This topic is now archived and is closed to further replies.

edsawkins

Configuring apache

I have recently moved from a shared server to my own dedicated server.

I'm a bit confused about how to set Apache correctly so that I don't need 777 permissions on certain folders, and some of the addons like sitemonitor can write their data files. I'm running the web server as one user - and the files/folders are owned by a different user.

Do I need to use something like suPHP - I have heard that can impact performance. Anyone got any view or suggestions?

Cheers,

Ed


Yes, suPHP would be a good option. With PHP running as CGI with suPHP enabled, your PHP scripts now execute under your user/group level. Files or directories that you require your PHP scripts to write to no longer need to have 777 permissions. In fact, scripts that have 777 permissions, or that reside in directories with 777 permissions, will not run and will instead cause a 500 internal server error when you attempt to execute them, to protect you from someone abusing your scripts. Your scripts and directories can have a maximum of 755 permissions (read/write/execute by you, read/execute by everyone else). PHP running as CGI/suexec is much more secure than the older Apache module method.


I could use some help :)

I might be in over my head trying to install suPHP. I have a virtual dedicated server, root access, but I'm no Linux guru. Are there any experts with a few moments to spare? There are some tutorials out there but they seem very specific to hosting companies. I've downloaded and unpacked, but now treading uncharted waters. I guess I could use some insight on configuration.

Thanks :)


--------------------------------

Justin

osC is awesome. Thanks everyone.


I personally would steer well clear of suPHP and running PHP as a CGI if you are running a VPS .. it's sloooooooooooooooooow.

I would run PHP as an Apache module (DSO) and enable APC opcode cache for speed.

suPHP is essential for multi account "bucket shop" hosting but imo you do not need it for a dedicated/VPS.

If you are worried about 0777 directories just put a .htaccess file in them containing the below:

# Turn the PHP engine off in this directory (php_flag needs PHP loaded as an Apache module)
php_flag engine off
# Refuse requests for script-like files: .php, .php5, .html/.shtml/.phtml, .cgi, .pl
<Files ~ "\.(php[0-9]*|s?p?html|cgi|pl)$">
deny from all
</Files>
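
A way to check the .htaccess approach from the post above across a whole document root, as an added example that is not part of the original thread. The function name `audit_writable_dirs` and the status labels are made up here; it assumes PHP runs as an Apache module and a `find` that supports `-maxdepth`.

```shell
#!/bin/sh
# Added example, not from the thread: audit world-writable directories under a
# docroot against the ".htaccess with php_flag engine off" advice.
# Assumption: PHP is loaded as an Apache module, so php_flag is honoured.

# Prints one line per world-writable directory below the given docroot:
#   OK <dir>           .htaccess present and turns the PHP engine off
#   NO_HTACCESS <dir>  no .htaccess, nothing stops PHP running there
#   ENGINE_ON <dir>    .htaccess present but lacks "php_flag engine off"
# followed by "SCRIPT <file>" for each script-like file directly inside it.
audit_writable_dirs() {
    docroot=$1
    find "$docroot" -type d -perm -0002 | sort | while IFS= read -r dir; do
        ht="$dir/.htaccess"
        if [ ! -f "$ht" ]; then
            echo "NO_HTACCESS $dir"
        elif ! grep -Eiq '^[[:space:]]*php_flag[[:space:]]+engine[[:space:]]+(off|0)' "$ht"; then
            echo "ENGINE_ON $dir"
        else
            echo "OK $dir"
        fi
        # '*.php*' also catches names such as file.php5 or file.php.jpg
        find "$dir" -maxdepth 1 -type f \
            \( -name '*.php*' -o -name '*.phtml' -o -name '*.cgi' -o -name '*.pl' \) |
            sort | sed 's/^/SCRIPT /'
    done
}

# Stand-alone use: sh audit.sh /path/to/docroot
if [ "$#" -gt 0 ]; then
    audit_writable_dirs "$1"
fi
```

A process that can write to a 0777 directory can normally also replace the .htaccess inside it, so the same directives placed in a `<Directory>` block of the main server config hold up better than the per-directory file.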


Another consideration while everyone is "banging on" about you MUST use suPHP. (taken from a post by Doug Robbins).

Without suPHP

Without suPHP, intruders might gain write-access to all files and directories that are owned by "nobody" or are world-writable -- e.g. chmod xx6 for files or xx7 for directories.

With suPHP

Intruders might gain write-access to all files owned by the user.

If an exploit runs with permissions of the account owner, all files in the account are susceptible to being overwritten.

You might want to consider installing suhosin for added security.


Many thanks for your insight. I have read several other posts from you and others about how suPHP is slow, etc. I thought I'd test anyway and I gave up after reprovisioning my server; somehow I broke MySQL with suPHP hehe. I thought easier to reprovision than try to figure that mess out!

A couple questions though if you could enlighten me (us):

You recommend running PHP as an Apache module. Is this a speed recommendation, or does this affect the permissions issue? I thought I saw somewhere that it is on my site, but I'd have to check. How can I find out how it is running? phpinfo?

I've seen some places recommending 775. Is this any better than 777? I think I tried it at one point and it didn't work anyway.

The .htaccess code you give, that still doesn't block someone from uploading a file, right? Just running it? I'd like to avoid loading my site one day to find all my product pictures replaced with porn ;)

For now I'm just using FTP and assigning images with oscFileBrowser. Kind of a bummer but works fine.


--------------------------------

Justin

osC is awesome. Thanks everyone.
