Troubleshoot suPHP Permission Issues

Posted on November 11th, 2016

suPHP requires folders and files to have specific ownership and permissions in order to handle PHP scripts properly. While working with suPHP you will see errors such as “500 Internal Server Error” and “403 Forbidden”, broken images, JavaScript behaviors that do not appear to work, and simple errors that contain the word “permission”. Tracking down and fixing these errors is a time-consuming process that requires patience. They are common when switching from the current PHP handler to the suPHP handler. The suPHP handler is a CGI-based handler that usually runs PHP requests using the Apache suEXEC feature. suPHP is generally used by hosting companies because it offers additional security for the entire server, which normally holds a large number of domains and user accounts. With suPHP enabled, PHP requests are handled with the privileges of the corresponding user account. Sometimes poor configuration in suphp.conf leads to permission issues.

 

Sample SuPHP Configuration

1) Path to logfile

logfile=/var/log/suphp.log

2) User Apache is running as

webserver_user=wwwrun

3) Path all scripts have to be in

docroot=/var/www:${HOME}/public_html

4) Path to chroot() to before executing script

chroot=/mychroot

5) Security options

allow_file_group_writeable=false

allow_file_others_writeable=false

allow_directory_group_writeable=false

allow_directory_others_writeable=false

6) Check whether script is within DOCUMENT_ROOT

check_vhost_docroot=true

7) Send minor error messages to browser

errors_to_browser=false

8) PATH environment variable

env_path="/bin:/usr/bin"

9) Umask to set, specify in octal notation

umask=0077

10) Minimum UID

min_uid=100

11) Minimum GID

min_gid=100

12) Handler for php-scripts

x-httpd-php="php:/usr/bin/php"

13) Handler for CGI-scripts

x-suphp-cgi="execute:!self"

 

Troubleshooting

suPHP will prevent any PHP file with world-writable permissions from being run. Most files can have permissions of up to 644, and most folders up to 755. All files and folders must be owned by the corresponding account user. The following commands set the permissions of folders and files.

1) Change permissions for all folders to 755

find /home/*/public_html -type d -exec chmod 755 {} \;

2) Change permissions for all files to 644

find /home/*/public_html -type f -exec chmod 644 {} \;

3) Change permission for only php scripts to 600

find /home/*/public_html -type f -name '*.php' -exec chmod 600 {} \;

4) Find any php_value and php_flag entries in .htaccess files so that they can be removed

find /home -type f -name '.htaccess' -exec grep -Hrn 'php_value' '{}' \;

find /home -type f -name '.htaccess' -exec grep -Hrn 'php_flag' '{}' \;

 

Fixperms

This script sets the ownership of files and folders to user:user, which satisfies the suPHP security conditions. It is only compatible with cPanel servers, and it is highly recommended to take a complete backup of the server before running it. By default the script runs in quiet mode with minimal output. To see what is happening while the script runs, turn on verbosity with the -v option and the script will display everything. To use fixperms, log in as the root user and download the file with wget from the following link.

wget https://raw.githubusercontent.com/PeachFlame/cPanel-fixperms/master/fixperms.sh

The fixperms script can be run for a specific account or for all accounts, with or without verbosity.

 

Fixperms for single user

sh ./fixperms.sh -a user_name

sh ./fixperms.sh -v -a user_name

Fixperms for all users

sh ./fixperms.sh -all

sh ./fixperms.sh -v -all

 

Overview

Once suPHP is enabled, the following requirements should be checked and met.

1) All files, including PHP scripts, have permissions of 644 or lower

2) All folders have permissions of 755 or lower

3) All php_flag and php_value entries in .htaccess files must be removed

4) The owner:group of all files and folders must be the corresponding account user

5) A complete server backup must be made before running the fixperms script.
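
A read-only way to check the requirements listed above before changing anything, as an added example that is not part of the original post or of the fixperms project. The function name suphp_audit, the helper _tag and the finding labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of a docroot against the checklist above.
# suphp_audit, _tag and the finding labels are hypothetical names, not suPHP's.

# Prefix every line read on stdin with a finding label and a tab.
_tag() {
    while IFS= read -r p; do printf '%s\t%s\n' "$1" "$p"; done
}

# suphp_audit DOCROOT [OWNER]  -- prints findings, changes nothing on disk.
suphp_audit() {
    docroot=$1
    owner=${2:-}

    # Group- or other-writable files; suPHP refuses these when
    # allow_file_group_writeable / allow_file_others_writeable are false.
    find "$docroot" -type f \( -perm -020 -o -perm -002 \) | _tag FILE_WRITABLE

    # Group- or other-writable directories (allow_directory_*_writeable=false).
    find "$docroot" -type d \( -perm -020 -o -perm -002 \) | _tag DIR_WRITABLE

    # Anything not owned by the account user (user name or numeric UID).
    if [ -n "$owner" ]; then
        find "$docroot" ! -user "$owner" | _tag BAD_OWNER
    fi

    # Active php_value / php_flag directives in .htaccess (comment lines skipped).
    find "$docroot" -type f -name '.htaccess' \
        -exec grep -Hn -E '^[[:space:]]*php_(value|flag)' {} \; | _tag HTACCESS_PHP
}

# Usage: sh suphp_audit.sh /home/user_name/public_html user_name
if [ "$#" -gt 0 ]; then
    suphp_audit "$@"
fi
```

Run it before and after the chmod or fixperms steps; empty output means none of the listed conditions were found.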

 

If you need any further assistance please contact our support department.

 

 
