suPHP consists of two parts. One is an Apache module (mod_suphp) that intercepts requests for PHP pages, determines the owner and group of the requested file and hands that information to the other part: a setuid-root executable that runs php4-cgi as the file's owner and returns the output to the Apache module.
The idea is to limit the damage a vulnerability in a PHP application can do. Instead of running as the shared web-server user, an attacker who exploits a script ends up with an unprivileged, login-locked account that has no execution rights of its own and no access to the code or programs of other users or of the web server itself.
suPHP can be downloaded from http://www.suphp.org/Home.html. Unpack the tarball in /usr/src and compile it with the following options:
#> ./configure --prefix=/usr \
     --with-apxs=/usr/bin/apxs2 \
     --with-apache-user=www-data \
     --with-php=/usr/lib/cgi-bin/php4 \
     --sbindir=/usr/lib/suphp \
     --with-logfile=/var/log/suphp/suphp.log \
     --with-setid-mode \
     --disable-checkpath
Note that --disable-checkpath turns off suPHP's check that the requested script lies below the virtual host's DocumentRoot; it is only needed when scripts are served from outside it, so omit it when you can. PHP itself must also be built as a CGI binary. That means running PHP's configure again, this time without the apache2 (apxs) option and with:
--prefix=/usr --enable-force-cgi-redirect --enable-fastcgi \
--with-config-file-path=/etc/php4/cgi
Enabling the module in Apache works the same way as for SSL. First check whether it is already enabled:
#> if [ -h /etc/apache2/mods-enabled/suphp.load ]; then echo "module enabled"; else echo "module disabled"; fi
To enable it, link the module's .load and .conf files into mods-enabled. (These two files are what the Debian package provides; a source build via apxs2 only installs mod_suphp.so under /usr/lib/apache2/modules, so in that case write a suphp.load containing the matching LoadModule line yourself.)
#> ln -s /etc/apache2/mods-available/suphp.conf /etc/apache2/mods-enabled/suphp.conf
#> ln -s /etc/apache2/mods-available/suphp.load /etc/apache2/mods-enabled/suphp.load
This enables the module in apache2; it becomes active after restarting the server:
#> /etc/init.d/apache2 restart
The configuration of the SSL site, with suPHP enabled, then looks like this:
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName gosa.chaosdimension.org
    DocumentRoot /usr/share/gosa/html
    Alias /gosa /usr/share/gosa/html
    CustomLog /var/log/apache/gosa.log combined
    ErrorLog /var/log/apache/gosa.log
    suPHP_Engine on
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/gosa.cert
    SSLCertificateKeyFile /etc/apache2/ssl/gosa.key
    SSLCertificateChainFile /etc/apache2/ssl/gosa.cert
    SSLCACertificateFile /etc/apache2/ssl/gosa.ca
    SSLCACertificatePath /etc/apache2/ssl/
    SSLLogLevel error
    SSLLog /var/log/apache2/ssl-gosa.log
    <Directory /usr/share/gosa>
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Directory>
</VirtualHost>
Here SSLCertificateChainFile points at the server certificate itself, which only works if that file already contains the intermediate certificates (or there are none); with a separate CA chain, point it at the chain file instead. The SSLVerifyClient require inside the Directory block means every request below /usr/share/gosa, PHP or static, needs a client certificate signed by the CA in gosa.ca.
Next we have to decide which user the scripts will run as. Here I create a dedicated one called "gosa" for suPHP to use:
#> useradd -d /usr/share/gosa/html gosa
#> passwd -l gosa
#> cd /usr/share/gosa
#> find /usr/share/gosa -name "*.php" -exec chown gosa {} \;
#> find /usr/share/gosa -name "*.php" -exec chmod 600 {} \;
passwd -l only locks the password; if nothing needs to log in as gosa, give the account a non-interactive shell as well. Mode 600 means the Apache user (www-data) can no longer read the scripts, which is intended: suPHP executes them as gosa, and mod_suphp only needs to stat them, so the directories must stay searchable by www-data. Static files (images, stylesheets) are still served by Apache itself and must remain readable by www-data. Keep the scripts free of group and world write bits and never chown them to root: suPHP refuses to run a script that is writable by others, or whose owner is root or a uid below its configured minimum.
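A post-install audit covering both procedures above, the module enabling and the script ownership, as an added example that is not part of this article or of the suPHP project. It assumes the paths used here (the helper at /usr/lib/suphp/suphp from --sbindir, /etc/apache2/mods-enabled, /usr/share/gosa/html and the user gosa) but takes them as arguments; the checks are the ones that decide whether suPHP runs a script at all, and as which user.

```shell
#!/bin/sh
# suphp_check.sh: audit the suPHP deployment from this article.
# Added example, not part of the article or of the suPHP project.
# Defaults are the paths used in the article; all can be overridden:
#   sh suphp_check.sh [suphp_binary] [mods_enabled_dir] [docroot] [owner]

# mod_suphp is enabled when both the .load and .conf symlinks exist in
# mods-enabled (the article's test, applied to both files).
suphp_module_enabled() {
    [ -h "$1/suphp.load" ] && [ -h "$1/suphp.conf" ]
}

# The helper that switches users must be a regular file owned by root with
# the setuid bit set (mode 4755) and writable by nobody but root; without
# the setuid bit it cannot change uid and every PHP request fails.
suphp_binary_ok() {
    bin=$1
    [ -f "$bin" ] || return 1
    [ -n "$(find "$bin" -user root -perm -4000 \
                ! \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Print every PHP script under $docroot that is not owned by $owner or is
# writable by group or others, plus every directory writable by others.
# Such scripts either run as the wrong user or are refused by suPHP.
# Returns 0 when nothing is printed.
php_scripts_ok() {
    docroot=$1
    owner=$2
    bad=$( {
        find "$docroot" -type f -name '*.php' \
            \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print
        find "$docroot" -type d -perm -002 -print
    } 2>/dev/null )
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}

main() {
    bin=${1:-/usr/lib/suphp/suphp}
    mods=${2:-/etc/apache2/mods-enabled}
    docroot=${3:-/usr/share/gosa/html}
    owner=${4:-gosa}
    rc=0
    if suphp_module_enabled "$mods"; then
        echo "ok:   mod_suphp enabled in $mods"
    else
        echo "FAIL: suphp.load/suphp.conf not linked in $mods"; rc=1
    fi
    if suphp_binary_ok "$bin"; then
        echo "ok:   $bin is a root-owned setuid binary"
    else
        echo "FAIL: $bin is missing, not root-owned, not setuid, or writable"; rc=1
    fi
    if php_scripts_ok "$docroot" "$owner"; then
        echo "ok:   all *.php under $docroot owned by $owner, not group/world writable"
    else
        echo "FAIL: the files above would run as the wrong user or be refused"; rc=1
    fi
    return $rc
}

# Run the audit only when invoked as a script, so the functions can also
# be sourced from another shell script.
case $0 in
    *suphp_check.sh) main "$@" ;;
esac
```

Run it as root after the steps above; a non-zero exit status means something in the list needs fixing before the site goes live. The ownership check deliberately ignores non-PHP files, since those are served by Apache as www-data and need the opposite permissions.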