How to protect/secure php.ini with SuPHP?

When Apache is compiled as CGI/SuPHP, it allows users to create their own php.ini file under their home directory and modify the php values as per their wish.

This may increase security concerns on the server and hence to protect/secure php.ini in SuPHP enabled servers, force every user to use a common php.ini file.

This can be achieved by defining the path of server side php.ini file using suPHP_ConfigPath directive. To force users to use server side php.ini file, create suphp_configpath.conf

# pico /usr/local/apache/conf/userdata/suphp_configpath.conf

and add the following lines

<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath /usr/local/lib/
</Location>
</IfModule>

Once done, save the file and rebuild the Apache configuration so it picks up the changes.

# /usr/local/cpanel/bin/apache_conf_distiller --update --main
# /usr/local/cpanel/bin/build_apache_conf

To verify the include files, execute:

# /scripts/verify_vhost_includes

It will display the path of the .conf file you created. Restart the Apache service once

# /scripts/restartsrv httpd

This will ensure all the users use the server side php configuration file. If you wish to keep the php.ini elsewhere, just change the value of “suPHP_ConfigPath” and follow the above steps.

This entry was posted on Friday, May 7th, 2010 and is filed under cPanel Management. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

Comments are closed.