httpd restart

 

3 Mandriva 2008.0

On Mandriva 2008.0, we must build mod_suphp manually for the same reasons as for Debian and Ubuntu (suPHP_UserGroup).

First we disable the normal PHP5 module:

vi /etc/httpd/modules.d/70_mod_php.conf

Comment out the LoadModule line:

<IfDefine HAVE_PHP5>
    <IfModule !mod_php5.c>
        #LoadModule php5_module    extramodules/mod_php5.so
    </IfModule>
</IfDefine>
[...]

Then we install the prerequisites needed to build mod_suphp:

urpmi php-cgi apache-devel

Now we can download and build suPHP as follows:

cd /tmp
wget http://www.suphp.org/download/suphp-0.6.2.tar.gz
tar xvfz suphp-0.6.2.tar.gz
cd suphp-0.6.2/
./configure --prefix=/usr --sysconfdir=/etc --with-apr=/usr/bin/apr-1-config --with-apxs=/usr/sbin/apxs --with-apache-user=apache --with-setid-mode=paranoid --with-php=/usr/bin/php-cgi --with-logfile=/var/log/httpd/suphp_log --enable-SUPHP_USE_USERGROUP=yes
make
make install

Finally we add the suPHP module to our Apache configuration...

vi /etc/httpd/modules.d/A36_mod_suphp.conf

LoadModule suphp_module    modules/mod_suphp.so

... and restart Apache:

/etc/init.d/httpd restart

 

4 OpenSUSE 10.3

OpenSUSE 10.3 comes with a suPHP package that understands the suPHP_UserGroup directive, so we don't have to build it ourselves.

First we disable the normal PHP5 module. Open /etc/sysconfig/apache2 and remove php5 from the APACHE_MODULES line (so that it looks similar to this line - your modules might differ, but php5 must not be listed anymore):

vi /etc/sysconfig/apache2

[...]
APACHE_MODULES="actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir rewrite ruby"
[...]

Run

SuSEconfig

afterwards.

Now we install suPHP as follows:

yast -i suphp

Next we add suphp to the APACHE_MODULES line in /etc/sysconfig/apache2, e.g. like this:

vi /etc/sysconfig/apache2

[...]
APACHE_MODULES="actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir rewrite ruby suphp"
[...]

OpenSUSE's suPHP packages comes with a suPHP configuration that enables suPHP globally. Therefore we must disable this configuration now so that we can enable or disable suPHP in ISPConfig on a per-website basis:

vi /etc/apache2/conf.d/mod_suphp.conf

In that file we comment out everything:

#<IfModule mod_suphp.c>
#    suPHP_Engine on
#
#    AddType application/x-httpd-php .php
#    AddType application/x-httpd-php .php3
#    AddType application/x-httpd-php .php4
#    AddType application/x-httpd-php .php5
#    AddHandler application/x-httpd-php .php
#
#    DirectoryIndex index.php index.php3 index.php4 index.php5
#
#    <Location />
#        suPHP_AddHandler application/x-httpd-php
#    </Location>
#</IfModule>

# in your vhost you need:
#<Virtualhost *>
#  suPHP_UserGroup someuser somegroup
#</Virtualhost>

Finally we run:

SuSEconfig
/etc/init.d/apache2 restart

 

5 Configure ISPConfig

Finally we must tell ISPConfig that it should write a suPHP configuration to the Apache vhosts instead of the usual PHP configuration. To do this, we open ISPConfig's configuration file /home/admispconfig/ispconfig/lib/config.inc.php and set $go_info["server"]["apache2_php"] to suphp:

vi /home/admispconfig/ispconfig/lib/config.inc.php

[...]
$go_info["server"]["apache2_php"] = 'suphp';
[...]

Now whenever you enable PHP for a web site in ISPConfig, ISPConfig will write a suPHP configuration to that web site's vhost configuration.

 

6 Links


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by zetnsh (registered user) on Fri, 2010-03-26 21:38.
Note that for operation on Ubuntu 9.10 the compile of suPHP will fail due to an incompatibility with libtool, unless you use a slightly newer version of the suPHP sources. I used 0.6.3 instead of 0.6.2, which is now recommended as 0.6.2 has security issues. I haven't tried the 0.7 variant yet.
Submitted by smartt (not registered) on Tue, 2009-09-22 13:44.

for more recent versions of suphp (i currently have 0.7.2) you need to adjust things in /etc/suphp.conf. It must now look like this at the end of the config:

;Handler for php-scripts
x-httpd-php="php:/home/admispconfig/ispconfig/tools/suphp/usr/bin/php-wrapper"

;Handler for CGI-scripts
x-suphp-cgi="execute:!self"

 you will notice that there are added double quotes ("") for the parameter values.

Submitted by Leszek (not registered) on Wed, 2009-09-02 00:32.
Nevermind the version used here. Install the newest possible version.
Submitted by Emiliano (not registered) on Tue, 2008-11-11 16:46.

On Centos it seems that's also needed as a dependence to install libtool (at least on Centos 5 x86_64) and the compilers of course:

yum install gcc gcc-c++ kernel-devel libtool

You need to do this before you configure the suphp package or you'll need to restart from the tar.gz file because of the configure already been made.

Submitted by omry (registered user) on Wed, 2008-09-17 19:38.

suphp 0.6.3 was released and it closes a security bug.

use it instead of the 0.6.2 mentioned in the guide.