I'm aware there are various different ways to do this but I'm not sure what the "best" way would be for my particular situation:
- Each site should have its own user account (site user)
- Virtual Hosts point to a directory within the site user's home dir
- Apache executes each site as the site user's user:group
- CLI commands can be executed on the site as the site user
- Various contractors are responsible for maintaining 1 or more sites, and each contractor should have his own user account
- Contractors will also have the account information for each site account that they maintain. They will log in as the site user in order to maintain each site - either with ssh directly to that site account, or by logging into their contractor account and then switching users.

My first thought was using mod_fcgi since I think this is how it's typically done on some of the shared server environments I've used. I googled this setup of course but most of the guides I found were random blog posts. What I would like is something with a little more credibility (like a VPS company's howto KB or a distro wiki). This way I can point the admin to it as a general guide which I'm sure he will adapt to how he has this particular server set up.

I doubt you'll find this neatly written up from a reliable source.
I think the answer to your headline question is to take a look at suPHP. Unfortunately the documentation is rather sparse.
Out of the box suPHP is compiled in paranoid mode which means that you have to set the user and group that you want PHP to run as with the `suPHP_UserGroup` directive on a per vhost basis (a global default can be set too). Each vhost would look something like this.

If you have (or expect to have) large numbers of vhosts the above method could become difficult to administer. You can compile suPHP yourself and change `paranoid` mode to `owner` mode. This runs scripts as the owner/group of the .php file and allows you to utilise apache2's `VirtualDocumentRoot` directive and simplifies your vhost configuration considerably.

You will need to disable `check_vhost_docroot` in your suphp.conf to make the latter configuration work.

Doing the above allows apache to 'execute' the sites as the user/group of the account.
The rest of your points are basic administration that your admin should know.
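
The two setups described in the answer above, sketched as an added example (not the answerer's own configuration). The user `site1`, the `example.com` names, the `/home/<user>/public_html` layout and the Apache 2.4 `Require` syntax are assumptions, and the suPHP handler mapping is assumed to be supplied already by the distribution's module config.

```apache
# Option A: stock suPHP build (paranoid mode), one stanza per site.
# "site1", example.com and the paths are placeholders for this sketch.
<VirtualHost *:80>
    ServerName site1.example.com
    DocumentRoot /home/site1/public_html

    suPHP_Engine on
    # PHP for this vhost runs as the site user, not as the Apache user.
    suPHP_UserGroup site1 site1

    <Directory /home/site1/public_html>
        Require all granted
    </Directory>
</VirtualHost>

# Option B (alternative to A): suPHP rebuilt in owner mode, one stanza for all sites.
# Scripts run as the owner/group of each .php file, so there is no
# suPHP_UserGroup line. Needs mod_vhost_alias, and in suphp.conf:
#     check_vhost_docroot=false
<VirtualHost *:80>
    ServerName sites.example.com
    ServerAlias *.example.com

    # %1 is the first label of the requested host name:
    # site1.example.com -> /home/site1/public_html
    VirtualDocumentRoot /home/%1/public_html

    suPHP_Engine on

    <Directory /home/*/public_html>
        Require all granted
    </Directory>
</VirtualHost>
```

In owner mode the identity comes from file ownership rather than from the vhost, so every file under a site's docroot should be owned by that site's user and group.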