Using suexec To Secure A Shared Server

2008-01-05 07:20

The challenge with securing a shared hosting server is how to secure the website from attack both from the outside and from the inside. PHP has built-in features to help, but ultimately it’s the wrong place to address the problem.

So what can Apache do to help?

It turns out that there are quite a few alternative ways that Apache can help. This article will look at what we can do with stock Apache, and the next few articles will look at what we can do with some interesting third-party Apache modules.

  • suexec: Running CGI Programs As A Specified User
  • Configuring Apache With PHP/CGI
  • Configuring suexec With PHP/CGI
  • Configuring suexec For Shared Servers
  • Some Benchmarks
  • Other Considerations
  • Conclusions

suexec: Running CGI Programs As A Specified User

To secure a shared hosting server, we want to be able to run PHP as the user who owns that particular website. One way to do this with stock Apache is with suexec.

suexec is a standard Apache module which allows you to run a CGI executable as a specified user and group. CGI executables date back to the very early days of the web, back when we all had to use Perl to create dynamic websites. Although PHP is commonly run as an Apache module, it still provides support for CGI.

Check with your Linux vendor to make sure that you have PHP/CGI installed on your box.

Configuring Apache With PHP/CGI

The first step for getting suexec working is to configure Apache to run PHP as a CGI executable, instead of using mod_php. Add the following configuration to your httpd.conf file:

# Map the URL /php5-cgi to the PHP CGI binary
ScriptAlias /php5-cgi /usr/bin/php-cgi
# Requests handled by "php5-cgi" are passed to that URL
Action php5-cgi /php5-cgi
AddHandler php5-cgi .php
DirectoryIndex index.php

… and add the following line to your virtual host:

AddHandler php5-cgi .php

In your httpd.conf file (or in one of the files that httpd.conf includes), there will be a <Directory> entry for the directory on disk where your virtual host is stored. Inside that <Directory> entry, there should be an “Options” line, which might look like this:

Options Indexes FollowSymLinks

Add “ExecCGI” to the end of your Options line.

Make sure to comment out mod_php from Apache. Then, restart Apache, and do some testing to make sure that PHP 5 is working.

For reference, here is the Apache config from my test system:

ScriptAlias /php5-cgi /usr/bin/php-cgi
Action php5-cgi /php5-cgi
AddHandler php5-cgi .php
DirectoryIndex index.php index.phtml

<VirtualHost *:80>
        DocumentRoot /var/www/localhost/htdocs
        <Directory /var/www/localhost/htdocs>
                Options Indexes FollowSymLinks ExecCGI
                AllowOverride All
                Order allow,deny
                Allow from all
        </Directory>
        AddHandler php5-cgi .php
</VirtualHost>
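
The steps above can be checked mechanically before restarting Apache. The following is an added example, not part of the original article: a small Python check that mod_php is disabled, that the AddHandler -> Action -> ScriptAlias chain links up, and that ExecCGI is set. The sample configuration (including its LoadModule line) is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the configuration shown in this article.
SAMPLE_CONF = """\
#LoadModule php5_module modules/libphp5.so
ScriptAlias /php5-cgi /usr/bin/php-cgi
Action php5-cgi /php5-cgi
AddHandler php5-cgi .php
<VirtualHost *:80>
    DocumentRoot /var/www/localhost/htdocs
    <Directory /var/www/localhost/htdocs>
        Options Indexes FollowSymLinks ExecCGI
    </Directory>
    AddHandler php5-cgi .php
</VirtualHost>
"""

def active_lines(conf):
    """Return directive lines with comments and blank lines removed."""
    stripped = (raw.strip() for raw in conf.splitlines())
    return [line for line in stripped if line and not line.startswith("#")]

def check_php_cgi(conf):
    """Return a list of problems; an empty list means every step was applied."""
    lines = active_lines(conf)
    problems = []
    # If mod_php is still loaded, .php may still run in-process as the Apache user.
    if any(re.match(r"LoadModule\s+php\d*_module\b", l, re.I) for l in lines):
        problems.append("mod_php is still loaded")
    alias = [l.split() for l in lines if l.lower().startswith("scriptalias ")]
    action = [l.split() for l in lines if l.lower().startswith("action ")]
    handlers = {l.split()[1] for l in lines
                if l.lower().startswith("addhandler ") and ".php" in l.split()[2:]}
    # The chain must link up: AddHandler name -> Action name -> ScriptAlias URL.
    targets = {a[2] for a in action if len(a) >= 3 and a[1] in handlers}
    if not targets:
        problems.append("no AddHandler/Action pair routes .php to a CGI URL")
    elif not any(len(s) >= 3 and s[1] in targets for s in alias):
        problems.append("Action URL has no matching ScriptAlias")
    # Simplification: every <Directory> block in the fragment must allow ExecCGI.
    for m in re.finditer(r"<Directory\s+([^>]+)>(.*?)</Directory>",
                         "\n".join(lines), re.S | re.I):
        opts = re.search(r"^Options\s+(.*)$", m.group(2), re.M | re.I)
        names = [o.lstrip("+").lower() for o in opts.group(1).split()] if opts else []
        if "execcgi" not in names:
            problems.append("ExecCGI missing for " + m.group(1).strip())
    return problems
```

Pass the contents of httpd.conf (with any included files concatenated) to check_php_cgi() and fix whatever it reports before testing PHP in the browser.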

Configuring suexec For PHP/CGI
