Converting from PHP DSO to PHP suPHP + Suhosin

host4profit

Member
Feb 12, 2009
Hello,

Early last year, I purchased a hosting service that is running Cpanel/WHM with PHP+DSO. It's been a bit of a nightmare dealing with the security issues presented with running PHP as nobody.

I've been researching suPHP (mainly to get the scripts running as the username) and Suhosin (for that added level of security).

My question is, on established servers, running a fair number of clients, a number of PHP scripts, what issues could I expect to see by enabling suPHP and/or Suhosin?

I'd venture to guess that 95% of the scripts that are installed are from Fantastico. I am assuming that _most_ of the scripts in Fantastico will work with the suPHP + Suhosin.

I'm guessing I'd need to go through each user directory and update the "nobody.nobody" files to "username.username". Also probably search for directories set to 777 and change those to 755 (suPHP should run without needing 777, correct)?

Trying to get an idea of how big of a headache this upgrade may cause. I do believe it is a must upgrade due to all the insecure PHP scripts out there.

Thanks for any feedback!

David

Infopro

Well-Known Member
May 20, 2003
Pennsylvania
cPanel Access Level
Root Administrator
There are multiple threads on this topic at the bottom of this very page in the Similar Threads block you might find useful. And there are many more across these forums if you dig a little that should provide you a wealth of info to get this done painlessly.


HTH!

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
somewhere over the rainbow
cPanel Access Level
Root Administrator
I did want to link to one guide I posted last year as my non-staff account at the time:

Switching to suPHP

Since many of the discussions on the forum don't have a straightforward guide on the steps, I thought this might be helpful to give as a direct link.

Additionally, I suggest tailing the error log for Apache if any sites aren't working following the steps for conversion as well as picking a time when the server will not be overly active to allow sufficient time for the switch. To tail the log, you'd simply do:

Code:
tail -f /usr/local/apache/logs/error_log
To see any sites that might have issues after the switch has been completed.

host4profit

Member
Feb 12, 2009
Hello,

Thanks much for the link cPanelTristan! Looks like the trick will be to find a "safe" way to chown the files. You don't happen to have any additional information about how to do this? Between the servers, we are looking at close to 8,000 users! So, manually would be very time consuming.

Is the idea to only chown actual files, skipping any links? Or that the link shouldn't be outside the users directory?

So, once the directory and file permissions are set, and the files chown'ed properly, clean up the .htaccess files (and add a custom php.ini as needed (oh boy, lots of worth there)), the scripts themselves should be fine?

Then, adding into the mix, Suhosin... Is that just another level of security that shouldn't cause major issues?

Will do suPHP first, make sure that is working, then come back through with Suhosin...

Thanks again!
David

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
somewhere over the rainbow
cPanel Access Level
Root Administrator
Hello David,

I would not do a chown on any of the users' directories unless they show errors in the logs. If they do, then you can perform a chown to user:nobody for the top level of public_html and user:user for the files and folders inside public_html (where user is the cPanel username).

I wouldn't provide a command on how to perform either because security-wise you'd want to be very careful due to the reasons noted in the thread that I linked to earlier.

Thanks.
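As an added illustration of the ownership layout described in the last reply and of the "safe way to chown" question asked earlier in the thread (skipping links, staying inside the account's own directory), here is a small audit script. It is not code from the thread, from cPanel or from the guide linked above; the script name, the functions, the dry-run/"apply" switch and the use of getent, id and find are all my own choices. By default it only prints what a chown would touch; nothing changes until it is run with "apply", and even then only regular files and directories under public_html are handled, never symlinks or anything outside the account's home.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel: an audit for the
# ownership change discussed above. Default mode only lists what a chown
# would touch; "apply" performs it, so a root administrator can review first.
set -eu

# Accept only plain cPanel-style account names so the value can never be
# spliced into a path or a command as "../" or a shell fragment.
valid_account_name() {
  case "$1" in
    ''|*[!a-z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print regular files and directories below $1 whose numeric owner is not $2.
# Symlinks are skipped (neither -type f nor -type d matches a link, and find
# does not follow links unless told to), and -xdev keeps the walk on one
# filesystem, so a link an account planted toward /etc or another home never
# shows up in the list. -mindepth 1 leaves $1 itself out (it is handled
# separately, since it gets a different group).
find_misowned() {
  find "$1" -xdev -mindepth 1 \( -type f -o -type d \) ! -uid "$2" -print
}

# One account, following the thread's description: public_html itself ends
# up user:nobody, everything beneath it user:user. $2 is "apply" or empty.
fix_account() {
  user=$1; mode=${2-}
  valid_account_name "$user" || { echo "refusing odd account name: $user" >&2; return 1; }
  uid=$(id -u "$user")
  home=$(getent passwd "$user" | cut -d: -f6)
  docroot=$home/public_html
  # The docroot must be a real directory, not a link, before anything is done.
  if [ -L "$docroot" ] || [ ! -d "$docroot" ]; then
    echo "$user: $docroot is missing or is a symlink, skipping" >&2; return 1
  fi
  if [ "$mode" = apply ]; then
    chown -h "$user:nobody" "$docroot"
    # -h: if a path listed by find has since been swapped for a symlink,
    # only the link itself is touched, never whatever it points at.
    find "$docroot" -xdev -mindepth 1 \( -type f -o -type d \) ! -uid "$uid" \
      -exec chown -h "$user:$user" {} +
  else
    echo "would chown $user:nobody $docroot"
    find_misowned "$docroot" "$uid" | sed "s/^/would chown $user:$user /"
  fi
}

# Usage: ./fix_suphp_ownership.sh ACCOUNT [apply]   (run as root, one account at a time)
if [ -n "${1-}" ]; then
  fix_account "$1" "${2-}"
fi
```

Running it without "apply" for one account and reading the list against the Apache error_log is the intended workflow; the dry-run output is also a quick way to spot directories an account has linked to places it should not own.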