
Installing suPHP on Debian

Posted by 秦海传媒

    I installed suphp with APT, but the suPHP_UserGroup directive could not be used.

    apt-get install libapache2-mod-suphp

    The error is as follows:

    Invalid command 'suPHP_UserGroup', perhaps misspelled or defined by a module not included in the server configuration

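    The reason is that the apt package does not support suPHP_UserGroup, so suphp has to be installed from source. I searched for a whole afternoon without finding a single correct result, and finally found the answer in an English-language guide. The original text is reproduced at the end of this post; here is a brief description of how to install it.

    Original URL: http://kb.acenet.us/LAMP_Server_Installation_Guide_on_Debian_6_(Squeeze)
    The English text is as follows: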
    If you have properly pointed the DNS for your domain, you should now be able to visit your website in a browser and have your content served from your new Debian LAMP server.

    Install suPHP

    After getting your site up and running, we generally advise that suPHP be enabled for additional security.
    suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of the process executing the PHP interpreter. suPHP helps increase the security of your server. With scripts run as the owner, abusive processes can more easily be tracked back to a given user. Stricter script permissions are enforced since scripts are no longer run as the apache user.
    We’ll now show you how to install suPHP on your Debian 6 server with the package manually compiled from source. suPHP has three different modes of operation which must be specified at compile time:

    owner: Run scripts with owner UID/GID
    force: Run scripts with UID/GID specified in Apache configuration
    paranoid: Run scripts with owner UID/GID but also check if they match the UID/GID specified in the Apache configuration

    The suPHP documentation states:
    "The default is "paranoid" mode. You should *NEVER* use "force" mode as it is very dangerous.
    While "owner" mode is not as dangerous as "force" mode its use is disadvised and
    "paranoid" mode should be preferred."

    In this guide we manually compile suPHP, but there is a pre-built package available for apt-get. This package is libapache2-mod-suphp.
    Although suPHP states that the default mode is “paranoid”, the libapache2-mod-suphp package is installed in “owner” mode by default. When suPHP is installed in “owner” mode, the directive suPHP_UserGroup, which is required for “force” or “paranoid” mode, is not recognized. When attempting to use the suPHP_UserGroup directive with suPHP in “owner” mode, you will encounter this error while restarting apache2:

    Invalid command 'suPHP_UserGroup', perhaps misspelled or defined by a module not included in the server configuration

    For this reason, we opt to install suPHP directly from source rather than use the pre-compiled Debian package.

    Install suPHP Prerequisites

    apt-get install apache2-prefork-dev make gcc g++ php5-cgi wget

    Disable PHP5
    We’re changing the interpreter that handles PHP scripts, so we need to disable PHP5.

    a2dismod php5

    Installation
    Download suPHP
    Get the suPHP source. The current version is 0.7.1.

    cd /
    wget http://suphp.org/download/suphp-0.7.1.tar.gz
    tar -zxf suphp-0.7.1.tar.gz
    cd suphp-0.7.1

    Compile suPHP
    This will configure suPHP to use /etc as the configuration directory and set the mode to “paranoid”.

    ./configure --prefix=/usr --sysconfdir=/etc --with-apache-user=www-data --with-setid-mode=paranoid --with-apxs=/usr/bin/apxs2
    make
    make install
    

    Copy the suphp.conf file
    The suPHP package comes with an example suphp.conf file. We’re going to copy this to /etc.

    cp /suphp-0.7.1/doc/suphp.conf-example /etc/suphp.conf
    

    Clean up our installation files

    rm -rf /suphp-0.7.1
    rm -rf /suphp-0.7.1.tar.gz
    

    Configuring suphp.conf
    Let’s modify /etc/suphp.conf for our server environment. Open the config file in your favorite editor. Throughout the course of this guide, we’ll use nano.

    nano /etc/suphp.conf
    

    Change the line:

    webserver_user=wwwrun

    to:

    webserver_user=www-data

    Change the line:

    x-httpd-php="php:/usr/bin/php"
    

    to:

    application/x-httpd-suphp="php:/usr/bin/php-cgi"
    

    Loading suPHP in apache2

    suphp.load
    Create a suphp.load file for apache2:

    nano /etc/apache2/mods-available/suphp.load

    Place this line in the file and save:

    LoadModule suphp_module /usr/lib/apache2/modules/mod_suphp.so

    apache2 suPHP config file
    Create an apache2 conf file for suPHP:

    nano /etc/apache2/mods-available/suphp.conf

    Place these lines in the file and save.

    <IfModule mod_suphp.c>
      AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
      suPHP_AddHandler application/x-httpd-suphp

      <Directory />
        suPHP_Engine on
      </Directory>

      # By default, disable suPHP for debian packaged web applications as files
      # are owned by root and cannot be executed by suPHP because of min_uid.
      <Directory /usr/share>
        suPHP_Engine off
      </Directory>

      # Use a specific php config file (a dir which contains a php.ini file)
      #       suPHP_ConfigPath /etc/php4/cgi/suphp/
      #
      # Tells mod_suphp NOT to handle requests with the type <mime-type>.
      #       suPHP_RemoveHandler <mime-type>
    </IfModule>
    
    

    Enable suPHP in apache2

    a2enmod suphp

    We now need to edit our site’s VirtualHost entry to include the suPHP_UserGroup directive. Continuing from our previous guide, our site is called mywebsite.example.com. Our username is ‘mywebsite’. We’re going to edit the appropriate apache2 Virtual Host file:

    nano /etc/apache2/sites-available/mywebsite.example.com

    Within this file, before the closing </VirtualHost> tag at the bottom, add the following:

    suPHP_UserGroup mywebsite mywebsite
    
    

    Restart Apache

    service apache2 restart
    

    At this point, suPHP is enabled and active. Let’s create a test php file in our directory to ensure it’s working properly. Again, we’re going to use the document root as described in our LAMP setup tutorial.

    Testing suPHP

    Create the PHP file for testing

    nano /home/mywebsite/public_html/index.php
    

    Enter this line and save:

    <?php echo 'whoim = '.exec('/usr/bin/whoami'); ?>
    

    chown the file properly. We’re using the username ‘mywebsite’ in this example.

    chown mywebsite:mywebsite /home/mywebsite/public_html/index.php

    You should now be able to navigate to this file in a browser and see the output. In our case, we visit mywebsite.example.com and can see:

    whoim = mywebsite

    This shows us that the PHP script is running as the user ‘mywebsite’ instead of the Apache user ‘www-data’.
    suPHP is now installed and ready for use.
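
An added pre-flight check for the “paranoid” mode described above (not part of the original guide or of suPHP): it lists PHP scripts under a document root whose owner or group differs from the suPHP_UserGroup pair, plus group- or world-writable scripts and directories. It assumes GNU find as shipped on Debian; the function name is hypothetical, and the writable-bit checks assume the allow_*_writeable=false settings of the example suphp.conf.

```shell
#!/bin/sh
# Added example: audit a docroot before relying on suPHP "paranoid" mode.
# Usage: sh suphp_audit.sh /home/mywebsite/public_html mywebsite mywebsite
# suphp_paranoid_audit is a hypothetical helper name, not a suPHP tool.
# Returns 0 when clean, 1 when findings were printed, 2 on a bad docroot.
suphp_paranoid_audit() {
    docroot=$1; want_user=$2; want_group=$3
    if [ ! -d "$docroot" ]; then
        echo "not a directory: $docroot" >&2
        return 2
    fi
    findings=$(
        # GNU find prints owner, group, octal mode and path of each script.
        find "$docroot" -type f -name '*.php' -printf '%u %g %m %p\n' |
        while read -r owner group mode path; do
            # Paranoid mode: script owner must match suPHP_UserGroup.
            [ "$owner" = "$want_user" ] ||
                echo "OWNER-MISMATCH $path (owner $owner, expected $want_user)"
            [ "$group" = "$want_group" ] ||
                echo "GROUP-MISMATCH $path (group $group, expected $want_group)"
            # Assumed suphp.conf policy: no group/other write bit on scripts.
            [ $(( 0$mode & 022 )) -eq 0 ] ||
                echo "WRITABLE-FILE $path (mode $mode)"
        done
        # Same assumed policy for directories below the docroot.
        find "$docroot" -type d -perm /022 -printf 'WRITABLE-DIR %p (mode %m)\n'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run the audit only when called with DOCROOT USER GROUP.
if [ $# -eq 3 ]; then
    suphp_paranoid_audit "$@"
fi
```
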


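Unless otherwise stated, articles on this site are licensed under the Creative Commons Attribution-NonCommercial 2.5 China Mainland license. Copyright © 2008-2012 99288.NET.CN.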