suPHP Homepage

Home | Download | FAQ | Documentation | Help

You can download version 0.7.2 of suPHP.
For older versions go to the archive.

suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of the process executing the PHP interpreter.

suPHP 0.7.2 released2013-05-20
suPHP 0.7.2 has been released.
This release fixes a security issue that was introduced with the 0.7.0 release. This issue affected the source-highlighting feature and could only be exploited, if the suPHP_PHPPath option was set. In this case local users which could create or edit .htaccess files could possibly execute arbitrary code with the privileges of the user the webserver was running as.

suPHP 0.7.1 released2009-03-14
suPHP 0.7.1 has been released.
This release fixes a bug causing problems with symbol links in the script path, which was introduced with the 0.7.0 release.

suPHP 0.7.0 released2008-12-25
suPHP 0.7.0 has been released.
With this release, several features that have been on the wish list for a long time, have been realized:
  • The module for Apache 1.3 only supported AddHandler for older releases. This has been fixed: Now you can use AddType, too.
  • PHP source highlighting: Files of MIME type application/x-httpd-php-source will now be shown with source highlighting. Remember to set the suPHP_PHPPath directive to enable this feature.
  • suPHP_AddHandler and suPHP_RemoveHandler directives can now be used on per vhost level, too.
  • You can configure more than one docroot and use different variables (like user name or home directory) within docroot and chroot settings.
Attention: The configuration syntax for suphp.conf has slightly changed with this release. Be sure to read the documentation before upgrading, because existing configuration files will not work without changing them.

suPHP 0.6.3 released2008-03-30
suPHP 0.6.3 has been released.
This is a security fix release, fixing tow race-conditions concerning symlinks:
  • An attacker could create a symlink linking to a file of his own, then change the symlink to point to a file of another user and finally change the link back to a file of his own. This attack requires very accurate timing, because the link has to be changed twice at the right moments. However, if the attacker succeeds he can execute his own code with the permissions of a different user. This will be less harmful when suPHP is run in paranoid mode, as the attacker has to place his link in a directory that is associated with another user.
  • There is a second vulnerability concerning symlinks that point to a directory. This vulnerability is even more harmful as the link has to be changed once only, which makes the timing much easier. As the other vulnerability this issue is most harmful if suPHp is running in owner mode.
All users are strongly advised to update immediately.

suPHP 0.6.2 released2006-11-19
suPHP 0.6.2 has been released.
The following problems have been fixed with this release:
  • Double free() problem with certain versions of GCC
  • Dead locked Apache processes when a script wrote more than 4096 bytes to stderr.
  • Problems with PATH_INFO environment variable
Features / improvements:
  • Apache 2.2 compatibility
  • (Basic) mod_userdir support

suPHP 0.6.1 released2005-12-01
suPHP 0.6.1 has been released.
This is mainly a bugfix release (hopefully) fixing the following problems:
  • Buildproblems due to APR headers not being found
  • HTTP 500 Errors when a script sends a Last-Modified-Header
  • suPHP is now reading its runtime configuration from a file
  • Potential buffer overflow in mod_suphp.c for Apache2. This overflow could not be exploited as the relevant parameter to the function call was constant, however it was fixed as it might have grown to a problem if this function had been used by other parts of the code with variable parameters.
  • Some code using STL was changed to gain better compatibility with old GCC versiosns (credits to Jeremy Chadwick for finding the solution)
  • Typos in mod_suphp.c for Apache 1.3 (credits to Johan Ekberg for finding them)
There is a small new feature, too:
  • chroot() support was added. In the configuration file, a path can be specified, in which suPHP will chroot() before executing the script.

suPHP 0.6.0 released2005-06-11
suPHP 0.6.0 has been released.
For this release suPHP has been completely rewritten. This in an (incomplete) list of only the most important changes:
  • Complete code rewritten now using C++ instead of C
  • Automake based build system
  • suPHP is now reading its runtime configuration from a file
  • Apache 1.3 module completely rewritten - now all modes are supported with Apache 1.3, too
  • Support for concurrent use of different PHP version (e.g. 3, 4, 5)
This release was sponsored by Techno-vi - Wanix.
Thanks to the sponsor!

suPHP 0.5.2 released
suPHP 0.5.2 has been released.
There are several changes in comparison to version 0.5.1:
  • Added support for UIDs/GIDs not listed in system configuration when using "force" or "paranoid" mode
  • Fixed bug in configure script that caused autoconf to assume wrong values
  • Changed behaviour for setting "REDIRECT_STATUS": Now it is only set to "200" when it has not already been set by Apache
  • Fixed bug causing environment variables with values ending with a '=' sign to be unset

suPHP 0.5.1 released
suPHP 0.5.1 has been released. Version 0.5.1 is mainly a bugfix release, fixing the bug causing a segmentation fault in the Apache 2 module and improving the handling of environment variables.
Instead of setting unneeded / unwanted environment variables to an emtpy string, they are now completely removed from the environment.

suPHP 0.5 released
After several days of coding and an even longer time of testing now suPHP 0.5 has finally been released.
The most important improvement is Apache 2.x compatibility but there are are a lot of more features, including improved logging and compatibility for more platforms. See the ChangeLog in the suPHP distribution for details.

Solaris patch for suPHP 0.3.1
Due to differences in the system APIs between Linux and Solaris suPHP did not work on Solaris systems.
Now, James O'Dell has created a compatibility patch for Solaris (which might also work for IRIX). You can get the patch from the suPHP download archive.

suPHP 0.3.1 released
suPHP 0.3.1 has been released. In this version a bug concerning the "--disable-checkuid" option has been fixed.
If you suceeded in compiling suPHP 0.3 there is no need to upgrade to version 0.3.1.

suPHP 0.3 available
suPHP 0.3 has been released. The most important change concerns the build system which is now based on GNU autoconf. Due to this change building and installing suPHP should be much easier now.
A problem which was sometimes caused by the so called "supplementary groups" feature has been fixed: In the past, users gained permissions of the group the Apache was running as. Now, they have exactly the permissions of the groups, which they are a member in.
Besides some small changes have been made in order to make suPHP work with scripts whose UIDs/GIDs are not listed in /etc/passwd respective /etc/group. See the documentation for details on this change.

Patch fo suPHP on FreeBSD available
Clement Laforet has created a patch to make suPHP work on FreeBSD without having to modify the configuration.
The patch was made for suPHP 0.2.2 but will probably also work with suPHP 0.2.3.

French documentation for suPHP now available
The documentation included within the suPHP packages is now available in French language, too.
Thanks to Clement Laforet for translating the docs!

suPHP 0.2.3 released
In version 0.2.3 a small bug, which made it possible to circumvent
.htaccess security when FollowSymlinks was activated, was fixed.

Bug in suPHP 0.2.1, version 0.2.2 released
In the package with suPHP 0.2.2 the file "suphp.h" was not included.
For this reason suPHP 0.2.1 failed to compile!
In suPHP 0.2.2 this file is included again, so there shouldn't be this problem any more.

suPHP 0.2.1 now available
In suPHP 0.2.1 a bug, which caused the suPHP_ConfigPath option not to work on some PHP installations, was fixed.

German documentation for suPHP 0.2 now available
The documentation included within the suPHP packages is now available in German language, too.
Thanks to Jonas Pasche for translating the docs!

Changes in version 0.2
- Added support for (de-)activation for each VirtualHost defined in the Apache configuration
- Added support for different php.ini's, configurable in the Apache config
(c) 2006-2008 Sebastian Marsching

Valid XHTML 1.0!Valid CSS!