Jan Tomka | 14 Jul 08:35 2015

${GROUPNAME} in docroot

Hi all,

I was wondering whether ${GROUPNAME} was supported in the docroot variable.

I'm setting up a staging server environment where 3rd party developers have their own user accounts, but are also in per-website groups. The source code directories have g+s bit set.

Changes I made are the following:


It's all working fine, I was just hoping to be able to use ${GROUPNAME} in the docroot to tighten it a bit, but this doesn't seem to work:


I'm getting the 'Script "[..]" resolving to "[..]" not within configured docroot' error. (There's a symbolic link which links within the same /home/* directory.)

When I output group name from the script I'm getting the correct value.

When I change the variable name to a non-existent name, I'm getting suPHP::KeyNotFoundException so the variable name seems to be recognised. Is there a way to work out what the variable's value is?


Welcome to the suPHP-qhrM8SXbD5JCREYaNQg7v0EOCMrvLtNR@public.gmane.org mailing list! To post to this list, send your message to: suphp-qhrM8SXbD5JCREYaNQg7v0EOCMrvLtNR@public.gmane.org General information about the mailing list is at: https://lists.marsching.com/mailman/listinfo/suphp If you ever want to unsubscribe or change your options (eg, switch to or from digest mode, change your password, etc.), visit your subscription page at: https://lists.marsching.com/mailman/options/suphp/jan%40shopix.com.au You can also make such adjustments via email by sending a message to: suPHP-request-qhrM8SXbD5JCREYaNQg7v0EOCMrvLtNR@public.gmane.org with the word `help' in the subject or body (don't include the quotes), and you will get back a message with instructions. You must know your password to change your options (including changing the password, itself) or to unsubscribe without confirmation. It is: 12px/1.35em arial Normally, Mailman will remind you of your lists.marsching.com mailing list passwords once every month, although you can disable this if you prefer. This reminder will also include instructions on how to unsubscribe or change your account options. There is also a button on your options page that will email your current password to you.

Magento Certified Developer · Magento Certified Solution Specialist
Shopix Australia · http://www.shopix.com.au · 1300 551 221
suPHP mailing list
suPHP <at> lists.marsching.com
daniel-marschall | 20 Nov 21:35 2014

suPHP and mail logging


I have a problem with suPHP and mail logging.

In php.ini I have following content to detect sending of spam:

mail.log = /var/log/php/mail.log

When I use mail() with one of my users, I get the error message that 
/var/log/php/mail.log is not writeable by the user, which is correct. 
But I expect that this file is written by www-user, since the writing 
process is an internal functionality of PHP's mail() function and cannot 
be exploited by the user in writing arbitary files, so I don't want that 
suPHP enforces the user-privileges to this internal functionality.

I can't use per-user-logfiles since I don't want that users remove 
their own log entries to hide sending spam.

What can I do?

Best regards
Daniel Marschall
Michele Cerioni | 12 Nov 11:54 2014



I've some  problems to configuring suphp with chroot option.

Using in suphp.conf chroot=/ everythigs is working, while using
chroot=/home/web I have this error on web page:

Internal Server Error
Could not execute script "/usr/local/www/demoprotocol.it/prova/ss.php3"

There aren't any errors about error_log file of apache.

I think the problem is on the chroot enviroment of chroot. I tested this 
with the command

chroot --userspec=517 /home/web /usr/local/apache/php/bin/php-cgi 
and works

Could someone help me?
Michele Cerioni | 31 Oct 14:49 2014



I've some  problems to configuring suphp with chroot option.

Using in suphp.conf chroot=/ everythigs is working, while using
chroot=/home/web I have this error on web page:

Internal Server Error
Could not execute script "/usr/local/www/demoprotocol.it/prova/ss.php3"

There aren't any errors about error_log file of apache.

I think the problem is on the chroot enviroment of chroot. I tested this 
with the command

chroot --userspec=517 /home/web /usr/local/apache/php/bin/php-cgi 
and works

Could someone help me?
John WH Smith | 14 Jul 13:23 2014

Going half way between paranoid and owner mode


I started using suPHP recently and I just can't get my permissions setup
I am using suPHP along with DBD MySQL, which allows me to store my users
and Apache virtual hosts into a MySQL database.

