How to install SuPHP on CentOS 7.2

SuPHP is an apache module that allows PHP to under a different Linux user than the apache user. This improves the security of hosted websites as you can run the PHP scripts of each website under a different user. This tutorial describes the installation of SuPHP on centOS 7.2 from source as there are no SuPHP packages available for CentOS 7.2.


You shall have a server that has CentOS 7.2 or later installed, I will use this tutorial as basis for my setup. In the first chapter, I will install the Apache web server. If you have apache already installed, then start with chapter 2 right away.

My server will use the hostname and the IP address Replace these values with the hostname and IP of your server wherever they occur in the following tutorial.

I recommend to have a firewall installed for security reasons, if you do not have firewalld installed yet, then you can install it with these commands:

yum -y install firewalld

start the firewall and enable it to be started at boot time.

systemctl start firewalld.service
systemctl enable firewalld.service

Next, open your SSH port to ensure that you will be able to connect to the server by SSH.

firewall-cmd --permanent --zone=public --add-service=ssh
firewall-cmd --reload

1 Installation of Apache 2.4 and PHP 5

Apache and PHP are available in the CentOS base repository, so we can install both software packages with yum.

Install Apache and the Aapache development package which contains files that are required for the SuPHP compilation later.

yum -y install httpd httpd-devel

PHP installation (I've added some frequently used PHP modules):

yum -y install php php-mysql php-gd php-pear php-xml php-xmlrpc php-mbstring curl

We have to enable Apache to start at boot time and start the service.

systemctl start httpd.service
systemctl enable httpd.service

We have to open the HTTP (80) and HTTPS (443) ports to make the web server accessible from other computers. Run the following commands to configure the firewall.

firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload

2 Installation of SuPHP

We will compile SuPHP from source in this step. Install the development tools to setup the required build chain.

yum -y groupinstall 'Development Tools'

And wget to download the source files and the nano editor.

yum -y install wget nano

Download the SuPHP source tar.gz archive and unpack it.

cd /usr/local/src
tar zxvf suphp-0.7.2.tar.gz

CentOS 7 uses Apache 2.4, so we have to patch suphp before we can compile it aganst Apache. The patch gets applied like this:

wget -O suphp.patch
patch -Np1 -d suphp-0.7.2 < suphp.patch
cd suphp-0.7.2
autoreconf -if

[root@server1 suphp-0.7.2]# autoreconf -if
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, `config'.
libtoolize: copying file `config/'
libtoolize: Consider adding `AC_CONFIG_MACRO_DIR([m4])' to and
libtoolize: rerunning libtoolize, to keep the correct libtool macros in-tree.
libtoolize: Consider adding `-I m4' to ACLOCAL_AMFLAGS in warning: AM_INIT_AUTOMAKE: two- and three-arguments forms are deprecated.  For more info, see: installing 'config/config.guess' installing 'config/config.sub' installing 'config/install-sh' installing 'config/missing'
src/ installing 'config/depcomp'
[root@server1 suphp-0.7.2]#

The autoreconf command applies the patch, now we can configure the new source as follows. NOTE: The configure command is one line!

./configure --prefix=/usr/ --sysconfdir=/etc/ --with-apr=/usr/bin/apr-1-config --with-apache-user=apache --with-setid-mode=owner --with-logfile=/var/log/httpd/suphp_log

Then compile and install SuPHP.

make install

Then add the suPHP module to the Apache configuration by adding a new suphp.conf file.

nano /etc/httpd/conf.d/suphp.conf

With the following content.

LoadModule suphp_module modules/

... and create the file /etc/suphp.conf as follows:

nano /etc/suphp.conf

;Path to logfile
;User Apache is running as
;Path all scripts have to be in
;Path to chroot() to before executing script
; Security options
;Check wheter script is within DOCUMENT_ROOT
;Send minor error messages to browser
;PATH environment variable
;Umask to set, specify in octal notation
; Minimum UID
; Minimum GID

;Handler for php-scripts
;Handler for CGI-scripts

Finally, we restart Apache:

systemctl restart httpd.service

3 Configure an Apache Vhost with SuPHP

In this chapter, I will show how you can add a virtual host in apache that runs PHP under a separate user. I will use the domain name for the website and PHP shall run as user and group "web1", the document root for the website is /var/www/

