Running PHP scripts as specific users with suphp
Posted by Steve on Tue 25 Jan 2005 at 11:33
If you run a webserver for lots of different users it can be useful to allow each PHP script to run under the identity of the user who owns it, rather than having every PHP script on the system run as the same user (typically www-data on Debian systems). suphp allows you to do this easily.
The module wasn't packaged as part of the Debian Woody release so we'll only mention using Sid / Testing here.
If you wish to install the module on a Woody system you will have to investigate a backported version, or build it from source yourself (which isn't as hard as it sounds!).
If you're running Debian testing (sarge), or sid you can install the module as follows:
apt-get install libapache-mod-suphp
This will install the cli version of PHP, that is the version which can be executed from the command line. This is invoked by the Apache module when incoming requests are made to PHP scripts.
Now that we've installed the module we need to set it up, there are two things to do:
- Remove the mention of mod-php.
- Configure suphp.
Removing the module version of php can be done by commenting out these lines in your Apache configuration files /etc/apache/httpd.conf, and /etc/apache/modules.conf:
LoadModule php4_module /usr/lib/apache/1.3/libphp4.so
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
Once those lines are commented out, or removed, you can remove the libapache-mod-php package:
dpkg --purge libapache-mod-php4
You might have installed the virtual package php4; if so you will receive errors and should remove that package too:
dpkg --purge libapache-mod-php4 php4
Now we need to configure the suphp module. First of all we need to make sure it is loaded, by including the following line in /etc/apache/modules.conf:
LoadModule suphp_module /usr/lib/apache/1.3/mod_suphp.so
Then in the main configuration file we need to add the following three directives, after the loading of the modules:
suPHP_Engine on
suPHP_ConfigPath /etc/php4/apache
AddHandler x-httpd-php .php
This should be sufficient to allow the module to work. Restart Apache and check whether you receive any errors; if not, your setup is complete.
Because your PHP scripts will now run under different user IDs than before, you might need to make some changes to them. For example, if a script used to write to its own data files, those files might be owned by www-data or nobody; they should now be changed to the user who owns the script, since that is the user it runs as.
Note: the module works by looking at the owner of the script and then becoming that user to execute it, but it will refuse to execute scripts owned by root. You should instead add a user to own those files.
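Before switching a document root over to suphp it is worth auditing file ownership. The shell script below is an added example, not code from the original article or from the suphp project; it reports PHP scripts suphp will refuse (root-owned, and, going beyond the article, scripts writable by others, which suphp's default configuration also rejects) and files still owned by the old module user that need a chown. DOCROOT, OLD_USER and the function names are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight ownership audit for a suphp migration.
# DOCROOT and OLD_USER are assumptions; adjust them to your server.
DOCROOT="${DOCROOT:-/var/www}"
OLD_USER="${OLD_USER:-www-data}"

# classify OWNER OCTAL_MODE PATH -> prints refuse | rechown | ok
classify() {
    owner=$1; mode=$2; path=$3
    case "$path" in
        *.php)
            if [ "$owner" = root ]; then
                echo refuse          # suphp never executes root-owned scripts
            elif [ "$owner" = "$OLD_USER" ]; then
                echo rechown         # still owned by the old mod_php identity
            else
                # last octal digit with the write bit (2) set = writable by
                # others, which suphp's default configuration also refuses
                case "$mode" in
                    *[2367]) echo refuse ;;
                    *)       echo ok ;;
                esac
            fi ;;
        *)
            # data files the scripts write to: only ownership matters here
            if [ "$owner" = "$OLD_USER" ]; then echo rechown; else echo ok; fi ;;
    esac
}

# audit reads "OWNER MODE PATH" lines on stdin, prints one line per problem
# and returns 1 if anything needs attention, so it can gate the migration.
audit() {
    problems=0
    while read -r owner mode path; do
        verdict=$(classify "$owner" "$mode" "$path")
        if [ "$verdict" != ok ]; then
            printf '%s\t%s\t(owner %s, mode %s)\n' "$verdict" "$path" "$owner" "$mode"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Live run over the document root (GNU find -printf; %m is the octal mode).
audit_docroot() {
    find "$DOCROOT" -type f -printf '%u %m %p\n' | audit
}
```

Run `audit_docroot` as root before enabling the module; every `rechown` line is a file to chown to the script's real owner, and every `refuse` line is a script suphp will not serve as it stands.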
To test the module we can write a simple file:
cat >> /var/www/t.php << EOF
<? system( "id" ); ?>
EOF
chown steve:steve /var/www/t.php
Executing that by calling it from a client will show you something similar to this output:
uid=1000(steve) gid=1000(steve) groups=1000(steve)