Detailed instructions for installing SuPHP on CentOS 7.2

By default, PHP on CentOS 7 runs as the apache or nobody user. Running PHP this way requires broad permissions, which may pose a security risk, and a site may also be affected by other users of the server.

SuPHP is an Apache module that allows PHP to be run under a different Linux user than the Apache user. This can increase the security of your hosted websites because you can run each website's PHP scripts under a different user. This tutorial covers SuPHP on CentOS 7.2 installed from source because there are no SuPHP packages available for CentOS 7.2.

Prerequisites

You need a server with CentOS 7.2 or higher installed. I will be using this tutorial as the basis for my setup. In this first chapter, I will install the Apache web server. If you already have Apache installed, start now with Chapter 2.

My server will use the hostname server1.example.com and the IP address 192.168.1.100. Replace these values in the following steps with your server's hostname and IP address.

For security reasons, it is recommended to install a firewall. If you have not installed a firewall yet, you can install it using the following command:

yum -y install firewalld

Start the firewall and enable it to start at boot time.

systemctl start firewalld.service
systemctl enable firewalld.service

Next, open your SSH port to ensure you are able to connect to your server via SSH.

firewall-cmd --permanent --zone=public --add-service=ssh
firewall-cmd --reload

1. Install Apache 2.4 and PHP 5

Apache and PHP are available in the CentOS base repositories, so we can install both packages using yum.

Install Apache and the Apache development package, which contains files required for the later SuPHP compilation.

yum -y install httpd httpd-devel

PHP installation (I added some common PHP modules):

yum -y install php php-mysql php-gd php-pear php-xml php-xmlrpc php-mbstring curl

We must enable Apache to start at boot time and start the service.

systemctl start httpd.service
systemctl enable httpd.service

We must open HTTP (80) and HTTPS (443) ports to make the web server accessible from other computers. Run the following command to configure the firewall:

firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload

2. Install SuPHP

In this step, we will compile SuPHP from source. Install the development tools to set up the required build chain.

yum -y groupinstall 'Development Tools'

Also install wget to download the source files, and the nano editor.

yum -y install wget nano

Download the SuPHP source tar.gz archive and extract it.

cd /usr/local/src
wget http://suphp.org/download/suphp-0.7.2.tar.gz
tar zxvf suphp-0.7.2.tar.gz

CentOS 7 uses Apache 2.4, so we have to patch SuPHP before we can compile it against Apache. The patch is applied as follows:

wget -O suphp.patch https://lists.marsching.com/pipermail/suphp/attachments/20130520/74f3ac02/attachment.patch
patch -Np1 -d suphp-0.7.2 < suphp.patch
cd suphp-0.7.2
autoreconf -if

[root@server1 suphp-0.7.2]# autoreconf -if
libtoolize: put auxiliary files in AC_CONFIG_AUX_DIR, `config'.
libtoolize: copying file `config/ltmain.sh'
libtoolize: consider adding `AC_CONFIG_MACRO_DIR([m4])' to configure.ac and
libtoolize: Rerun libtoolize to keep the correct libtool macros in-tree.
libtoolize: Consider adding `-I m4' to ACLOCAL_AMFLAGS in Makefile.am.
configure.ac:9: warning: AM_INIT_AUTOMAKE: two-argument and three-argument forms are not supported. For more information, see:
configure.ac:9: http://www.gnu.org/software/automake/manual/automake.html#Modernize-AM_005fINIT_005fAUTOMAKE-invocation
configure.ac:24: installing 'config/config.guess'
configure.ac:24: installing 'config/config.sub'
configure.ac:9: installing 'config/install-sh'
configure.ac:9: installing 'config/missing'
src/Makefile.am: Install 'config/depcomp'
[root@server1 suphp-0.7.2]#

With the patch applied and autoreconf run, we can now configure the new source as follows. NOTE: The configure command is one line!

./configure --prefix=/usr/ --sysconfdir=/etc/ --with-apr=/usr/bin/apr-1-config --with-apache-user=apache --with-setid-mode=owner --with-logfile=/var/log/httpd/suphp_log

Then compile and install SuPHP.

make
make install

Then add the suPHP module to your Apache configuration by adding a new suphp.conf file.

nano /etc/httpd/conf.d/suphp.conf

With the following content.

LoadModule suphp_module modules/mod_suphp.so

...and create the file /etc/suphp.conf as follows:

nano /etc/suphp.conf

[global]
;Path to logfile
logfile=/var/log/httpd/suphp.log
;Loglevel
loglevel=info
;User Apache is running as
webserver_user=apache
;Path all scripts have to be in
docroot=/
;Path to chroot() before executing script
;chroot=/mychroot
; Security options
allow_file_group_writeable=true
allow_file_others_writeable=false
allow_directory_group_writeable=true
allow_directory_others_writeable=false
;Check whether script is within DOCUMENT_ROOT
check_vhost_docroot=true
;Send minor error messages to browser
errors_to_browser=false
;PATH environment variable
env_path=/bin:/usr/bin
;Umask to set, specify in octal notation
umask=0077
; Minimum UID
min_uid=100
; Minimum GID
min_gid=100

[handlers]
;Handler for php-scripts
x-httpd-suphp="php:/usr/bin/php-cgi"
;Handler for CGI-scripts
x-suphp-cgi="execute:!self"

Finally, we restart Apache:

systemctl restart httpd.service

3. Configure Apache Vhost using SuPHP

In this chapter, I will explain how to add virtual hosts in Apache that run PHP under separate users. I will use the domain www.example.com for the website, PHP will run as the user and group "web1", and the document root of the website is /var/www/example.com.

First, add a new user and group 'web1'.

useradd web1

Add the website root directory.

mkdir /var/www/example.com
chown web1:web1 /var/www/example.com

Now add the virtual host configuration file in the Apache conf.d directory.

nano /etc/httpd/conf.d/example.com.conf

With this content:

<VirtualHost *>
    DocumentRoot /var/www/example.com
    ServerName example.com
    # Placeholder address; use your own
    ServerAdmin webmaster@example.com

    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
        SetHandler None
    </FilesMatch>

    <IfModule mod_suphp.c>
        suPHP_Engine on
        <FilesMatch "\.php[345]?$">
            SetHandler x-httpd-suphp
        </FilesMatch>
        suPHP_AddHandler x-httpd-suphp
    </IfModule>
</VirtualHost>

Replace the domain name with your own domain in the ServerName and ServerAdmin lines.

Then restart Apache to apply the configuration changes.

systemctl restart httpd.service

4. Test SuPHP settings

In this chapter, I will show you several ways to test PHP on this website. First, I will create a file that uses the phpinfo() function to show if PHP is working correctly and is currently running in CGI mode.

Create an info.php file using nano:

nano /var/www/example.com/info.php

And add the following lines to the new file:

<?php
phpinfo();

Then change the owner of the file to the web1 user and group.

chown web1:web1 /var/www/example.com/info.php

Open the URL of the file, http://example.com/info.php, in a web browser. It will display the phpinfo() output page.

The important line is the Server API line, which shows CGI/FastCGI. This indicates that PHP is running through SuPHP instead of mod_php.

Now I will test if PHP is running under the correct user (web1). How does SuPHP know which user to use? SuPHP switches PHP to the user that owns the PHP scripts, so it is very important that all PHP files in our web root folder /var/www/example.com are owned by the web1 user and group.

So, how do I test that PHP is using the correct user? One way is to execute the "whoami" command which returns the username.

I will create a new script testuser.php in the website root:

nano /var/www/example.com/testuser.php

with this content:

<?php
system('whoami');

Then change the owner of the file to the web1 user and group.

chown web1:web1 /var/www/example.com/testuser.php

Open http://example.com/testuser.php in a web browser. The result should be: web1

SuPHP is configured to execute PHP files as the user of this website. Remove the test files from the website directory and start adding your website scripts.
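
Because SuPHP picks the user from script ownership and applies the permission and minimum-ID rules from /etc/suphp.conf, it helps to audit a document root before going live. The following script is an added example, not part of the original tutorial or of SuPHP; the function names and the sample tree are hypothetical, and it assumes GNU find as shipped with CentOS.

```bash
#!/usr/bin/env bash
# Added example, not part of the original tutorial. Function names are
# hypothetical; the checks mirror the /etc/suphp.conf policy shown above.

# audit_docroot DIR OWNER_UID [MIN_ID]
# Prints one finding per line; returns 1 if anything was found, else 0.
audit_docroot() {
    local dir=$1 owner_uid=$2 min_id=${3:-100} out
    out=$(
        # suPHP runs a script as its owner, so a script owned by anyone but
        # the site user would execute under that other account.
        find "$dir" -type f -name '*.php' ! -uid "$owner_uid" -print |
            sed 's/^/WRONG_OWNER /'
        # allow_file_others_writeable=false, allow_directory_others_writeable=false
        find "$dir" \( -type f -o -type d \) -perm -0002 -print |
            sed 's/^/OTHERS_WRITEABLE /'
        # min_uid / min_gid: scripts owned by an id below the configured minimum
        find "$dir" -type f -name '*.php' \
            \( -uid "-$min_id" -o -gid "-$min_id" \) -print |
            sed 's/^/BELOW_MIN_ID /'
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample tree standing in for /var/www/example.com.
make_sample_docroot() {
    local d
    d=$(mktemp -d)
    mkdir "$d/uploads"
    printf '<?php phpinfo();\n' > "$d/info.php"
    printf '<?php echo "ok";\n' > "$d/uploads/cache.php"
    chmod 0644 "$d/info.php"
    chmod 0777 "$d/uploads"
    chmod 0666 "$d/uploads/cache.php"
    printf '%s\n' "$d"
}

# Usage: audit.sh DIR OWNER_UID [MIN_ID]
if [ "$#" -ge 2 ]; then
    audit_docroot "$@"
fi
```

For the site in this tutorial, the call would be: audit.sh /var/www/example.com "$(id -u web1)"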

5. Download this CentOS 7.2 server as a virtual machine

This setup can be downloaded as a virtual machine in ova/ovf format (compatible with VMWare and Virtualbox) by users whose identity is known.

Login details for the VM

The root password is: howtoforge
The password for the "admin" user is: tecmint
Please change both passwords when you log in for the first time.

The IP address of the virtual machine is 192.168.1.100

6. Links

CentOS

Apache Web Server

SuPHP
