DSO to SuPHP permissions problems and how to fix them

SuPHP is a CGI-based handler for PHP, usually run using the suEXEC Apache feature. This means that your PHP scripts are run using your Linux user account’s privileges, but everything else is usually accessed using Apache’s anonymous account – usually called nobody.

Running PHP as a DSO Apache module, on the other hand, runs both your PHP scripts and normal files using Apache’s anonymous nobody user.

DSO is generally not used by hosting companies as it presents a number of security issues. Of course, SuPHP isn’t perfect either, but on balance SuPHP offers a more robust way of separating users’ accounts. SuPHP is now quite an old project and is no longer being actively developed (as of 2014). However, it is still popular with many hosting companies.

Most people run into the major differences between these two systems when they migrate from a DSO based host to an SuPHP or FastCGI host (FastCGI is similar to SuPHP in terms of permissions and ownership and is rapidly replacing it). Without correcting permissions and ownerships on files and directories, your website isn’t going to run.

Fixing SuPHP permissions problems from DSO to SuPHP

Under DSO, files and directories are usually owned by your user account and belong to the nobody group. Under SuPHP both your files and directories are owned by the user account AND belong to the user account’s group.

Therefore for Apache to read a file it is necessary to make the file readable by the anonymous nobody account. The same goes for directories (which also need to be executable). Therefore under SuPHP, normal files should be chmod 644 and directories should be chmod 755.

However, we don’t want the nobody user to be able to see our PHP files. This is fine, because under SuPHP, PHP files are accessed using the user account’s privileges. Therefore PHP files can and should be chmod 600 (but 640 or 660 is acceptable, although not quite as secure) because we only need to provide read/write permissions to the user – the group and the world don’t matter.

SuPHP guards against PHP files that are world readable or group read/writable by refusing to run the script at all.

Therefore moving from a hosting provider that runs PHP as DSO to one that uses SuPHP can require a little corrective work to your file and directory permissions, but these problems are easily fixed by running these shell commands one after the other from the root directory of your website.

This will set all of your PHP files to chmod 600, any other files to chmod 644, and all of your directories to chmod 755. These are the correct permissions for SuPHP.
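
The permission layout described above can be applied with `find` and `chmod`. The script below is an added example, not the author's original commands; the function names `fix_suphp_perms` and `audit_suphp_perms` are hypothetical, and it adds an audit pass that lists anything still deviating from the layout.

```shell
#!/bin/sh
# Added example: apply and verify the SuPHP permission layout
# (directories 755, *.php 600, every other regular file 644).
# fix_suphp_perms and audit_suphp_perms are hypothetical helper names.
#
# Usage, from the root directory of the website:
#   fix_suphp_perms . && audit_suphp_perms .

fix_suphp_perms() {
    root=${1:-.}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }

    # One chmod per directory, so a directory is corrected as find visits it.
    # find does not follow symlinks by default, so links that point outside
    # the site root are left untouched.
    find "$root" -type d -exec chmod 755 {} \;

    # PHP scripts: read/write for the owning user only.
    find "$root" -type f -name '*.php' -exec chmod 600 {} +

    # Everything else must stay readable by Apache's nobody account.
    find "$root" -type f ! -name '*.php' -exec chmod 644 {} +
}

# Print every path whose mode differs from the layout.
# Returns 0 when the tree is clean, 1 when at least one path deviates.
audit_suphp_perms() {
    root=${1:-.}
    bad=$(
        find "$root" -type d ! -perm 755
        find "$root" -type f -name '*.php' ! -perm 600
        find "$root" -type f ! -name '*.php' ! -perm 644
    )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}
```

Only files ending in `.php` are treated as scripts here; if the host maps other extensions to PHP, add matching `-name` tests.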
