{"id":514,"date":"2011-01-12T19:00:04","date_gmt":"2011-01-12T17:00:04","guid":{"rendered":"http:\/\/www.shukko.com\/x3\/?p=514"},"modified":"2011-01-12T19:00:13","modified_gmt":"2011-01-12T17:00:13","slug":"howto-php-5-cli-to-php-5-cgi-suphp-directadmin","status":"publish","type":"post","link":"https:\/\/www.shukko.com\/x3\/2011\/01\/12\/howto-php-5-cli-to-php-5-cgi-suphp-directadmin\/","title":{"rendered":"HOWTO: PHP 5 CLI to PHP 5 CGI + suPHP Directadmin"},"content":{"rendered":"
Orjinal Link: http:\/\/www.directadmin.com\/forum\/showthread.php?t=29483&highlight=howto+cgi<\/div>\n
HOWTO: PHP 5 CLI to PHP 5 CGI + suPHP<\/strong><\/div>\n
\n
I recently decided to switch from using PHP CLI to CGI mode with suPHP. Here are the steps I followed to ensure everything was working. Let me know if you spot any flaws or know of a better way of doing this.<\/p>\n

NOTE: I am continually updating this post. It is safe to assume that all posts which mention improvements\/security fixes have been included where relevant if they were posted before the last time this post was edited. (See bottom of this post for timestamp)<\/p>\n

Ok, lets get started..<\/p>\n

suPHP doesn’t allow the use of php_flag and php_value in .htaccess files, so find users with these setup and deal with them (or their sites will throw a 500 error)<\/p>\n

\n
Code:<\/div>\n
find \/home\/*\/domains\/*\/public_html -name \".htaccess\" | xargs grep \"php_\"<\/pre>\n<\/div>\n
Once you have dealt with those sites, suPHP should be good to go..<\/p>\n
Edit the custombuild options file to use PHP in CGI mode<\/p>\n
\n
Code:<\/div>\n
cd \/usr\/local\/directadmin\/custombuild\r\n.\/build update\r\n.\/build clean\r\nnano options.conf<\/pre>\n<\/div>\n
and change<\/p>\n
\n
Code:<\/div>\n
php5_cli=yes\r\nphp5_cgi=no<\/pre>\n<\/div>\n
to<\/p>\n
\n
Code:<\/div>\n
php5_cli=no\r\nphp5_cgi=yes<\/pre>\n<\/div>\n
If you need a custom config of PHP or suPHP then you can find which config files to change using:<\/p>\n
\n
Code:<\/div>\n
.\/build used_configs<\/pre>\n<\/div>\n
Now we can build PHP<\/p>\n
\n
Code:<\/div>\n
.\/build php<\/pre>\n<\/div>\n
Ensure the new php.ini is correct.. the old one was located at \/usr\/local\/lib\/php.ini<\/p>\n
\n
Code:<\/div>\n
nano \/usr\/local\/etc\/php5\/cgi\/php.ini<\/pre>\n<\/div>\n
It might be worth using custombuild to secure php some more. Using  secure_php disables register_globals and adds some potentially  vulnerable functions to the disable_functions list in the main php.ini  file. These can be overridden on an individual basis per user if need be  in their individual php.ini files<\/p>\n
\n
Code:<\/div>\n
.\/build secure_php<\/pre>\n<\/div>\n
We need to reset ownership of files as suPHP won’t allow access to ones owned by apache (they way the CLI version of PHP works)<\/p>\n
\n
Code:<\/div>\n
ls -l \/home | grep '^d' | awk '{system(\"chown -R \" $3 \":\" $4 \" \/home\/\" $9 \"\/domains\")}'<\/pre>\n<\/div>\n
Sessions will also have wrong ownership or now be corrupt so remove those<\/p>\n
\n
Code:<\/div>\n
rm -f \/tmp\/sess_*<\/pre>\n<\/div>\n
Sites which have files or directories with global write access  will also cause suPHP to throw an error, therefore change all files to  644 and directories to 755<\/p>\n
\n
Code:<\/div>\n
find \/home\/*\/domains\/*\/public_html -type f -exec chmod 0644 {} \\; -print\r\nfind \/home\/*\/domains\/*\/private_html -type f -exec chmod 0644 {} \\; -print\r\nfind \/home\/*\/domains\/*\/public_html -type d -exec chmod 0755 {} \\; -print\r\nfind \/home\/*\/domains\/*\/private_html -type d -exec chmod 0755 {} \\; -print<\/pre>\n<\/div>\n
