View Full Version : [suPHP] How to test suPHP


bigtank
19th March 2008, 06:14 AM
Hi

I run Plesk 8.3 under RedHat RHEL 4 and I installed suPHP from
http://dag.wieers.com/rpm/packages/mod_suphp...

The file /etc/httpd/conf.d/suphp.conf just contains the line
"LoadModule....."
(phpinfo tells me that the module mod_suphp is loaded)

After I added the following to the file vhosts.conf:

<Directory /var/www/vhosts/<domain>/httpdocs>
<IfModule sapi_apache2.c>
<IfModule mod_suphp.c>
RemoveHandler x-httpd-php
php_admin_flag engine Off
suPHP_AddHandler x-httpd-php .php
suPHP_Engine on
AddHandler x-httpd-php .php
suPHP_UserGroup <Username> psacln
</IfModule>
</IfModule>
</Directory>


Then I made the file "id.php" with the following input:

<?php
system('id');
?>

When I run http://domain/id.php apache tells me:

uid=48(apache) gid=48(apache) groups=48(apache),2523(psaserv)

If mod_suphp would work correctly shouldn't I get back uid=(<Username>)
instead of uid=48(apache)????


Thnx for help

bt

HostingGuy
1st April 2008, 01:12 PM
Did you do

/usr/local/psa/admin/bin/websrvmng -u --vhost-name=<domain.com>

and restarted httpd after installing?

Also another way to test if the vhost.conf is hitting the suphp place is to remove your if statements

<IfModule mod_suphp.c>

</IfModule>

and then see what happens when it executes.

bigtank
1st April 2008, 05:32 PM
@ ALL

I found it out :-)

In the attachment I wrote the solution.

Just a HowTo for installing suPHP under RHEL 4
to use it via plesk :-)


Greets to anybody who is using it.


bigtank

HostingGuy
1st April 2008, 06:37 PM
suPHP_ConfigPath "/var/www/vhosts/<domain>/tmp"
should be
suPHP_ConfigPath "/var/www/vhosts/<domain>/etc"

also by default you should set these:

safe_mode = On
open_basedir = "/var/www/vhosts/<domain>/httpdocs:/var/www/vhosts/<domain>/tmp"

disable_functions = dl , exec , furl_open , passthru , pfsockopen , popen , posix_kill , posix_mkfifo , posix_setuid , proc_close , proc_open , proc_terminate , shell_exec , system , leak , posix_kill , posix_setpgid , posix_setsid , proc_get_status , proc_nice , show_source

upload_tmp_dir = "/var/www/vhosts/<domain>/tmp"


You also need to create the two directories and set permissions
mkdir -p /var/www/vhosts/<domain>/tmp
mkdir -p /var/www/vhosts/<domain>/etc
chmod 777 /var/www/vhosts/<domain>/tmp
chmod 644 /var/www/vhosts/<domain>/etc

after creating the vhost.conf you should do
/usr/local/psa/admin/bin/websrvmng -u --vhost-name=<domain>

Then you can create an event handler that will check for physical hosting created/modified that will set the php.ini values for safe mode based on the check box, because you want it to be on for everyone unless they specifically need it off, instead of off unless they need it on, because then no one would turn it on.
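
Added example, not part of the thread: a small audit of a per-domain php.ini against the settings listed in the post above (safe_mode, open_basedir, upload_tmp_dir, disable_functions). The function names and the short list of functions checked are assumptions chosen for illustration.

```shell
#!/bin/bash
# Added example (not from the thread): audit a per-domain php.ini against
# the settings listed in the post above. Function names are hypothetical.

# Print the last value assigned to directive $2 in ini file $1, unquoted.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

# Succeed only if path $1 lies below vhost directory $2 with no ".." part.
inside_vhost() {
    case "$1" in
        */..|*/../*) return 1 ;;
        "$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one finding per line for ini file $1 of the vhost rooted at $2.
audit_php_ini() {
    local ini="$1" root="$2" v p fn list
    v=$(ini_get "$ini" safe_mode | tr 'A-Z' 'a-z')
    [ "$v" = "on" ] || echo "safe_mode is not On"
    v=$(ini_get "$ini" upload_tmp_dir)
    inside_vhost "$v" "$root" || echo "upload_tmp_dir outside vhost: $v"
    v=$(ini_get "$ini" open_basedir)
    [ -n "$v" ] || echo "open_basedir is not set"
    local IFS=:
    for p in $v; do
        inside_vhost "$p" "$root" || echo "open_basedir entry outside vhost: $p"
    done
    # Normalise "a , b,c" to " a b c " so whole names can be matched.
    list=" $(ini_get "$ini" disable_functions | tr ',' ' ' | tr -s ' ') "
    for fn in exec passthru popen proc_open shell_exec system; do
        case "$list" in
            *" $fn "*) ;;
            *) echo "disable_functions lacks $fn" ;;
        esac
    done
}
```

Call it as `audit_php_ini /var/www/vhosts/<domain>/etc/php.ini /var/www/vhosts/<domain>`; no output means every check passed.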

lvalics
2nd April 2008, 01:30 AM
You can also use Power Toys to configure domains for mod_suphp.

HostingGuy
2nd April 2008, 08:37 PM
yes, but if you use a properly written installer, or install it by hand, and then setup an event handler that will look at "physical hosting created" and "physical hosting modified" you can then use those events to determine if they have php and safe mode enabled, and if so set the vhost.conf options

Then you don't need to spend any money to get the same functionality :)

bigtank
7th April 2008, 06:42 AM
@ HostingGuy

Can you give me a hint how to create an event handler that will look at "physical hosting created"?


Thx

bigtank

HostingGuy
7th April 2008, 12:07 PM
This assumes that you have a php.ini file that is ready to be copied to each user, and is already preconfigured at /etc/suphp-php.ini, or whatever you want to call it.

Each thing that is "preconfigured" should be setup in the way of

#grep DOMAIN_NAME /etc/suphp-php.ini

open_basedir ="/var/www/vhosts/DOMAIN_NAME/httpdocs:/var/www/vhosts/DOMAIN_NAME/tmp"
doc_root = /var/www/vhosts/DOMAIN_NAME/httpdocs
upload_tmp_dir = "/var/www/vhosts/DOMAIN_NAME/tmp"
session.save_path = "/var/www/vhosts/DOMAIN_NAME/tmp"


The script will automatically replace DOMAIN_NAME with the real value when it copies the php.ini file to the domain. If you use a different VHOSTROOT it will also update that.


Something similar to this - this specifically may not work for you, but it's a good starting point.

#!/bin/bash

PHPINI="/etc/suphp-php.ini"
VHOSTROOT="/var/www/vhosts"

# Stop if no domain name was passed in; every path below is built from it.
: "${NEW_DOMAIN_NAME:?NEW_DOMAIN_NAME is not set}"
DOMROOT="$VHOSTROOT/$NEW_DOMAIN_NAME"

# If the NEW_DOMAIN_NAME folder in the vhost root has a conf subdirectory then
# it is a domain name, and not a folder like chroot, default, etc.

MYSQL_PW=$(cat /etc/psa/.psa.shadow)
MYSQL_RUN="mysql -N -B -uadmin -p$MYSQL_PW psa"

# Build MySQL query for getting the php and php safe mode statuses
MYSQL_QUERY="select php, php_safe_mode from hosting where dom_id=(select id from domains where name='$NEW_DOMAIN_NAME');"

# Get the query results, and format
QUERY_RESULTS=$(echo "$MYSQL_QUERY" | $MYSQL_RUN | awk '{print $1,$2}')

# Get individual results
PHP_ENABLED=$(echo $QUERY_RESULTS | awk '{print $1}')
SAFE_MODE=$(echo $QUERY_RESULTS | awk '{print $2}')

# If PHP is enabled, then we will tell vhost.conf to include the suphp.conf file - otherwise we don't care
if [ "$PHP_ENABLED" = "true" ]; then

    # if vhost.conf exists
    if [ -f "$DOMROOT/conf/vhost.conf" ]; then

        # add the Include only if vhost.conf does not already reference suphp.conf
        if ! grep -q suphp.conf "$DOMROOT/conf/vhost.conf"; then
            echo "Include $DOMROOT/conf/suphp.conf" >> "$DOMROOT/conf/vhost.conf"
        fi

    # if vhost.conf doesn't exist
    else
        echo "Include $DOMROOT/conf/suphp.conf" > "$DOMROOT/conf/vhost.conf"
    fi
fi

# Make the directories for the client
mkdir -p "$DOMROOT/tmp"
mkdir -p "$DOMROOT/etc"

# Copy over a php.ini file if they don't already have one
if [ ! -f "$DOMROOT/etc/php.ini" ]; then
    # They don't have one, let's give them one
    cp -f "$PHPINI" "$DOMROOT/etc/php.ini" >/dev/null 2>&1
fi

# Replace DOMAIN_NAME in the php file
# This should be preconfigured so that you just have to replace
# the text above with the new domain name
perl -pi -e "s/DOMAIN_NAME/$NEW_DOMAIN_NAME/gi" "$DOMROOT/etc/php.ini"

# If there is an old domain name, make sure it's not the same, and has a value, otherwise it will
# replace all characters in the php file, and that is no good.
# \Q...\E makes perl match the old name literally (dots are not wildcards).
if [ "$OLD_DOMAIN_NAME" != "" ]; then
    if [ "$OLD_DOMAIN_NAME" != "$NEW_DOMAIN_NAME" ]; then
        perl -pi -e "s/\Q$OLD_DOMAIN_NAME\E/$NEW_DOMAIN_NAME/gi" "$DOMROOT/etc/php.ini"
    fi
fi

# In case vhost root is not default or is changed without updating php.ini
if [ "/var/www/vhosts" != "$VHOSTROOT" ]; then
    perl -pi -e "s@/var/www/vhosts@$VHOSTROOT@gi" "$DOMROOT/etc/php.ini"
fi

# Turn OFF allow_url_fopen
perl -pi -e "s/allow_url_fopen = On/allow_url_fopen = Off/gi" "$DOMROOT/etc/php.ini"

if [ "$SAFE_MODE" = "false" ]; then
    # Turn OFF safe mode
    perl -pi -e "s/safe_mode = on/safe_mode = off/gi" "$DOMROOT/etc/php.ini"
fi

if [ "$SAFE_MODE" = "true" ]; then
    # Turn ON safe mode
    perl -pi -e "s/safe_mode = off/safe_mode = on/gi" "$DOMROOT/etc/php.ini"
fi

# Get the user and group for the suphp file from the owner of httpdocs
SUPHP_USER=$(stat -c '%U' "$DOMROOT/httpdocs")
SUPHP_GROUP=$(stat -c '%G' "$DOMROOT/httpdocs")
FILE_GROUP="psacln"

# Set permissions on them all too
chown -R "$SUPHP_USER:$FILE_GROUP" "$DOMROOT/tmp"
chown -R root:root "$DOMROOT/etc"
chmod -R 770 "$DOMROOT/tmp"
chmod -R 755 "$DOMROOT/etc"

# Hand everything in httpdocs except plesk-stat to the domain user
for ENTRY in "$DOMROOT"/httpdocs/*; do
    [ -e "$ENTRY" ] || continue
    case "${ENTRY##*/}" in *plesk-stat*) continue ;; esac
    chown -R "$SUPHP_USER:$FILE_GROUP" "$ENTRY"
done

# Remove any pre-existing suphp.conf
rm -f "$DOMROOT/conf/suphp.conf"
cat > "$DOMROOT/conf/suphp.conf" <<EOF
<Directory $DOMROOT/httpdocs>
    php_admin_flag engine Off
    suPHP_Engine on
    suPHP_UserGroup $SUPHP_USER $FILE_GROUP
    # vhost php.ini
    suPHP_ConfigPath "$DOMROOT/etc"
    AddHandler x-httpd-php .php
    suPHP_AddHandler x-httpd-php
</Directory>
EOF

/usr/local/psa/admin/bin/websrvmng -u --vhost-name="$NEW_DOMAIN_NAME"
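
Added example, not part of HostingGuy's script: the handler above places NEW_DOMAIN_NAME and OLD_DOMAIN_NAME into a SQL string, regex substitutions and file paths, so this sketch checks the name first and matches the old name literally. The function names are hypothetical, sed stands in for the perl one-liners, and the sample lines are constructed.

```shell
#!/bin/bash
# Added example: validate the domain name handed to the event handler
# before it reaches a SQL string, a regex or a path. Function names are
# hypothetical; the sample line at the bottom is constructed input.
LC_ALL=C; export LC_ALL   # make the character ranges below byte-wise

# Accept only letters, digits, hyphens and dots, with non-empty labels
# that neither start nor end with a hyphen. Everything else is rejected.
valid_domain() {
    local d="$1" label
    [ -n "$d" ] && [ "${#d}" -le 253 ] || return 1
    case "$d" in
        *[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
    esac
    local IFS=.
    for label in $d; do
        [ "${#label}" -le 63 ] || return 1
        case "$label" in -*|*-) return 1 ;; esac
    done
    return 0
}

# Fill the DOMAIN_NAME placeholder in a php.ini template read from stdin.
# A validated name has no '/', '&' or '\' for sed to misinterpret.
render_php_ini() {
    valid_domain "$1" || { echo "rejected domain name: $1" >&2; return 1; }
    sed "s/DOMAIN_NAME/$1/g"
}

# Replace old domain $1 with new domain $2 on stdin, matching the old
# name literally: an unescaped '.' in a regex matches any character.
rename_domain() {
    valid_domain "$1" && valid_domain "$2" || return 1
    local old_re
    old_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed "s/$old_re/$2/g"
}

# Constructed template line rendered for a constructed domain.
printf 'open_basedir = "/var/www/vhosts/DOMAIN_NAME/httpdocs"\n' |
    render_php_ini example.com
```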

Ionut
14th April 2008, 10:20 PM
I think the best way is to globally set suphp and exclude the webmail. If you don't do that and you allow creations of subdomains then those will not be protected.

suphp should come with plesk. It's not that hard to integrate.

lvalics
15th April 2008, 12:51 AM
It is not a good way to enable it globally, because a lot of domains can be affected, especially if old domains used 777 or other chmod or uploaded files as apache. They will get an error later.
The best way is to disable globally and enable per domain in vhost.conf.

madcat
8th May 2008, 05:36 PM
Hello. I am setting up a new server, and I want suphp enabled for each domain, without having to setup a new vhost.conf for each new domain. Any ideas?

HostingGuy
8th May 2008, 05:59 PM
One idea would be to read the posts about this topic that will tell you how to do what you asked - some of which are already in this thread.

madcat
8th May 2008, 07:15 PM
If you're talking about the script above, it's nice, but it's not what I'm looking for. I would like to have the apache config needed for mod_suphp included in either the httpd.include for the domain in question, or somewhere in a global config in /etc/httpd/. I don't see that anywhere in this thread ... am I missing something? I found this thread in the first place by searching for the text 'mod_suphp'.

HostingGuy
8th May 2008, 07:31 PM
That's not really possible because each domain will need its own custom settings, and httpd.include will get overwritten frequently so anything you add in there will get deleted.

There really is no good way to do it without using vhost.conf (which is what that file is for) - anything that you would put into the httpd.include file for the domain should go into vhost.conf instead.

lvalics
9th May 2008, 12:03 AM
And to enable it globally will not allow users to change their own php.ini.
Actually, I think you can enable it globally by putting all the things in /etc/httpd/conf.d/mod_suphp.conf, but that could be a very wrong way.