Securing PHP using SuPHP
I recently came across an alternative to using binfmt with CGI PHP. This document is a copy of an email I sent to the mailing list. SuPHP can be found at www.suphp.org.
I have managed now to get suPHP working, and wanted to share my findings with you all.
Before doing anything, we should make sure we have the correct PHP binary. The latest PHP comes with both a CGI and a CLI binary; only the CGI will work.
$ php -v
If you see something like this...
PHP 4.3.2 (cli) (built: Aug 24 2003 21:13:58)
Copyright (c) 1997-2003 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2003 Zend Technologies
...then it won’t work. You’re looking for something like this.
PHP 4.3.2 (cgi), Copyright (c) 1997-2003 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2003 Zend Technologies
Read the PHP install documentation for more information.
NOTE: if using Gentoo, have a look at this forum post
After confirming that the correct PHP CGI binary is available, download the source file from http://www.suphp.org. At the time of writing, the current version is 0.31.
$ wget http://www.suphp.org/download/suphp-0.3.tar.gz
$ tar -xvzf suphp-0.3.tar.gz
$ cd suphp-0.3
Now we need to set the config options to compile with. The configure script offers a large number of options; take a look by typing:
$ ./configure --help
I wanted suPHP to work for my apache user, so I set the uid and gid minimums down to 81 (this is generally not a good idea though!), and I also wanted it to log to my apache directory. You can locate your PHP binary using `which php`. This is the configure line that I used.
$ ./configure --with-min-uid=81 --with-min-gid=81 --with-apache-user=apache --with-php=/usr/bin/php --with-logfile=/var/log/apache/suphp_log
A make, then a make install will now install suPHP.
$ make
$ make install
It is now as simple as editing your Apache configuration file. The suPHP install script will add some of the required lines to your config, but will not enable it by default. Here is what is needed (the first 2 are added for you by default):
LoadModule suphp_module /usr/lib/apache/mod_suphp.so
AddModule mod_suphp.c
suPHP_Engine on
AddHandler x-httpd-php .php
Restart Apache, and now give it a test.
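The two checks this procedure depends on (the PHP binary is the CGI build, and all four Apache directives are present and uncommented) can be scripted before restarting. This is an added example, not part of the original email or of suPHP; the function names php_sapi, php_is_cgi and suphp_conf_missing are hypothetical, and the Apache config path is whatever your system uses.

```shell
#!/bin/sh
# Added example: preflight checks for the suPHP setup described on this page.
# php_sapi, php_is_cgi and suphp_conf_missing are hypothetical helper names.

# Read a `php -v` banner on stdin and print its SAPI name ("cli", "cgi", ...).
php_sapi() {
    sed -n '1s/^PHP [^ ]* (\([a-z-]*\)).*/\1/p'
}

# Succeed only if the command $1 reports the CGI SAPI, as the page requires.
php_is_cgi() {
    [ "$("$1" -v 2>/dev/null | php_sapi)" = "cgi" ]
}

# Print every directive from the page that is absent from the Apache config
# file $1, or present only as a comment or with a different value.
# Each table row below is "label|extended regex"; matching ignores case.
suphp_conf_missing() {
    while IFS='|' read -r label regex; do
        grep -Eiq "^[[:space:]]*$regex" "$1" || printf '%s\n' "$label"
    done <<'EOF'
LoadModule suphp_module|LoadModule[[:space:]]+suphp_module[[:space:]]
AddModule mod_suphp.c|AddModule[[:space:]]+mod_suphp\.c
suPHP_Engine on|suPHP_Engine[[:space:]]+on[[:space:]]*$
AddHandler x-httpd-php .php|AddHandler[[:space:]]+x-httpd-php[[:space:]].*\.php
EOF
}

# Usage: sh preflight.sh /usr/bin/php /path/to/your/apache.conf
if [ "$#" -eq 2 ]; then
    status=0
    if ! php_is_cgi "$1"; then
        echo "FAIL: $1 is not a CGI build of PHP"
        status=1
    fi
    missing=$(suphp_conf_missing "$2")
    if [ -n "$missing" ]; then
        echo "$missing" | sed 's/^/MISSING: /'
        status=1
    fi
    exit "$status"
fi
```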
If you are still having problems after following these instructions, please email the suphp mailing list.