fusioncroc

Weird, whatever I try to do I end up with php files not working correctly. I get asked to save them instead. I did try suphp first, as that did not work though I tried normal php4 and normal php5... none seem to work at all. Any ideas?
 

sparek-3

I finally got around to writing a guide for using suPHP on CPanel. I had to find my old notes for making it work, and I did go ahead and make a patch for the necessary modifications.

The guide is available at:

http://www.spareknet.org/howtos/suphp.php

Please note, this is completely outside of CPanel. It does not use the easyapache2 script and only applies for Apache 1.3. But maybe someone will find it useful.
 

intel352

dude, i've been struggling with weak how-tos for suphp for a week now, and i've had to often resort to how-tos for other control panels (eek).

thanks for posting this, it'll be a big help ;)


EDIT: btw, if you could consider adding support for the Suhosin patches from hardened-php.net, that would be awesome. Suhosin is binary compatible, so it no longer breaks things like the normal hardened-php patch would.
http://www.hardened-php.net/suhosin.127.html

:-D
 

intel352

another suggestion, enhance your "how-to" with full commands for each step, i.e.-

wget ...
tar xzvf ...
cd ...
etc etc

------

A note: you refer in your code to Application.diff, when it's actually Application.patch
 

sparek-3

Thanks, I tried to read through the guide to make sure there were not any errors, but it's always good to have an extra set of eyes. I've made some adjustments to the guide and the filenames should be represented correctly now.

I left out some of the steps such as downloading the source and extracting it. I believe there has to be some level of understanding of how to get this far. You have to draw a line somewhere. I considered the downloading and extracting of the source and patches as trivial. I also just say to edit the file, use whatever editor you feel like using, since you are not bound to use any particular text editor for changing the files.
 

intel352

agreed, gotta have the understanding, but also for those of us (such as myself) that has the understanding, but is lazy, hehehehe, it's nice to have the commands setup for copy/paste :D


anywho, just to let you know, i've got my server running with suphp now. your guide helped immensely, since I hadn't found any other resources that suggested suphp needed to be patched. (i used another guide for compiling my php to run under fastcgi, so i was only missing your suphp piece)


also, i placed the suphp.conf in /etc, I assume that's correct because I'm not seeing any errors.

right now i'm trying to work up a small sh script that i can run to change permissions for user's files (to preempt any permission/security issues)
 

intel352

Okay, here's my script for changing file ownership, and folder/file permissions, for all hosted users.

This took some trial/error on my part, as i'm not familiar with SH syntax. just a note, if users have improperly named files/folders, such as "Albert's Album", this script won't be able to work with that file/folder (just saw that happen when i ran the script, lol)

anyways, if someone wants to make this script better, that'd be fine by me:

Code:
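#!/bin/sh
# Reset ownership and permissions under each user's public_html.
# Assumes every directory name in /home is also a user and group name.

for dir in /home/*/public_html
do
        # Skip accounts without a real public_html directory (or a symlinked one).
        [ -d "$dir" ] && [ ! -L "$dir" ] || continue
        user=$(basename "$(dirname "$dir")")
        echo "$user"
        # Act on the directory itself rather than "* .*": the ".*" glob also
        # matches "..", which would recurse into the whole home directory.
        chown -R "$user:$user" "$dir"
        # find -exec passes names as-is, so spaces and quotes in names are safe.
        find "$dir" -type f -name "*.php" -exec chmod 644 {} +
        find "$dir" -type d -exec chmod 755 {} +
done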
 

sparek-3

intel352 said:
right now i'm trying to work up a small sh script that i can run to change permissions for user's files (to preempt any permission/security issues)
I see where you have one script that should work for this. I don't know if my script is any better, but I do have a script that does do such a thing at:

http://www.spareknet.org/scripts

It's a simple script, it does about the same thing that yours does, but it should accommodate files and directories that have spaces in them.
 

sparek-3

intel352 said:
btw, if you could consider adding support for the Suhosin patches from hardened-php.net, that would be awesome. Suhosin is binary compatible, so it no longer breaks things like the normal hardened-php patch would.
http://www.hardened-php.net/suhosin.127.html
:-D
I have used hardened-php in the past but it always broke the Zend Optimizer (I think), so I stopped using it. I'm not sure if this is still the case or if this is referring to something different. If it's just a PHP patch, then you should be able to apply the patch to the PHP source before you compile it.
 

intel352

nice script, only one difference i can see, yours doesn't chmod individual files. if you would add in a line to chmod files that are 666 back to 644, you should then reference that script in your How-To, for admins that are upgrading existing servers :)
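
An added example, not part of the thread or of either poster's script: a read-only audit that lists what the permission scripts above would have to fix, namely wrong owners and PHP files or directories writable by group or others (the 666 case mentioned above). The function name `audit_docroot`, the reason labels and the temporary sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only: it reports, never changes.
# audit_docroot DIR OWNER -> one "REASON<TAB>PATH" line per finding.
audit_docroot() {
    dir=$1 owner=$2
    # find passes each name as its own argument and printf repeats its
    # format per argument, so "Albert's Album" survives intact.
    # Files or directories that do not belong to the account.
    find "$dir" \( -type f -o -type d \) ! -user "$owner" \
        -exec printf 'wrong-owner\t%s\n' {} +
    # PHP scripts writable by group or others (e.g. 666 or 664).
    find "$dir" -type f -name '*.php' \( -perm -020 -o -perm -002 \) \
        -exec printf 'writable-script\t%s\n' {} +
    # Directories writable by group or others (e.g. 777 or 775).
    find "$dir" -type d \( -perm -020 -o -perm -002 \) \
        -exec printf 'writable-dir\t%s\n' {} +
}

# Constructed sample tree standing in for /home/USER/public_html.
demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/Albert's Album" "$root/uploads"
    : > "$root/index.php"
    : > "$root/Albert's Album/view.php"
    : > "$root/uploads/notes.txt"
    chmod 755 "$root" "$root/Albert's Album"
    chmod 777 "$root/uploads"
    chmod 644 "$root/index.php"
    chmod 666 "$root/Albert's Album/view.php" "$root/uploads/notes.txt"
    printf '%s\n' "$root"
}

tree=$(demo_tree)
audit_docroot "$tree" "$(id -u)"
rm -rf "$tree"
```

On a server, call `audit_docroot /home/USER/public_html USER` once per account; a path containing a newline would be split across output lines.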
 

intel352

sparek-3 said:
I have used hardened-php in the past but it always broke the Zend Optimizer (I think), so I stopped using it. I'm not sure if this is still the case or if this is referring to something different. If it's just a PHP patch, then you should be able to apply the patch to the PHP source before you compile it.
Suhosin comes in 2 parts that can be used separately or together. 1 part is a patch that is applied to remove some insecurities at a low level, the other part is essentially the hardened-php old-style patch, but now written as an extension

it doesn't conflict with Zend at all, works fine on my server. suhosin is a new project, but i've had no issues so far. prevents remote includes and whatnot, nice to have a hardened php without the breakage :)


but yes, it's simple to install, just thought it would be nice to see your how-to go the distance for providing a secured php :)
 

freedman

sparek-3 said:
I finally got around to writing a guide for using suPHP on CPanel. I had to find my old notes for making it work, and I did go ahead and make a patch for the necessary modifications.

The guide is available at:

http://www.spareknet.org/howtos/suphp.php

Please note, this is completely outside of CPanel. It does not use the easyapache2 script and only applies for Apache 1.3. But maybe someone will find it useful.
I glanced over the howto.. it's nicely written, but you're making some compromises which could be disastrous.

first, running the cli version of php in a cgi environment is a bad idea.. I know they seem similar, but there are different versions for good reason...the cli version has less tight security requirements--while the paranoid cli security might seem overkill there's logic in it.

secondly, and the real issue (I'm personally indifferent as to whether or not you use cli/cgi versions to be honest), is the /usr/cgiphp/php-source.sh file.
by echoing the Content-Type, you're precluding CGI from delivering non text/html content without confusing the browser.
 

sparek-3

That was the solution posted to the suphp mailing list regarding PHP source files. I agree and like the howto says it's really a feature that I just put into the guide, it's the newest feature of the howto and thus less tested and I'll say I'm less versed in its solution. That part of the guide can be safely left out. If you don't add a .phps handler then .phps files will still be shown, the code will be displayed in a browser, it just won't be syntax highlighted, it will just be plain text.

I will put up a notice regarding that feature in the guide. I wasn't really sure how many people actually used PHP source files. I'm sure that if you are hosting a PHP developer then he will need or want this feature, but other than that, I'm not sure how widely used PHP source files really are.

If you feel that it is too much of a security risk, you can safely leave it out and suPHP will continue to function without it.
 

Mariusz Jokiel

Could you tell me why I received:

Syntax error on line 932 of /usr/local/apache/conf/httpd.conf:
suPHP_AddHandler not allowed here

Best regards,
Mariusz Jokiel