Debian suPHP security patch

Discussion in 'Installation/Configuration' started by pjdevries, May 18, 2008.

  1. pjdevries

    pjdevries Member

    Last year I crafted a Debian package for suPHP (see topic suPHP in custom Debian package). Last month a Debian security patch was released. Unfortunately the person who manages my system forgot all about the special suPHP package and installed the default Debian package. As can be expected, that caused a few problems.

    Because I'm not an experienced Debian software developer, I remember having quite some difficulties figuring out how to create a Debian package and solving all related problems. Unfortunately I didn't document the whole procedure. The quickest solution I could think of for the problematic situation, was to just take the sources of the new Debian package, apply the source modifications, recompile the module and manually replace That seems to have solved the problems for the time being and if I can find the courage and spare the time, maybe I will create a new Debian package later.

    The possibility to install the default Debian suPHP package, would obviously be the preferred and less error prone solution for this situation. In fact I don't really know why we need this customized version. Is there anyone who can shed some light on the reason why we can't use the regular Debian suPHP package in combination with ISPConfig?
  2. falko

    falko Super Moderator ISPConfig Developer

  3. pjdevries

    pjdevries Member

    Thanks for the reply Falko.

    I figured that much, but just out of curiosity: why is "--with-setid-mode=paranoid" so essential for ISPConfig? Is that only for additional security? In other words: is the regular Debian package not secure enough? And does that extra security compensate for the extra hassle of having to manually maintain suPHP instead of being able to make use of a standard package?
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    If I remember correctly, whithout this setting suPHP can not be forced to execute the php files under a specific user via a config directive in the vhost configuration.
  5. pjdevries

    pjdevries Member

    Thanks for the additional clarification Till.

    You are right. I took a closer look at the suPHP documentation of the latest Debian suPHP package and it says:
    However, it also says:
    So apparantly that doesn't seem to be a valid reason not to use the Debian package.

    When I created my package, I used Hans' howto (see How To Set Up suPHP On A Debian Etch Based ISPConfig Server) as a guide line and not the one Falko mentions and it worked just fine. In that howto, some minor modifications are made to mod_suphp.c. I don't see those modifications in Falko's howto though, so apparently they are not very important and maybe not even necessary.

    Bottom line: it's still a mystery to me why we can't use the regular Debian suPHP package. I think it's worthwhile though, to make ISPConfig work with the Debian package instead of having to manually update suPHP with each new release. And if I'm not mistaking, we can expect 0.6.3 soon :)
  6. Hans

    Hans Moderator ISPConfig Developer

    Last edited: May 19, 2008
  7. pjdevries

    pjdevries Member

    Thanks for your contribution as well Hans.

    So if I'm not mistaking, the only thing that's different about the Debian suPHP package, is the /etc/suphp.conf file. Or am I still missing something?
  8. falko

    falko Super Moderator ISPConfig Developer

    when we used the Debian package in our tests, Apache was complaining about unknown directives so it seems the Debian package was not built with --with-setid-mode=paranoid.
  9. pjdevries

    pjdevries Member

    Thanks for the follow up.

    Interesting that the Debian package doesn't 'respect' the default settings. But at least it explains everything.

Share This Page