First, add a new user and group "web1".

useradd web1

Add the website root directory.

mkdir /var/www/
chown web1:web1 /var/www/

Now add the virtual host configuration file in the apache conf.d directory.

nano /etc/httpd/conf.d/

with this content:

<VirtualHost *>
DocumentRoot /var/www/

<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler None

<IfModule mod_suphp.c>
suPHP_Engine on
<FilesMatch "\.php[345]?$">
SetHandler x-httpd-suphp
suPHP_AddHandler x-httpd-suphp

Replace the domain name with your own domain in the ServerName and ServerAdmin lines.

Then restart apache to apply the config changes.

systemctl restart httpd.service

4 Test the SuPHP setup

In this chapter, I will show you several methods to test PHP in this website. First, I will create a file that uses the phpinfo() function to show if PHP is working and if it runs in CGI mode now.

Create an info.php file with nano:

nano /var/www/

and add the following lines to the new file:


Then change the owner of the file to the web1 user and group.

chown web1:web1 /var/www/

Open the URL of the file in a web browser, it shall show the following page.

PHP Info

Important is the ServerAPI line which shows CGI/FastCGI. which shows that PHP is run trough SuPHP and not mod_php.

Now I will test if PHP runs under the correct user (web1). How does SuPHP know which user it shall use? SuPHP switches PHP to the user that owns the PHP script, so it is important that all PHP files in our web root folder /var/www/ are owned by the web1 user and group.

So, how to test if PHP uses the right user? One way is to execute the "whoami" command which return the username.

I'll create a new script testuser.php in the website root:

nano /var/www/

with this content:


Then change the owner of the file to the web1 user and group.

chown web1:web1 /var/www/

Open in a web browser, the result shall the: web1

SuPHP runs as user web1 now.

SuPHP is configured and executes the PHP files as the user of this website. Remove the test files from the website directory and start adding your website scripts.

5 Download this CentOS 7.2 server as virtual machine

This setup is available as virtual machine download in ova/ovf format (compatible with VMWare and Virtualbox) for howtoforge subscribers.

Login details for the VM

  • The root password is: howtoforge
  • The password of the "administrator" user is: howtoforge

Please change both passwords on the first login.

  • The IP address of the VM is

  • CentOS
  • Apache Web Server
  • SuPHP
Share this page:

5 Comment(s)

Add comment


From: Rojackal

Quote from : 

When can I expect a new suPHP release? suPHP is not being actively maintained at the moment. This might change in the future. You should have a look at the mailing-list for discussions about new releases.

From: Thomas

The SuPHP software is stable, there are no issues with the current release and it has all features that are needed for this purpose.

From: Mahendran

After following the entire steps when i run the server i'm getting the php code directly. There is no error is added in suphp_log. But in error_log i got like below.


[Thu Jun 30 13:11:45.480228 2016] [mpm_prefork:notice] [pid 26530] AH00170: caught SIGWINCH, shutting down gracefully

[Thu Jun 30 13:11:46.554175 2016] [core:notice] [pid 26560] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0

[Thu Jun 30 13:11:46.555473 2016] [suexec:notice] [pid 26560] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)

[Thu Jun 30 13:11:46.579910 2016] [auth_digest:notice] [pid 26560] AH01757: generating secret for digest authentication ...

[Thu Jun 30 13:11:46.580623 2016] [lbmethod_heartbeat:notice] [pid 26560] AH02282: No slotmem from mod_heartmonitor

[Thu Jun 30 13:11:46.636736 2016] [mpm_prefork:notice] [pid 26560] AH00163: Apache/2.4.6 (CentOS) PHP/5.4.16 configured -- resuming normal operations

[Thu Jun 30 13:11:46.636774 2016] [core:notice] [pid 26560] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

I don't know what is the issue. Could you please help me on this.

From: Edson

The file


should be


to work

From: januzi


Everything is fine, except for fopen+fwrite. For some reason I get failed to open stream: Permission denied. Is there a way to fix this? I've tried turning selinux off, but that didn't help.