perl and cgi scripts need execute permissions though<\/p>\n
\n
Code:<\/div>\n
find \/home\/*\/domains\/*\/public_html -name \"*.pl\" -exec chmod 0744 {} \\; -print\r\nfind \/home\/*\/domains\/*\/private_html -name \"*.pl\" -exec chmod 0744 {} \\; -print\r\nfind \/home\/*\/domains\/*\/public_html -name \"*.cgi\" -exec chmod 0744 {} \\; -print\r\nfind \/home\/*\/domains\/*\/private_html -name \"*.cgi\" -exec chmod 0744 {} \\; -print<\/pre>\n<\/div>\n
Make sure webmail and phpMyAdmin work by resetting their ownership and permissions also<\/p>\n
\n
Code:<\/div>\n
chown -R webapps:webapps \/var\/www\/html\r\nfind \/var\/www\/html -type f -exec chmod 0644 {} \\; -print\r\nfind \/var\/www\/html -type d -exec chmod 0755 {} \\; -print\r\nfind \/var\/www\/html -name \"*.pl\" -exec chmod 0744 {} \\; -print\r\nfind \/var\/www\/html -name \"*.cgi\" -exec chmod 0744 {} \\; -print<\/pre>\n<\/div>\n
Now lets enable open_basedir per user, and create user’s own tmp  directories to make the server more secure. (I realize that I have done  this on a per user basis rather than per domain, it should be straight  forward to change if you do want it per domain)<\/p>\n
automate creation of per user php.ini for new users (make sure the chown refers to your DirectAdmin user)<\/p>\n
\n
Code:<\/div>\n
touch \/usr\/local\/directadmin\/scripts\/custom\/user_create_post.sh\r\nchmod 755 \/usr\/local\/directadmin\/scripts\/custom\/user_create_post.sh\r\nchown diradmin:diradmin \/usr\/local\/directadmin\/scripts\/custom\/user_create_post.sh\r\nnano \/usr\/local\/directadmin\/scripts\/custom\/user_create_post.sh<\/pre>\n<\/div>\n
use the following shell script:<\/p>\n
\n
Code:<\/div>\n
#!\/bin\/sh\r\n\r\nmkdir \/usr\/local\/directadmin\/data\/users\/$username\/php\/\r\nchown $username:$username \/usr\/local\/directadmin\/data\/users\/$username\/php\/\r\ntouch \/usr\/local\/directadmin\/data\/users\/$username\/php\/php.ini\r\necho \"open_basedir = \/home\/$username\/:\/tmp\/\" >> \/usr\/local\/directadmin\/data\/users\/$username\/php\/php.ini\r\nchown root:root \/usr\/local\/directadmin\/data\/users\/$username\/php\/php.ini\r\nchattr +i \/usr\/local\/directadmin\/data\/users\/$username\/php\/\r\n\r\nexit 0;<\/pre>\n<\/div>\n
note that in the above script you may need to alter the  open_basedir setting to add allowed paths (e.g. PHP’s pear modules  \/usr\/local\/php5\/lib\/php) depending on your server setup<\/p>\n
in order to remove the user completely we need to release the chattr +i  on the php.ini config directory first (make sure the chown refers to  your DirectAdmin user)<\/p>\n
\n
Code:<\/div>\n
touch \/usr\/local\/directadmin\/scripts\/custom\/user_destroy_pre.sh\r\nchmod 755 \/usr\/local\/directadmin\/scripts\/custom\/user_destroy_pre.sh\r\nchown diradmin:diradmin \/usr\/local\/directadmin\/scripts\/custom\/user_destroy_pre.sh\r\nnano \/usr\/local\/directadmin\/scripts\/custom\/user_destroy_pre.sh<\/pre>\n<\/div>\n
use the following shell script:<\/p>\n
\n
Code:<\/div>\n
#!\/bin\/sh\r\n\r\nchattr -i \/usr\/local\/directadmin\/data\/users\/$username\/php\/\r\n\r\nexit 0;<\/pre>\n<\/div>\n
create php.ini files for current users<\/p>\n
\n
Code:<\/div>\n
ls -l \/home | grep '^d' | awk '{system(\"username=\"$3\" \/usr\/local\/directadmin\/scripts\/custom\/user_create_post.sh\")}'<\/pre>\n<\/div>\n
