How to protect/secure php.ini with SuPHP?
May 7, 2010
When Apache serves PHP through CGI/suPHP, users can create their own php.ini file under their home directory and change PHP values as they wish.
This raises security concerns on the server, so to protect/secure php.ini on suPHP-enabled servers, force every user to use a common php.ini file.
This is done by defining the path of the server-side php.ini file with the suPHP_ConfigPath directive. To force users onto the server-side php.ini file, create suphp_configpath.conf:
# pico /usr/local/apache/conf/userdata/suphp_configpath.conf
and add the following lines:
<IfModule mod_suphp.c>
    <Location />
        suPHP_ConfigPath /usr/local/lib/
    </Location>
</IfModule>
Once done, save the file and rebuild the Apache configuration so it picks up the changes.
# /usr/local/cpanel/bin/apache_conf_distiller --update --main
# /usr/local/cpanel/bin/build_apache_conf
To verify the include files, execute:
# /scripts/verify_vhost_includes
It will display the path of the .conf file you created. Then restart the Apache service:
# /scripts/restartsrv httpd
This ensures that all users use the server-side PHP configuration file. If you wish to keep php.ini elsewhere, just change the value of “suPHP_ConfigPath” and follow the above steps.
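A follow-up check for the steps above, as an added example that is not part of the original post: it reads the forced suPHP_ConfigPath back out of the include file and lists the per-user php.ini and .htaccess overrides left in account directories. The function names and the sample tree (users alice and bob) are constructed for illustration.

```shell
#!/bin/sh
# Added audit helper (not from the original post).

# Print the suPHP_ConfigPath value set inside <Location /> in conf file $1.
# Exit status 1 when the directive is missing.
forced_config_path() {
    awk '
        tolower($1) == "<location" && $2 == "/>"    { in_loc = 1; next }
        tolower($1) == "</location>"                { in_loc = 0; next }
        in_loc && tolower($1) == "suphp_configpath" { print $2; found = 1 }
        END { exit !found }
    ' "$1"
}

# List per-user override attempts under home root $1: php.ini files, and
# .htaccess files that set suPHP_ConfigPath themselves.
find_user_overrides() {
    {
        find "$1" -type f -name php.ini
        find "$1" -type f -name .htaccess \
            -exec grep -il '^[[:space:]]*suPHP_ConfigPath' {} + || true
    } | sort
}

# Constructed sample tree (no real accounts): the include plus two homes.
build_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/conf" "$d/home/alice/public_html" "$d/home/bob/public_html"
    cat > "$d/conf/suphp_configpath.conf" <<'EOF'
<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath /usr/local/lib/
</Location>
</IfModule>
EOF
    echo 'disable_functions =' > "$d/home/alice/public_html/php.ini"
    echo 'suPHP_ConfigPath /home/bob/public_html' > "$d/home/bob/public_html/.htaccess"
    echo "$d"
}

demo=$(build_demo)
echo "Forced php.ini directory: $(forced_config_path "$demo/conf/suphp_configpath.conf")"
echo "Per-user override attempts to review:"
find_user_overrides "$demo/home"
rm -rf "$demo"
```

On the server itself, point forced_config_path at /usr/local/apache/conf/userdata/suphp_configpath.conf and find_user_overrides at the directory holding the account home directories (commonly /home, which is an assumption here).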