How-to Enable SuPHP in cPanel

SuPHP is strongly recommended by NDC Host due to the inherent security of the module. PHP scripts normally run as the user the webserver runs as (nobody); SuPHP instead runs them as the effective owner of the PHP file itself, which in most cases is the cPanel user. The advantage is not only security: permissions can also be tightened on files/directories that PHP needs write/execute access to. For instance, consider a typical Joomla setup: the cache directory, among others, needs to be writable by the webserver user, which by default in cPanel is “nobody”. Without SuPHP there are two ways to achieve this:

  • The less secure: chmod the directory to 0777 to give world read/write/execute permission. VERY insecure as anyone can write anything here.
  • Slightly more secure: Set directory permissions to 0770 and the owner to user:nobody. More secure, but still allows any script run under the webserver to write to this directory.

What SuPHP allows is for the directory to remain owned by user:usergroup with tight 0750 permissions (or even 0700). Furthermore, files created through PHP (uploaded files as well) will be owned by the effective user instead of nobody, as they otherwise would be. This allows users to manage/delete/rename these files themselves as a normal cPanel-level user, as opposed to requiring root access or needing a server admin to change the ownership for them.

Sound good? If so, let's get started!

Building SuPHP Support

  1. Log into the WHM. Ensure you're running the latest build; if you are not, you will be prompted to upgrade when running the next step.
  2. Go to Main » Software » EasyApache (Apache Update).
  3. Leave Previously Saved Config checked and select Start Customizing Based on Profile.
  4. For security reasons we recommend selecting the latest versions of Apache and PHP on the next three steps unless you have good reason to stick with an older version.
  5. Step 5 will have a screen with quite a few options on it. The one we are concerned about is the second option, SuPHP. Tick the checkbox here, scroll down, and click Save and Build.
    Note: For additional security, we also recommend enabling Suhosin on this screen.

Apache and PHP will now rebuild automatically for you, and you will not have any service downtime while this transpires. This build typically takes anywhere from 20-30 minutes to complete.

Enabling SuPHP as the Default Handler

  1. In the WHM, go to Main » Service Configuration » Apache Configuration » PHP and SuExec Configuration, and for your specific version of PHP, select 'suphp' as the default handler from the dropdown list. Click Save New Configuration and you're done!

This setting is not retroactive for any files/directories with incorrect nobody ownership, so you'll need to log into the server as root and fix those manually. While you're in there, you can also tighten down directory permissions as described above!

Converting to suPHP Tips and Tricks

Fixing Permissions on files and folders

When converting to suPHP, one of the common problems admins see is customer websites showing “internal server errors”. Many times this is caused by incorrect permissions being set on the files and directories. The code below helps correct these permission problems by setting PHP files to 0600, directories to 0711, and files/directories to the proper user.group.

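cd /var/cpanel/users/        # one entry per cPanel account name
/scripts/chownpublichtmls    # set files/directories to the proper user.group
for i in *; do
  find "/home/$i/public_html" -type f -iname "*.php" -exec chmod -v 600 {} \;   # PHP files only
  find "/home/$i/public_html" -type d -exec chmod -v 711 {} \;
done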
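
Before running the commands above, a read-only audit shows which entries still carry the old "nobody" ownership or the loose group/world-writable modes described earlier. This is an added example, not part of the original article; the function names audit_docroot and make_sample_docroot and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Read-only audit: changes nothing, only lists what needs attention.

# audit_docroot DIR WEBUSER
# Prints "OWNER <path>" for entries still owned by WEBUSER (name or numeric uid)
# and "WRITABLE <path>" for files/directories that are group- or world-writable.
audit_docroot() {
  find "$1" -user "$2" -print | sed 's/^/OWNER /'
  find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print |
    sed 's/^/WRITABLE /'
}

# make_sample_docroot: builds a constructed public_html tree in a temp dir
# (sample data, not taken from a real account) and prints its path.
make_sample_docroot() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/public_html/cache" "$d/public_html/images"
  : > "$d/public_html/index.php"
  : > "$d/public_html/cache/page.php"
  chmod 711 "$d/public_html" "$d/public_html/images"
  chmod 600 "$d/public_html/index.php"
  chmod 777 "$d/public_html/cache"            # the "less secure" setup
  chmod 666 "$d/public_html/cache/page.php"
  printf '%s\n' "$d/public_html"
}

# On a cPanel server (run as root): audit every account in /var/cpanel/users.
if [ -d /var/cpanel/users ]; then
  for u in /var/cpanel/users/*; do
    u=${u##*/}
    if [ -d "/home/$u/public_html" ]; then
      audit_docroot "/home/$u/public_html" nobody
    fi
  done
fi
```

Running it again after the fix should print nothing for accounts that were converted cleanly.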