ITS Web Resources
Secure PHP Pages with SUPHP
Creating secure websites with PHP requires attention to detail and some understanding of the possible risks. SUPHP is one tool to make it easier for Web developers on ITS-managed systems to secure their sites.
For PHP applications to access MySQL databases or upload (write) files to site folder(s), the file and/or directory access permissions almost always need to be set open enough for the application to do its work. Unfortunately, this also allows any user with access to the Web server to read and/or modify files. Website vandals take advantage of this exploit to modify both the user's own website and other sites on the same server.
With SUPHP, the file permissions can then be set so that only the user can read the file, and the SUPHP page can write in any location where the owner can write.
Note: If you need a generalized CGI solution for your web pages please see our SUCGI page.
Get Started with SUPHP
- Replace the
.phpfile extension with the
- Make sure the file owner id matches your computing ID.
- Set file permission(s) to allow read access only by you (e.g.,
chmod 600 filename.suphp).
Note: If you're using a package downloaded from the Internet, you will need to analyze the files
provided. Rename files as mentioned above, and then go through all of the remaining code to replace
filename.php with references to
If renaming with
.suphp file extension is not possible, you can modify the way the Web
server handles all files in your directory with the
.php file extension by adding the following
.htaccess file in the directory:
AddHandler su-php-script .php
The other requirements of SUPHP still apply. Note that using this means that all PHP programs anywhere under this directory will now run as CGI through the SUPHP interface.
- The PHP script must be valid PHP 5. The suphp module runs PHP 5 rather than the standard PHP on the server (on most ITS maintained machines the standard PHP is version 4).
- The PHP file must have the
.suphpextension unless using the
AddHandlerdirective described above.
- The file must be saved in the standard Web server document areas:
/www/doc_ssl/, the user's public_html directory, or sub-directories within these locations.
- The reference cannot be made via a symbolic link to the file.
- The file must have owner permission to read set (e.g.,
chmod u+r filename.suphpor
chmod 400 filename.suphp).
- The file can allow writing by the owner and the owner's group subject to limitations below.
- The directory containing the file can be writeable by the owner and the group, but not by any other users.
- The file itself and the directory it is in must have matching group ownership. (When accessed by the Web server, the file will be run using the user and group ownership of the file). The user id that owns the file may or may not be the same as the id that owns the directory, but both must belong to the group that owns the file and directory.
- The file must not have UNIX file permissions set to force the user id or group id when run.
The user id and group id of the files and directories need to meet additional restrictions:
- The user id must be a member of the group id used.
- The user id cannot be in the list of administrative ids (those which have a numerical version of the id less than 500).
- The group id cannot be in the list of administrative groups (those with have a numerical version of the id less than 100.
idcommand on a UNIX host will give you the numeric versions of your [owner] ID and the numeric ids for groups to which you belong.
Managing Access Permissions and Ownership
- Permissions (read/write/execute) can be changed from the Home Directory Administrative Interface.
- User ownership can only be changed by the system administrator or by removing files and having the correct owner create them.
- Group ownership can be changed with the
chgrpcommand when logged into a UNIX server.
- If your standard UNIX group is usr (which is common for many users), you will need to create a new group with MyGroups. Add yourself as a member to that group.
Moving PHP Configuration out of .htaccess Files
SUPHP does not see PHP configurations in .htaccess files, such as
You need to move these into the PHP script itself, using the PHP
ini_set() function. For example,
php_flag register_globals Onin .htaccess to
ini_set("register_globals", "On");in your PHP script.
php_value include_path "dir1:dir2"in .htaccess to
ini_set("include_path", "dir1:dir2");in your PHP script.
Using SUPHP with NetBadge Authentication
If your SUPHP script is authenticated by NetBadge,
then the user will be required to login, but your SUPHP script will not
receive the user name in
$_SERVER['REMOTE_USER']. This happens because your script is run
with unauthenticated SUPHP, which is the default. To fix this problem, you must put these lines in
your .htaccess file to use NetBadge authenticated SUPHP.
Action su-php-script /server-cgi/netbadge/suphp PubcookieAppId sunetbadge
(Remove any other PubcookieAppId lines.)