copy VirtualHost templates to custom directory so they are not overwritten when DirectAdmin updates<\/p>\n
\n
Code:<\/div>\n
cp \/usr\/local\/directadmin\/data\/templates\/virtual_host2* \/usr\/local\/directadmin\/data\/templates\/custom\/<\/pre>\n<\/div>\n
change VirtualHost containers to look for php.ini override<\/p>\n
\n
Code:<\/div>\n
nano \/usr\/local\/directadmin\/data\/templates\/custom\/virtual_host2.conf\r\nnano \/usr\/local\/directadmin\/data\/templates\/custom\/virtual_host2_sub.conf\r\nnano \/usr\/local\/directadmin\/data\/templates\/custom\/virtual_host2_secure.conf\r\nnano \/usr\/local\/directadmin\/data\/templates\/custom\/virtual_host2_secure_sub.conf<\/pre>\n<\/div>\n
add this after the ErrorLog<\/p>\n
\n
Code:<\/div>\n
|*if SUPHP=\"1\"|\r\n        SetEnv PHP_INI_SCAN_DIR \/usr\/local\/directadmin\/data\/users\/|USER|\/php\/\r\n|*endif|<\/pre>\n<\/div>\n
rewrite httpd configs for current users<\/p>\n
\n
Code:<\/div>\n
echo \"action=rewrite&value=httpd\" >> \/usr\/local\/directadmin\/data\/task.queue<\/pre>\n<\/div>\n
To make sure webmail and phpMyAdmin work, set open_basedir in the global php.ini which will apply to webapps.<\/p>\n
\n
Code:<\/div>\n
nano \/usr\/local\/etc\/php5\/cgi\/php.ini<\/pre>\n<\/div>\n
find the open_basedir line and change to:<\/p>\n
\n
Code:<\/div>\n
open_basedir = \/var\/www\/html\/:\/tmp\/<\/pre>\n<\/div>\n
Then change the httpd.conf file to make sure the php.ini file isn’t overridden by user’s specific php.ini files:<\/p>\n
\n
Code:<\/div>\n
nano \/etc\/httpd\/conf\/httpd.conf<\/pre>\n<\/div>\n
find the <IfModule mod_suphp.c> section within the <Directory “\/var\/www\/html”> block and change to:<\/p>\n
\n
Code:<\/div>\n
   <IfModule mod_suphp.c>\r\n        suPHP_Engine On\r\n        suPHP_UserGroup webapps webapps\r\n        SetEnv PHP_INI_SCAN_DIR\r\n   <\/IfModule><\/pre>\n<\/div>\n
That should be the lot, make sure Apache is restarted.<\/p>\n
\n
Code:<\/div>\n
service httpd restart<\/pre>\n<\/div>\n
Hopefully everything is working!<\/p>\n
Notes
\n—–<\/p>\n
If a customer wants to use cronjobs they need to add the php.ini in the cron command:<\/p>\n
\n
Code:<\/div>\n
\/usr\/local\/bin\/php -c \/usr\/local\/directadmin\/data\/users\/accountname\/php\/php.ini \/home\/accountname\/domains\/domainname\/public_html\/filetocron.php<\/pre>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
Orjinal Link: http:\/\/www.directadmin.com\/forum\/showthread.php?t=29483&highlight=howto+cgi HOWTO: PHP 5 CLI to PHP 5 CGI + suPHP I recently decided to switch from using PHP CLI to CGI mode with suPHP. Here are the steps I followed to ensure everything was working. Let me know if you spot any flaws or know of a better way of doing this. […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-514","post","type-post","status-publish","format-standard","hentry","category-kategerisiz"],"_links":{"self":[{"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/posts\/514","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/comments?post=514"}],"version-history":[{"count":2,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/posts\/514\/revisions"}],"predecessor-version":[{"id":516,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/posts\/514\/revisions\/516"}],"wp:attachment":[{"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/media?parent=514"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/categories?post=514"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/tags?post=514"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}