apache2 mod_suphp php-cgi

A slight change in the setup, and now I can see which user is executing the scripts on my website.

Before, when Apache interpreted a PHP script it called FastCGI, which in turn called the php-cgi binary. But the PHP binary was still executed as the calling user, which in our case is the user the Apache program runs as.

With suPHP, a setuid suphp wrapper sits in between: the call to the php-cgi binary happens only after the suphp wrapper has changed the user and group to whatever we specify.

Here is my configuration:

neutron:/var/www# cat /etc/apache2/mods-enabled/suphp.load
LoadModule suphp_module /usr/lib/apache2/modules/mod_suphp.so

neutron:/var/www# cat /etc/apache2/mods-enabled/suphp.conf
<IfModule mod_suphp.c>
AddHandler x-httpd-php .php .php3 .php4 .php5 .phtml
suPHP_AddHandler x-httpd-php
suPHP_Engine on
# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php4/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>

neutron:/var/www# cat /etc/apache2/sites-enabled/gnusys.net
<VirtualHost *>
ServerName gnusys.net
ServerAlias www.gnusys.net
DocumentRoot /var/www/gnusys
suPHP_Engine on
suPHP_UserGroup anoop anoop
AddHandler x-httpd-php .php .php3 .php4 .php5
suPHP_AddHandler x-httpd-php

<Directory "/var/www/gnusys">
AllowOverride FileInfo Limit Options Indexes
</Directory>

</VirtualHost>

neutron:/var/www#

I was getting the error "configuration directive not recognized" when I used suPHP_UserGroup in the Apache config.

Later I realized that this configuration directive is only supported when suPHP is compiled with setid-mode "force" or "paranoid".

Now each PHP script runs as whichever user owns the script file.
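To make the three setid-modes concrete, here is an added shell example (not from the original post and not suPHP's own code) that reports which user php-cgi ends up running as, given the mode suPHP was compiled with, the vhost's suPHP_UserGroup directive and the owner of the script file. The mode semantics it encodes are suPHP's documented ones as I understand them (owner: run as file owner, directive not accepted; force: run as the configured user; paranoid: run as the configured user only if that user also owns the script), and the vhost text it parses is a constructed copy of the one above.

```shell
# Added example, not part of the original post. Encodes suPHP's setid-modes as
# documented: "owner" runs the script as its file owner and rejects
# suPHP_UserGroup; "force" runs it as the configured user; "paranoid" runs it
# as the configured user only when that user also owns the script.

# Print "user group" from the first suPHP_UserGroup directive read on stdin
# (prints nothing when the vhost has no such directive).
vhost_usergroup() {
    awk '$1 == "suPHP_UserGroup" { print $2, $3; exit }'
}

# Usage: effective_user MODE CONFIGURED_USER SCRIPT_OWNER
# CONFIGURED_USER is "" when the vhost has no suPHP_UserGroup directive.
# Prints the user php-cgi runs as, or "ERROR: ..." when suPHP refuses to run.
effective_user() {
    eu_mode=$1; eu_conf=$2; eu_owner=$3
    case "$eu_mode" in
        owner)
            if [ -n "$eu_conf" ]; then
                echo "ERROR: suPHP_UserGroup not recognized in owner mode"
            else
                echo "$eu_owner"
            fi ;;
        force)
            if [ -n "$eu_conf" ]; then echo "$eu_conf"
            else echo "ERROR: no suPHP_UserGroup set for force mode"; fi ;;
        paranoid)
            if [ -z "$eu_conf" ]; then
                echo "ERROR: no suPHP_UserGroup set for paranoid mode"
            elif [ "$eu_conf" != "$eu_owner" ]; then
                echo "ERROR: script owner $eu_owner differs from $eu_conf"
            else
                echo "$eu_conf"
            fi ;;
        *) echo "ERROR: unknown setid-mode $eu_mode" ;;
    esac
}

# Demo on a constructed copy of the vhost from this post, script owned by anoop.
demo_vhost='<VirtualHost *>
suPHP_UserGroup anoop anoop
</VirtualHost>'
demo_user=$(printf '%s\n' "$demo_vhost" | vhost_usergroup | cut -d' ' -f1)
for m in owner force paranoid; do
    echo "$m: $(effective_user "$m" "$demo_user" anoop)"
done
```

Running it shows the post's situation directly: with suPHP_UserGroup present, owner mode reports the "not recognized" error while force and paranoid run the script as anoop.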

====

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
7275 anoop 16 0 25716 13m 4924 R 6.3 21.2 0:00.19 /usr/bin/php-cgi
6508 root 15 0 7932 1956 1220 R 0.3 3.0 0:00.08 sshd: root@pts/0
6892 www-data 15 0 10356 1548 1120 S 0.3 2.4 0:00.03 /usr/sbin/apache2 -k start
1 root 15 0 1948 488 464 S 0.0 0.7 0:00.00 init [3]
2 root RT 0 0 0 0 S 0.0 0.0 0:00.00 [migration/0]

====

You can see that the request to gnusys.net is served by a php-cgi process running as user anoop, while the Apache worker itself still runs as www-data.

Posted under Apache, Security, hosting, php

This post was written by Anoop Alias on May 22, 2008
