Prerequisites:

• PHP/LAMP Server installed by Plesk/Apache
• PHP FastCGI Component
• apr-1-util Component
• httpd-devel Component
• Development Tools (gcc/flex/bison)
• suPHP 0.63
• Plesk8.4

Procedure:

1. After all prerequisites are installed, download the suPHP 0.6.3 source to the directory of your choosing. For the purposes of this document, we’re using /usr/local/src
2. Untar the suPHP application, it should install into a directory named suphp-0.6.3
3. Run configure with the following options (or, change for your preferred environment:)

./configure –with-apxs=/usr/sbin/apxs –with-php=/usr/bin/php-cgi –with-logfile=/var/log/suphp.log –with-min-uid=30 –with-min-gid=30 –with-apache-user=apache –with-apr=/usr/bin/apr-1-config –with-setid-mode=owner –prefix=/usr –sysconfdir=/etc

4. After configure succeeds, run the usual make:

make

5. All should go well with your make. If so, then run make install:

make install

6. We’re not done yet. We’ve created mod_suphp.so, which is now located in /usr/lib/httpd/modules, but need to create a new file in /etc/httpd/conf.d/ called “suphp.conf”.  It should look like this:

LoadModule suphp_module modules/mod_suphp.so

<Directory /var/www/vhosts>
php_admin_value engine off
suPHP_Engine On
AddHandler x-httpd-php .php .php3 .php4 .php5
suPHP_AddHandler x-httpd-php
</Directory>

7. Now that we’ve added this file, we need to restart apache:

service httpd restart

8. We’re nearly finished. Now we need to create our configuration for suPHP. Create a file in /etc named “suphp.conf”. Add in the following lines to configure it:

[global]
logfile=/var/log/suphp.log
loglevel=info
webserver_user=apache
docroot=/var/www/vhosts
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false
check_vhost_docroot=false
errors_to_browser=false
env_path=/bin:/usr/bin
umask=0022
min_uid=30
min_gid=30

[handlers]
x-httpd-php=php:/usr/bin/php-cgi
x-suphp-cgi=execute:!self

9. You need to edit /etc/httpd/conf/httpd.conf and either remove the following two lines, or comment them out:
   AddType application/x-httpd-php .php
   AddType application/x-httpd-php-source .phps
10. Restart apache one more time.

service httpd restart

Voila! If you add a file into a directory, say named info.php that had permissions above 0644 – the execution should fail. Directories are required to be 755, files can be no more than 644. This is especially useful for things like Joomla that have their own installers that use incorrect permissions due to PHP running as the user that runs apache. There is only one file that CentOS uses for PHP configuration, which is /etc/php.ini

A great way to test this is by trying software like Joomla – files will execute as you’d expect them to, as the user in question. There may be some issues due to things like not supporting PHP-FastCGI support, but most files won’t notice the difference. Also, make sure you rotate that suphp.log file, as it will grow in info mode, as it logs each file execution.

Prerequisites:

• PHP/LAMP Server installed by Plesk/Apache
• PHP FastCGI Component
• apr-1-util Component
• apache2-devel Component
• Development Tools (gcc/flex/bison)
• suPHP 0.62
• Plesk8.3

Procedure:

1. After all prerequisites are installed, download the suPHP 0.62 source to the directory of your choosing. For the purposes of this document, we’re using /usr/local/src
2. Untar the suPHP application, it should install into a directory named suphp-0.6.2
3. Copy or link all files from /usr/include/apr-1 into /usr/include/apache2
4. Copy /srv/www/cgi-bin/php5 to /usr/bin/php5-cgi
5. Run configure with the following options (or, change for your preferred environment:)

./configure –with-apxs=/usr/sbin –with-php=/usr/bin/php5-cgi –with-logfile=/var/log/suphp.log –with-min-uid=30 –with-min-gid=30 –with-apache-user=wwwrun –with-apr=/usr/bin/apr-1-config –with-setid-mode=owner –prefix=/usr –sysconfdir=/etc

6. After configure succeeds, run the usual make:

make

7. All should go well with your make. If so, then run make install:

make install

8. We’re not done yet. We’ve created mos_suphp.so, which is now located in /usr/lib/apache2, but need to modify /etc/sysconfig/apache2 so that our suphp module is included. You can do so by changing the following line:

APACHE_MODULES=”rewrite actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5 perl”

To:

APACHE_MODULES=”rewrite actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5 perl suphp”

Notice, all I’ve done is added in “suphp” to the end of the string.

9. Now that we’ve done this, we need to restart apache:

rcapache2 restart

10. Once this is done, check /etc/apache2/sysconfig.d/loadmodule.conf to make sure the following line is added:

LoadModule suphp_module /usr/lib/apache2/mod_suphp.so

11. We’re nearly finished. Now we need to create our configuration for suPHP. Create a file in /etc named “suphp.conf”. Add in the following lines to configure it:

[global]
logfile=/var/log/suphp.log
loglevel=info
webserver_user=wwwrun
docroot=/srv/www/vhosts
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false
check_vhost_docroot=false
errors_to_browser=false
env_path=/bin:/usr/bin
umask=0022
min_uid=30
min_gid=30

[handlers]
x-httpd-php=php:/usr/bin/php5-cgi
x-suphp-cgi=execute:!self

12. Save this file, our final configuration is within the /etc/apache2/httpd.conf file at the end of that file:

<Directory /srv/www/vhosts>
php_admin_value engine off
suPHP_Engine On
AddHandler x-httpd-php .php .php3 .php4 .php5
suPHP_AddHandler x-httpd-php
</Directory>

Which will also add the following two lines, make sure to comment them out:

#AddType application/x-httpd-php .php
#AddType application/x-httpd-php-source .phps

13. Restart apache one more time:

rcapache2 restart

Voila! If you add a file into a directory, say named info.php that had permissions above 0644 – the execution should fail. Directories are required to be 755, files can be no more than 644. This is especially useful for things like Joomla that have their own installers that use incorrect permissions due to PHP running as the user that runs apache. Remember, there are two PHP configurations now, /etc/php5/apache2/php.ini (this is our general config for things like plesk/webmail), and /etc/php5/fastcgi/php.ini (this is our config for websites that run under suPHP).

A great way to test this is by trying software like Joomla – files will execute as you’d expect them to, as the user in question. There may be some issues due to things like not supporting PHP-FastCGI support, but most files won’t notice the difference. Also, make sure you rotate that suphp.log file, as it will grow in info mode, as it logs each file execution.