PHP5 Module Setuid process
C
Switch branches/tags
Nothing to show
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
bin
src
.gitattributes
LICENSE
README
index.html

README

DESCRIPTION :
The suphp module is changing the php process UID to match the called script's UID. This is very useful in hosting environment with different users that should be isolated from each-other.

Consider using the mod_override to fill potential security risks in multi-user hosting environment.

INSTALL :
1) copy the suphp.so in your php modules directory
2) chown root the php executable
3) chmod +s the php executable
4) default configuration is :
	- enabled : true
	- min_uid : 33
	- use_effective : false
	- chown_updates : true

CONFIIGURATION :
* enabled : [boolean] whether the module is enabled or not
* min_uid : [integer] the minimim allowed UID. If trying to access a file with a lower UID, the request is aborted
* use_effective : [boolean] use seteuid/setegid instead of setuid/setgid. Warning, this has serious implications : setuid cannot come back to another UID, so for fcgi mode, you should use_effective = true. But this has serious drawback : some low level file access only recognizes the real UID, and not the EUID (this is supposed to be a feature). So if fcgi => euid else => uid !
* chown_uploads : [boolean] at the beginning of every request, the module checks for uploads, turn to root, chown the uploads to the proper UID, then only change the process UID

COMPILING :
(fast note debug)
cd src
phpize
./configure --enable-suphp CFLAGS='-g -O0 -Wall'
make
cp modules/suphp.so /usr/lib/php5/201xxx/

(to clean all)
phpize --clean