What is SuPHP?


SuPHP runs all PHP scripts as the user in whose account they reside, rather than running all scripts as user “nobody”. It also prevents scripts that have insecure permissions from running.

What is the problem with regular PHP, and what benefits does SuPHP offer over it?

  1. SuPHP does not allow files/folders to run where they have group and world write permissions; only the account owner can write to files/folders. This forces all users to ensure that their files/folders have correct permissions and prevents hackers from uploading malicious content into vulnerable folders.
  2. SuPHP allows all PHP scripts to be run under the user account ownership, instead of running under the “nobody” user. This is particularly helpful in tracking down scripts which send out SPAM as the “nobody” user.

A regular PHP installation on a web server runs as the user nobody and doesn’t require the execute flag to be enabled. The problem with a regular PHP installation is that if mod_openbasedir is not installed, every user on the server will be able to read your PHP files, because practically everyone shares the same username (nobody).
PHP files are not meant to be read, but parsed; otherwise everyone who is able to read your PHP file will be able to view settings that you would want to keep private, such as your MySQL username and password.

SuPHP fixes this issue because it requires PHP scripts to be executed with the permissions of their owners. SuPHP also fixes common file ownership issues that mostly occur with a few content management systems, such as Joomla, and with the popular blog software WordPress.

Will SuPHP have any effect on my website?

Most PHP scripts will run well within a SuPHP environment.
However, some older, poorly maintained scripts that rely on insecure permissions (like 777) may experience issues in a SuPHP environment.

– .htaccess

SuPHP does not read .htaccess: it does not support the php_value/php_admin_value directives that mod_php uses to pass configuration options to scripts for certain virtual hosts or directories. All the php_flags in your .htaccess will have to be moved to php.ini, which you will have to create in your public_html directory.

For example, if you have a value such as “php_flag register_globals on” in your .htaccess file, you will need to move it into your php.ini file as “register_globals=on”.
You will have to move every command in .htaccess that starts with php_flag into the php.ini file.

– File permission of 777

Directories that need to be writable will no longer require 777 permissions, and SuPHP will refuse to write to or read from directories exposed with such permissions. Make sure you chmod them to 755.

The highest level of permissions that a user can use on a SuPHP-enabled server is 755. This permission setting is sufficient for any directories/files that need to be written to.

My website shows an Internal Server Error (Error 500): troubleshooting

Move the commands in .htaccess to a php.ini file under your public_html folder; create the file if it does not exist. Check your folder permissions: the highest level of permissions that a user can use on a SuPHP-enabled server is 755.
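
The two checks above (moving php_* directives out of .htaccess and finding files or folders with group or world write permissions) can be scripted. The following is an added example, not part of the original post or of SuPHP itself; the function names and the sample .htaccess content are constructed for illustration, and it goes slightly beyond the text by also handling php_value and the php_admin_* variants.

```python
import os
import re
import stat

# Constructed sample .htaccess, not taken from a real site.
SAMPLE_HTACCESS = """\
# constructed sample
RewriteEngine On
php_flag register_globals on
php_value upload_max_filesize 8M
  php_value include_path ".:/usr/share/php"
"""

# mod_php directives: php_flag / php_value / php_admin_flag / php_admin_value
_PHP_DIRECTIVE = re.compile(
    r"^\s*php_(?:admin_)?(?:flag|value)\s+(\S+)\s+(.+?)\s*$", re.IGNORECASE)


def split_htaccess(text):
    """Return (ini_lines, kept_lines): mod_php directives rewritten as
    php.ini 'name=value' lines, everything else left for .htaccess."""
    ini, kept = [], []
    for line in text.splitlines():
        match = _PHP_DIRECTIVE.match(line)
        if match:
            ini.append(f"{match.group(1)}={match.group(2)}")
        else:
            kept.append(line)
    return ini, kept


def group_or_world_writable(root):
    """List (relative path, octal mode) for entries under root that are
    writable by group or others, e.g. 777 or 664."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                hits.append((os.path.relpath(path, root), format(mode, "03o")))
    return sorted(hits)


if __name__ == "__main__":
    ini_lines, remaining = split_htaccess(SAMPLE_HTACCESS)
    print("\n".join(ini_lines))          # lines to put in public_html/php.ini
    print(group_or_world_writable("."))  # paths to chmod before retrying
```

Run it from the public_html folder: the first output is what belongs in php.ini, the second lists the paths whose permissions need tightening.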