Troubleshoot suPHP Permission Issues
Posted on November 11th, 2016
suPHP requires folders and files to have a specific set of ownership and permissions for PHP scripts to be handled properly. While working with suPHP you will see a lot of errors such as “500 Internal Server Error” and “403 Forbidden error”, broken images, JavaScript behaviors that do not appear to work, and simple errors that contain the word “permission”. Tracking down and fixing these errors is a time-consuming process that requires patience. These errors are common when switching from the current PHP handler to the suPHP handler. The suPHP handler is a CGI-based handler that usually runs PHP requests using the Apache suEXEC feature. suPHP is generally used by hosting companies because it offers additional security for the entire server, which normally hosts a large number of domains and user accounts. With suPHP enabled, PHP requests are handled with the privileges of the corresponding user account. Sometimes poor configuration in suphp.conf leads to permission issues.
Sample suPHP Configuration
1) Path to logfile
logfile=/var/log/suphp.log
2) User Apache is running as
webserver_user=wwwrun
3) Path all scripts have to be in
docroot=/var/www:${HOME}/public_html
4) Path to chroot() to before executing script
chroot=/mychroot
5) Security options
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false
6) Check whether script is within DOCUMENT_ROOT
check_vhost_docroot=true
7) Send minor error messages to browser
errors_to_browser=false
8) PATH environment variable
env_path="/bin:/usr/bin"
9) Umask to set, specify in octal notation
umask=0077
10) Minimum UID
min_uid=100
11) Minimum GID
min_gid=100
12) Handler for php-scripts
x-httpd-php="php:/usr/bin/php"
13) Handler for CGI-scripts
x-suphp-cgi="execute:!self"
Troubleshooting
suPHP will prevent any PHP files with world-writable permissions from being run. Most files and folders can have permissions set up to 644 and 755 respectively. All the files and folders must be owned by the particular user. The permissions of folders and files can be set using the following commands.
1) Change permissions for all folders to 755
find /home/*/public_html -type d -exec chmod 755 {} \;
2) Change permissions for all files to 644
find /home/*/public_html -type f -exec chmod 644 {} \;
3) Change permission for only php scripts to 600
find /home/*/public_html -type f -name '*.php' -exec chmod 600 {} \;
4) Remove any php_value and php_flag entries in .htaccess files; the following commands list them with file name and line number
find /home -type f -name '.htaccess' -exec grep -Hrn 'php_value' '{}' \;
find /home -type f -name '.htaccess' -exec grep -Hrn 'php_flag' '{}' \;
Fixperms
This script sets the ownership of files and folders to user:user, which satisfies suPHP's security conditions. It is only compatible with cPanel servers, and it is highly recommended to take a complete backup of the server before running it. By default the script runs in quiet mode with minimal output. To see what is happening while it runs, turn on verbosity with the -v option and the script will display everything. To use fixperms, log in as the root user and wget the file from the following link.
wget https://raw.githubusercontent.com/PeachFlame/cPanel-fixperms/master/fixperms.sh
Fixperms script can be run for a specific account or for all accounts, with or without verbosity.
Fixperms for single user
sh ./fixperms.sh -a user_name
sh ./fixperms.sh -v -a user_name
Fixperms for all users
sh ./fixperms.sh -all
sh ./fixperms.sh -v -all
Overview
Once suPHP is enabled, the following requirements should be checked and matched.
1) All files including php scripts have permissions of 644 and below
2) All folders have permissions of 755 and below
3) All php_flag and php_value entries in .htaccess files must be removed
4) The owner:group of all files and folders must be the particular user
5) Complete server backup must be made before running fixperms script.
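A read-only audit for the requirements listed above, as an added example that is not part of the original article or of the fixperms script. It lists group- or world-writable files and folders, entries not owned by the account user, and php_value/php_flag lines in .htaccess; the function names suphp_audit and suphp_demo and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Read-only audit of a docroot against the suPHP rules in this article.
# Prints one "CODE path" line per finding and changes nothing on disk.
# suphp_audit and suphp_demo are hypothetical helper names (assumptions).
suphp_audit() {
    root=$1    # e.g. /home/user_name/public_html
    owner=$2   # account name or numeric UID that must own everything

    # allow_file_group_writeable / allow_file_others_writeable = false
    find "$root" -type f \( -perm -020 -o -perm -002 \) -print |
        sed 's/^/FILE_WRITABLE /'

    # allow_directory_group_writeable / allow_directory_others_writeable = false
    find "$root" -type d \( -perm -020 -o -perm -002 \) -print |
        sed 's/^/DIR_WRITABLE /'

    # Every file and folder must belong to the account user
    find "$root" ! -user "$owner" -print | sed 's/^/WRONG_OWNER /'

    # php_value / php_flag directives left in .htaccess (path:line:text)
    find "$root" -type f -name '.htaccess' \
        -exec grep -HnE '^[[:space:]]*php_(value|flag)' {} + |
        sed 's/^/HTACCESS /'
    return 0
}

# Constructed sample tree so the check can be tried without touching /home.
suphp_demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/ok" "$d/uploads"
    printf '<?php echo 1;\n' > "$d/ok/index.php"
    printf '<?php echo 2;\n' > "$d/uploads/form.php"
    printf 'php_flag display_errors on\nOptions -Indexes\n' > "$d/.htaccess"
    chmod 755 "$d" "$d/ok"; chmod 644 "$d/ok/index.php" "$d/.htaccess"
    chmod 777 "$d/uploads"; chmod 666 "$d/uploads/form.php"
    suphp_audit "$d" "$(id -u)"
    rm -rf "$d"
}

# Run "sh thisfile.sh demo" to see the findings for the sample tree.
if [ "${1:-}" = "demo" ]; then suphp_demo; fi
```

Running the audit for one account before and after the chmod commands or fixperms shows exactly which paths were out of line, for example `suphp_audit /home/user_name/public_html user_name`.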