Proper fcgid custom php.ini per user (Easyapache integrated)

Discussion in 'Security' started by NiN, Apr 15, 2011.

  1. NiN

    NiN Active Member

    Joined:
    Apr 30, 2003
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Braga, Portugal
    While I've found a number of suggestions on configuring a custom php.ini per user, none of them satisfied me.

    Most approaches are a bit outdated, as well as not "upgrade friendly". cPanel now has a wrapper at /usr/local/cpanel/cgi-sys/php5 which is used for the fcgid requests to PHP, and if there is no customization needed, why not use the default php.ini?

    Now my question is, what would be the best approach to setting up a custom php.ini per user, assuming the following:
    • Compatible with easyapache; don't fight the current (possibly using the apache userdata includes?)
    • Upgrade friendly (running easyapache shouldn't break the setup - use the includes, etc)
    • New accounts use the "default" secured php.ini (Copy in postwwwacct?)
    • Isolated from the user dir (rather not place a wrapper in every ~/public_html/cgi-bin/)

    I'll keep researching the options available, but any feedback is appreciated.
     
  2. tylerl

    tylerl Active Member

    Joined:
    Dec 11, 2009
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    Here's my simple solution. Just update /usr/local/cpanel/cgi-sys/php5 to look like this:

    Code:
    #!/bin/bash
    [[ -f ~/php.ini ]] && exec /usr/bin/php -c ~/php.ini
    exec /usr/bin/php
    
    Remember to copy the file to /var/cpanel/conf/apache/wrappers/php5 to make your changes persistent.

    Essentially, this uses the "global" php.ini file for everyone who doesn't have a custom one set, but switches to the custom one if it exists.

    Remember to restart apache (or just kill the appropriate php process) to load new changes.
     
  3. anton_latvia

    anton_latvia Well-Known Member
    PartnerNOC

    Joined:
    May 11, 2004
    Messages:
    348
    Likes Received:
    3
    Trophy Points:
    18
    Location:
    Latvia
    cPanel Access Level:
    Root Administrator
    Nice example, but this way users might put custom php.ini files into their home folder and get whatever configuration they want. Here is how we do it - not sure if this might overlap some other "howto". I think it is very obvious how to use this howto to run any version of PHP (you have to compile it yourself, of course).

    1. First create custom php.ini.

    Code:
    mkdir -p /usr/local/apache/conf/custom_php/DOMAINNAME/
    cp /usr/local/lib/php.ini /usr/local/apache/conf/custom_php/DOMAINNAME/
    Modify copied php.ini.

    2. Create custom PHP wrapper.

    Code:
    cd /usr/local/cpanel/cgi-sys/
    cp php5 php5_DOMAINNAME
    chown root.wheel php5_DOMAINNAME
    3. Edit custom PHP wrapper to use custom php.ini

    Inside php5_DOMAINNAME change "exec" line to the following:

    Code:
    exec /usr/bin/php -c /usr/local/apache/conf/custom_php/DOMAINNAME/php.ini

    4. Set to use custom wrapper by webserver

    Code:
    mkdir -p /usr/local/apache/conf/userdata/std/2/USERNAME/DOMAINNAME
    cd /usr/local/apache/conf/userdata/std/2/USERNAME/DOMAINNAME
    vi custom.conf
    And add the following line:

    Code:
    FCGIWrapper /usr/local/cpanel/cgi-sys/php5_DOMAINNAME .php

    5. Configure httpd.conf - remember to check that the custom configuration file that you created in step 4 is being included in the Apache config file. In /usr/local/apache/conf/httpd.conf, inside the website's VirtualHost, there should be a line like this:

    Code:
    Include "/usr/local/apache/conf/userdata/std/2/USERNAME/DOMAINNAME/*.conf"

    6. Restart the webserver and check that the website is using the correct php.ini. Errors may be in /usr/local/apache/logs/error_log and in /usr/local/apache/logs/suexec_log


    7. Important notes

    If you are running FastCGI and are planning to turn off safe_mode right now, please remember that we have it for one reason: we are unable to change open_basedir and restrict a customer to a single folder. Since with the setup explained above we have created a separate php.ini file for a single website, we actually can change and set open_basedir. Conclusion: if you are disabling safe_mode, you must set open_basedir in the custom php.ini! Search for open_basedir and change it to:

    Code:
    open_basedir = "/home/USERNAME:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp"
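
The two wrapper styles posted above and the open_basedir rule from step 7, turned into a check script. This is an added example, not part of any post in the thread. The ROOT prefix, the function names, the example.test domain and the alice account are assumptions, and treating "/" or "/home" in open_basedir as a failure is this example's own policy.

```shell
# Added example, not from the thread. ROOT is a hypothetical prefix so the
# audit can run on a staging copy; pass "" on a live server.
# Print the php.ini path given with -c on the wrapper's exec line (empty if none).
wrapper_ini() {
    sed -n -e '/^[[:space:]]*#/d' \
        -e 's/.*exec[[:space:]].*[[:space:]]-c[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$1" | head -n 1
}

# Print the last uncommented value of directive $2 in php.ini $1, quotes stripped.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

# audit_wrapper ROOT WRAPPER USERNAME: print findings, return 0 only if clean.
audit_wrapper() {
    root=$1; wrapper=$2; user=$3
    ini=$(wrapper_ini "$root$wrapper")
    case $ini in
        '') echo "OK: $wrapper uses the global php.ini"; return 0 ;;
        '~'*|'$HOME'*|/home/*)
            echo "FAIL: $ini can be edited by the account owner"; return 1 ;;
    esac
    [ -f "$root$ini" ] || { echo "FAIL: $ini is missing"; return 1; }
    basedir=$(ini_value "$root$ini" open_basedir)
    case ":$basedir:" in
        ::) case $(ini_value "$root$ini" safe_mode) in
                [Oo]n|1) echo "OK: no open_basedir, safe_mode still on"; return 0 ;;
            esac
            echo "FAIL: safe_mode is off and open_basedir is unset"; return 1 ;;
        *:/:*|*:/home:*|*:/home/:*)
            echo "FAIL: open_basedir covers other accounts: $basedir"; return 1 ;;
        *":/home/$user:"*) echo "OK: $ini confines $user"; return 0 ;;
    esac
    echo "FAIL: open_basedir lacks /home/$user: $basedir"; return 1
}

# Constructed fixture: a wrapper and php.ini laid out as in steps 1-3.
demo() {
    d=$(mktemp -d); w=/usr/local/cpanel/cgi-sys/php5_example.test
    i=/usr/local/apache/conf/custom_php/example.test/php.ini
    mkdir -p "$d${w%/*}" "$d${i%/*}"
    printf '#!/bin/sh\nexec /usr/bin/php -c %s\n' "$i" > "$d$w"
    printf 'safe_mode = Off\nopen_basedir = "/home/alice:/tmp"\n' > "$d$i"
    audit_wrapper "$d" "$w" alice; rc=$?
    rm -rf "$d"; return $rc
}
demo
```

The script reads file contents only; ownership and mode of the wrapper and php.ini (root.wheel, not writable by the account) still need a separate `ls -la` check.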
     
  4. NiN

    NiN Active Member

    Hello guys,

    Thanks for your replies, but this thread was posted in April of this year. And I actually never remembered this since.

    I solved this issue at that time, actually like what anton_latvia suggested, except I placed every custom php wrapper/.ini next to the .conf in /usr/local/apache/conf/userdata/std/2/<user>/

    Which is great if I want to move a client along with his .ini settings.

    In any case, thanks a lot for your replies, even if it's just for future reference.
     
  5. AnthonyG70

    AnthonyG70 Member

    Joined:
    Apr 21, 2012
    Messages:
    7
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    I am attempting to utilize this response, but am unable to locate php5 under /usr/local/cpanel/cgi-sys. Could this post be looked over and corrected if necessary? This seems to be the most precise custom php.ini per user/site in the forums, and most recent.

    Thanks!
     
  6. NiN

    NiN Active Member

    Hi Anthony,

    That's the fcgid wrapper; I believe it's created when you set up easyapache with fcgid support.

    In any case you can also create that manually, just paste this inside:
    https://gist.github.com/2493142

    Remember to set its permissions like the other files there: chown root.wheel & chmod 755, I believe!
     
  7. anton_latvia

    anton_latvia Well-Known Member
    PartnerNOC

    ls -la /usr/local/cpanel/cgi-sys/php5
    -rwxr-xr-x 1 root wheel 244 Apr 26 11:31 /usr/local/cpanel/cgi-sys/php5*


    Yes, without fastcgi support there is no such file. Here is its contents:

    #!/bin/sh

    # If you customize the contents of this wrapper script, place
    # a copy at /var/cpanel/conf/apache/wrappers/php5
    # so that it will be reinstalled when Apache is updated or the
    # PHP handler configuration is changed

    exec /usr/bin/php
     
  8. AnthonyG70

    AnthonyG70 Member

    That's what is throwing me for a loop, I did the build and included fcgid, it even stated it included it by default (probably due to another tool). I am running suhosin and suexec, would these cause me to not have php5 in directory? I checked modules, here is output.

    Code:
    /usr/sbin/httpd -l
    Compiled in modules:
      core.c
      mod_authn_file.c
      mod_authn_default.c
      mod_authz_host.c
      mod_authz_groupfile.c
      mod_authz_user.c
      mod_authz_default.c
      mod_auth_basic.c
      mod_auth_digest.c
      mod_include.c
      mod_filter.c
      mod_deflate.c
      mod_log_config.c
      mod_logio.c
      mod_env.c
      mod_expires.c
      mod_headers.c
      mod_usertrack.c
      mod_unique_id.c
      mod_setenvif.c
      mod_version.c
      mod_proxy.c
      mod_proxy_connect.c
      mod_proxy_ftp.c
      mod_proxy_http.c
      mod_proxy_scgi.c
      mod_proxy_ajp.c
      mod_proxy_balancer.c
      mod_ssl.c
      prefork.c
      http_core.c
      mod_mime.c
      mod_dav.c
      mod_status.c
      mod_autoindex.c
      mod_asis.c
      mod_info.c
      mod_suexec.c
      mod_cgi.c
      mod_dav_fs.c
      mod_vhost_alias.c
      mod_negotiation.c
      mod_dir.c
      mod_imagemap.c
      mod_actions.c
      mod_speling.c
      mod_userdir.c
      mod_alias.c
      mod_rewrite.c
      mod_so.c
    Code:
    /usr/sbin/httpd -M
    Loaded Modules:
     core_module (static)
     authn_file_module (static)
     authn_default_module (static)
     authz_host_module (static)
     authz_groupfile_module (static)
     authz_user_module (static)
     authz_default_module (static)
     auth_basic_module (static)
     auth_digest_module (static)
     include_module (static)
     filter_module (static)
     deflate_module (static)
     log_config_module (static)
     logio_module (static)
     env_module (static)
     expires_module (static)
     headers_module (static)
     usertrack_module (static)
     unique_id_module (static)
     setenvif_module (static)
     version_module (static)
     proxy_module (static)
     proxy_connect_module (static)
     proxy_ftp_module (static)
     proxy_http_module (static)
     proxy_scgi_module (static)
     proxy_ajp_module (static)
     proxy_balancer_module (static)
     ssl_module (static)
     mpm_prefork_module (static)
     http_module (static)
     mime_module (static)
     dav_module (static)
     status_module (static)
     autoindex_module (static)
     asis_module (static)
     info_module (static)
     suexec_module (static)
     cgi_module (static)
     dav_fs_module (static)
     vhost_alias_module (static)
     negotiation_module (static)
     dir_module (static)
     imagemap_module (static)
     actions_module (static)
     speling_module (static)
     userdir_module (static)
     alias_module (static)
     rewrite_module (static)
     so_module (static)
     bwlimited_module (shared)
     bw_module (shared)
     qos_module (shared)
     suphp_module (shared)
     security2_module (shared)
    Syntax OK
    Just trying to get this sorted so I can enable FTP uploads via HTTP/PHP. I am not seeing fcgi in there anywhere, yet I selected it during build. Suggestions?
     
  9. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    If you have mod_fcgid.so in /usr/local/apache/modules, then you have FCGI available. There is not a php5 directory on the machine as previously stated in this thread.

    The reason fcgid doesn't appear in the modules list is that, unless you've switched PHP over to FCGI, it isn't loaded. It only loads if you switch the PHP handler to FCGI. Here are examples on my machine:

    1. When I was using DSO

    Code:
    root@host [~]# httpd -l | grep -i fcgi
    root@host [~]# httpd -M | grep -i fcgi
    Syntax OK
    
    root@host [~]# /usr/local/cpanel/bin/rebuild_phpconf --current
    Available handlers: suphp dso fcgi cgi none
    DEFAULT PHP: 5
    PHP4 SAPI: none
    PHP5 SAPI: dso
    SUEXEC: enabled
    RUID2: not installed
    2. Switched to FCGI

    Code:
    root@host [~]# /usr/local/cpanel/bin/rebuild_phpconf 5 none fcgi 1
    php.conf updated to:
    
    # This file was automatically generated by the Cpanel PHP Configuration system
    # If you wish to change the way PHP is being handled by Apache on your system,
    # use the /usr/local/cpanel/bin/rebuild_phpconf script or the WHM interface.
    #
    # Manual edits of this file will be lost when Apache is updated.
    
    
    # Fastcgi configuration for PHP5
    LoadModule fcgid_module modules/mod_fcgid.so
    MaxRequestsPerProcess 500
    AddHandler fcgid-script .php5 .php4 .php .php3 .php2 .phtml
    FCGIWrapper /usr/local/cpanel/cgi-sys/php5 .php5
    FCGIWrapper /usr/local/cpanel/cgi-sys/php5 .php4
    FCGIWrapper /usr/local/cpanel/cgi-sys/php5 .php
    FCGIWrapper /usr/local/cpanel/cgi-sys/php5 .php3
    FCGIWrapper /usr/local/cpanel/cgi-sys/php5 .php2
    FCGIWrapper /usr/local/cpanel/cgi-sys/php5 .phtml
    
    # End of autogenerated PHP configuration.
    
    
    Updating user configurable PHP settings.
    [info] recursion depth is set to: 2
    Restarting Apache
    
    root@host [/usr/local/apache/modules]# httpd -M | grep -i fcgi
    Syntax OK
     fcgid_module (shared)
    Here it is in the modules folder:

    Code:
    root@host [/usr/local/apache/modules]# ls -lah
    total 15M
    drwxr-xr-x  2 root root 4.0K Apr 17 21:44 ./
    drwxr-xr-x 16 root root 4.0K Apr 17 23:49 ../
    -rw-r--r--  1 root root 9.0K Apr 17 21:37 httpd.exp
    -rwxr-xr-x  1 root root  15M Apr 17 21:44 libphp5.so*
    -rwxr-xr-x  1 root root 9.3K Apr 17 21:39 mod_bwlimited.so*
    -rwxr-xr-x  1 root root 5.7K Apr 17 21:39 mod_disable_suexec.so*
    -rwxr-xr-x  1 root root 122K Apr 17 21:39 mod_fcgid.so*
    -rwxr-xr-x  1 root root  29K Apr 17 21:39 mod_suphp.so*
    Makes a lot of sense it wouldn't load unless it were the PHP handler. Otherwise, it would conflict with the existing handler being used.

    Thanks!
     