This is a set of instructions for using PHP in CGI mode to support suexec. It has been in draft status since March 2004 but has been working stably on live servers without issue for 5+ years and has been declared live.

It is produced by Kevin A. McGrail (kmcgrail-phpsuexec@pccc.com).

URL: http://www.peregrinehw.com/downloads/apache/current/INSTALL-PHPSUEXEC

Comments welcome via the support mailing list -- http://mailman.pccc.com/mailman/listinfo.cgi/downloads

Synopsis: You can run PHP files as CGIs rather than through the Apache module, so that Apache's suexec facility keeps each program running as its own user. This provides one more level of security for virtual hosting servers.

REALLY IMPORTANT NOTE: Apache must be compiled with suexec capabilities AND PHP has to be compiled in SAPI CGI mode.

There are two different modes the PHP program can be installed as. The first is CLI, intended for general command-line server applications. The second is CGI, intended for web server applications. However, I wanted both the Apache module AND the CGI version. So, after following the instructions at http://www.peregrinehw.com/downloads/apache/current/ to install Apache/PHP/mySQL/modSSL/modPerl, I enabled CGI PHP by running the configure for PHP over again without the --with-apache (for Apache 1.X) or --with-apxs2 (for Apache 2.X) option. I then did a make and a make install, which installed the SAPI CGI version of PHP in /usr/local/bin/php. I would love to know how to configure PHP to install the module AND the CGI version of PHP instead of the CLI version.

You can find out which SAPI you have by checking the output of /usr/local/bin/php -v. For example:

    PHP 4.3.4 (cgi) (built: Mar 18 2004 01:53:09)
    Copyright (c) 1997-2003 The PHP Group
    Zend Engine v1.3.0, Copyright (c) 1998-2003 Zend Technologies

NOTE: If you are using PHP 5.2.3 or later, you will get a php-cgi binary instead of the CLI version being replaced.
OK, so assuming you have Apache compiled with suexec and you have the CGI version of PHP, you can now either make every single user modify their PHP files and add something like:

    #!/usr/local/bin/php

to the top of each PHP file, or you can use binfmt_misc to tell the kernel which interpreter to run for a file.

First, you must compile kernel support for binfmt_misc or load the module. Unfortunately, exact notes about how to do this are beyond the scope of this document. However, if you are using the module, don't forget to use a /etc/rc.d/rc.modules file to reload the binfmt_misc module when you reboot.

Next, add this line to /etc/fstab:

    none /proc/sys/fs/binfmt_misc binfmt_misc defaults 0 0

Now, mount it with this command:

    mount /proc/sys/fs/binfmt_misc

Fifth, add the entries that process the files. Register them in reverse order (later entries are processed first!) with these commands (based on information from Ian P. Christian, thanks!):

    cd /proc/sys/fs/binfmt_misc
    echo ':PHP3:E::php3::/usr/local/bin/php:' > register
    echo ':PHP4:E::php4::/usr/local/bin/php:' > register
    echo ':PHP:E::php::/usr/local/bin/php:' > register

Each line has the form :NAME:E::EXTENSION::INTERPRETER:, where type E means the kernel matches on the file's extension and hands the file to the named interpreter.

If you make a mistake, you remove an entry by echoing -1 to it, i.e.:

    echo -1 > /proc/sys/fs/binfmt_misc/PHP

NOTE: for PHP 5.2.3 or later, use php-cgi instead of php (the PHP5 entry must name the php5 extension):

    cd /proc/sys/fs/binfmt_misc
    echo ':PHP3:E::php3::/usr/local/bin/php-cgi:' > register
    echo ':PHP4:E::php4::/usr/local/bin/php-cgi:' > register
    echo ':PHP5:E::php5::/usr/local/bin/php-cgi:' > register
    echo ':PHP:E::php::/usr/local/bin/php-cgi:' > register

Sixth, try creating and running a simple PHP file:

    echo '' > /tmp/testcgi.php
    chmod +x /tmp/testcgi.php
    /tmp/testcgi.php

If the tests are successful, don't forget to modify /etc/rc.d/rc.local so this will happen each time you reboot the server!

Finally, if you want to use PHP scripts on your website, you will need to make sure they are executable with chmod +x! You also might need to modify your php.ini file to set the cgi.force_redirect directive to 0.
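The following script is an added example and is not part of the original document or its author's tooling. It ties together the two checks above: it parses the first line of php -v to confirm the binary really is the CGI SAPI (a CLI binary registered here would ignore the CGI environment Apache passes), and it builds, validates and registers the binfmt_misc entries, skipping names that are already present rather than failing on the kernel's duplicate-name error. The function names, the BINFMT_DIR, PHP_CGI and DRY_RUN variables and the "apply" argument are this example's own conventions; the defaults /proc/sys/fs/binfmt_misc and /usr/local/bin/php-cgi come from the text.

```shell
#!/bin/sh
# Added example, not part of the original document: checks that the PHP binary
# really is the CGI SAPI, then builds, validates and registers the binfmt_misc
# entries described above, skipping names that are already registered.
# Assumptions: the binfmt_misc filesystem is mounted at $BINFMT_DIR (default
# /proc/sys/fs/binfmt_misc) and $PHP_CGI is the CGI binary (default
# /usr/local/bin/php-cgi, the PHP 5.2.3+ name from the text).
set -u

BINFMT_DIR="${BINFMT_DIR:-/proc/sys/fs/binfmt_misc}"
PHP_CGI="${PHP_CGI:-/usr/local/bin/php-cgi}"

# php_sapi_from_version LINE -> the SAPI in parentheses on the first line of
# "php -v", e.g. "PHP 4.3.4 (cgi) (built: ...)" -> "cgi". Fails if absent.
php_sapi_from_version() {
    sapi=${1#*\(}
    sapi=${sapi%%\)*}
    [ -n "$sapi" ] && [ "$sapi" != "$1" ] && printf '%s\n' "$sapi"
}

# php_is_cgi PATH -> true when PATH runs and reports the cgi (or cgi-fcgi) SAPI.
php_is_cgi() {
    [ -x "$1" ] || return 1
    case "$(php_sapi_from_version "$("$1" -v 2>/dev/null | head -n 1)")" in
        cgi|cgi-fcgi) return 0 ;;
        *) return 1 ;;
    esac
}

# binfmt_entry NAME EXT INTERP -> prints ":NAME:E::EXT::INTERP:" on stdout.
# Fails when a field would break the colon-separated format, when the
# extension carries a leading dot, or when the interpreter is not an absolute
# path (binfmt_misc requires one).
binfmt_entry() {
    for f in "$1" "$2"; do
        case "$f" in ''|*:*|*/*|*[[:space:]]*) return 1 ;; esac
    done
    case "$2" in .*) return 1 ;; esac
    case "$3" in /*) ;; *) return 1 ;; esac
    case "$3" in *:*|*[[:space:]]*) return 1 ;; esac
    printf ':%s:E::%s::%s:\n' "$1" "$2" "$3"
}

# binfmt_registered NAME -> true if $BINFMT_DIR/NAME already exists.
binfmt_registered() {
    [ -e "$BINFMT_DIR/$1" ]
}

# binfmt_register NAME EXT INTERP: write the entry to the register file unless
# NAME is already registered (the kernel rejects a duplicate name).
# Unless DRY_RUN=0, the line is printed instead of written (safe default).
binfmt_register() {
    line=$(binfmt_entry "$1" "$2" "$3") || { echo "bad entry: $1 $2 $3" >&2; return 1; }
    if binfmt_registered "$1"; then
        echo "skip: $1 is already registered" >&2
        return 0
    fi
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$line"
    else
        printf '%s\n' "$line" > "$BINFMT_DIR/register"
    fi
}

# binfmt_unregister NAME: the "echo -1" removal from the text.
binfmt_unregister() {
    [ -e "$BINFMT_DIR/$1" ] && echo -1 > "$BINFMT_DIR/$1"
}

# register_php_handlers: the four entries from the text, in the text's order,
# all pointing at the same CGI binary.
register_php_handlers() {
    binfmt_register PHP3 php3 "$PHP_CGI" &&
    binfmt_register PHP4 php4 "$PHP_CGI" &&
    binfmt_register PHP5 php5 "$PHP_CGI" &&
    binfmt_register PHP  php  "$PHP_CGI"
}

# Stand-alone use:  sh register-php-binfmt.sh             (dry run, prints lines)
#                   DRY_RUN=0 sh register-php-binfmt.sh apply
if [ "${1:-}" = apply ]; then
    php_is_cgi "$PHP_CGI" || { echo "$PHP_CGI is not a CGI-SAPI php" >&2; exit 1; }
    [ -d "$BINFMT_DIR" ] || { echo "$BINFMT_DIR is not mounted" >&2; exit 1; }
    register_php_handlers
fi
```

Run it without arguments to see the lines it would write, then with DRY_RUN=0 and apply from rc.local. On cgi.force_redirect: that directive exists to stop the PHP CGI binary itself from being requested by URL through a cgi-bin or Action mapping; with binfmt_misc the request executes the script file and the binary never sits under a DocumentRoot, which is why the text can afford to set it to 0. Keep the php-cgi binary out of any directory Apache serves so that remains true.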
Because we installed both CGI and module mode, we can configure Apache to allow PHP in module or CGI mode on a case-by-case basis.

First, let's enable CGI mode by default. Edit your /usr/local/apache/conf/httpd.conf, comment out any AddType lines for PHP, and add this line instead:

    AddHandler cgi-script .php .php3 .php4 .php5

Then enable suexec on a virtual host by adding a user and group definition:

    User phw
    Group phw

Such as:

    # ServerAdmin root@peregrinehw.com
    DocumentRoot /htdocs/secure.peregrinehw.com/html
    ServerName secure.peregrinehw.com
    ErrorLog var/log/secure.peregrinehw.com-error_log
    CustomLog var/log/secure.peregrinehw.com-access_log combined env=!ban
    User phw
    Group phw

Now, you might want to disable PHP in CGI w/suexec mode for some locations. For example, phpMyAdmin doesn't seem to work with PHP in CGI w/suexec mode. So, you can add something such as:

    Options Includes ExecCGI FollowSymLinks
    RemoveHandler cgi-script .php .php3 .php4
    AddType application/x-httpd-php .php

If you have problems, check the virtual host's error log, the primary error log AND the suexec.log!
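As an added example that is not part of the original document, here is how the pieces above fit into one httpd.conf, with the per-directory exception for phpMyAdmin shown in its container. The hostname, paths and the phw user and group come from the text; the port, the phpmyadmin directory name and the file name are placeholders. Two caveats a practitioner will want: Apache 2.x no longer accepts User/Group inside a VirtualHost and uses mod_suexec's SuexecUserGroup instead, and suexec itself refuses to run a script unless the file and its directory are owned by the target user, writable by nobody else, and not setuid/setgid.

```apache
# Added example (not from the original document): a minimal httpd.conf layout
# for the per-host, per-directory choice described above. The port and the
# phpmyadmin directory are placeholders.

# Global default: every PHP file is handed to the kernel as a CGI program,
# so binfmt_misc picks the interpreter and suexec picks the user.
AddHandler cgi-script .php .php3 .php4 .php5

<VirtualHost *:80>
    ServerName  secure.peregrinehw.com
    DocumentRoot /htdocs/secure.peregrinehw.com/html
    ErrorLog    var/log/secure.peregrinehw.com-error_log
    CustomLog   var/log/secure.peregrinehw.com-access_log combined env=!ban

    # Apache 1.3 form used by the text:
    User  phw
    Group phw
    # Apache 2.x form (mod_suexec), use instead of the two lines above:
    # SuexecUserGroup phw phw

    <Directory /htdocs/secure.peregrinehw.com/html>
        # ExecCGI is needed for the cgi-script handler to execute the file;
        # suexec additionally checks that the file and this directory are
        # owned by phw and not writable by group or other.
        Options ExecCGI
        AllowOverride None
    </Directory>

    # Exception: run phpMyAdmin through mod_php as the Apache user.
    <Directory /htdocs/secure.peregrinehw.com/html/phpmyadmin>
        RemoveHandler cgi-script .php .php3 .php4 .php5
        AddType application/x-httpd-php .php
    </Directory>
</VirtualHost>
```

Anything placed under the mod_php exception runs as the Apache user rather than as phw, so a script there can read whatever that user can reach across every host on the server; keep that directory small and known, and when a CGI script refuses to run, read suexec.log first, since it records exactly which ownership or permission check failed.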