The server's contents have the following permissions :

-rw-r-x--- someuser www-data /home/users/someuser/
-rw-r----- someuser www-data /home/users/someuser/index.php

- "someuser" is a UNIX user stored in the MySQL database (link is made
through libnss-mysql and pam-mysql).
- "someuser" belongs to the "users" group. His home is
- "someuser" and his scripts must not be able to access other homes in

Now, I am trying to use suPHP to remove the "www-data" group ownership
from the PHP scripts upon execution, but I need to keep the user ownership.
That is, in the above example, index.php should be executed as
someuser:users instead of www-data:www-data.

 - Owner mode allows me to set execution ownership to someuser:www-data,
which isn't quite it since I don't want the group to be www-data.
 - Paranoid mode requires me to set a static user AND group name, which
I can't do (all homes are handled by the same virtual host
configuration, which queries the database for each request).

I'd like to know if suPHP offered a way to use owner mode for the user,
but paranoid mode for the group.
Basically, I'd like something similar to :

suPHP_Group users

in owner mode (yet, this parameter does not exist).

I've been thinking about this setup for a while, and I just can't find a
correct configuration use both suPHP and DBD MySQL together, while
separating all homes from each other.
Am I missing something here, or is there a simpler setup I didn't think

Thanks in advance!
Sebastian Marsching | 4 Jul 13:20 2014

Re: Handler for (null) returned invalid result code 70014

> Definitely a valid argument, but I don't see why these same concerns
> shouldn't apply to running PHP scripts, which are just as capable of causing
> damage and using the env variables maliciously as Perl scripts.

That is true, however suPHP filters some environment variables (in particular PHPRC and
LD_LIBRARY_PATH) that might be problematic for PHP.

The difference between suPHP and suExec is that suPHP uses a black-list and suExec a white-list. If you do
not know which kind of executables is run, a black-list obviously is the better approach.
Joe Gillotti | 3 Jul 12:32 2014

Re: Handler for (null) returned invalid result code 70014


What if you try disabling/uninstalling suexec?

Not many people are completely aware of this but suPHP also works for 
executing one-off CGI scripts/binaries (I.E. not php) and can take the 
place of suexec.

I know that cPanel likes to enable suPHP and suexec at the same time but 
I'm very sure it patches them a bit.

Read the second item in this with regards to using it to replace suexec: 


On 7/3/14, 3:21 AM, helmuth@... wrote:
> Dear Joe,
> On 03.07.2014 10:34, Joe Gillotti wrote:
>> Are you using apache/suphp/php compiled from source or from stock 
>> Debian's apt repo? If the
>> latter perhaps you could file this as a debian bug for those packages,
> thank you for your response! I'm using stock packages from the Debian 
> LTS repo, only. I've seen this error 2012, too. It's not a new problem.
> Sure, I could file a bug to the debian team.
> I'm also using apache2-suexec-custom instead of apache2-suexec:
> # aptitude search suexec
> p   apache2-suexec         - Standard suexec program for Apache 2 
> mod_suexec
> id  apache2-suexec-custom  - Configurable suexec program for Apache 2 
> mod_suexec
>> once you have garnered some additional info of course.
> Do you have any hints to track this down? What should I do? Because 
> it's not reproducible I cannot use GDB, strace or something like that.
>> Could you post some of your configs?
> This is my suphp.conf:
> ----------------- Snip --------------------
> [global]
> logfile=/var/log/suphp/suphp.log
> loglevel=info
> webserver_user=www-data
> docroot=/
> allow_file_group_writeable=false
> allow_file_others_writeable=false
> allow_directory_group_writeable=false
> allow_directory_others_writeable=false
> check_vhost_docroot=true
> errors_to_browser=false
> env_path=/bin\:/usr/bin\:/usr/local/bin
> umask=0022
> min_uid=10000
> min_gid=10000
> [handlers]
> application/x-httpd-php="php:/usr/bin/php-cgi"
> x-suphp-cgi="execute:!self"
> ----------------- Snap --------------------
> This is a part of my vhost-configuriation:
> ----------------- Snip --------------------
>     <Directory /var/www/user1/htdocs/≥
>         suPHP_Engine on
>         suPHP_AddHandler application/x-httpd-php
>         suPHP_ConfigPath /etc/php5/users/user1/
>         [...]
>     </Directory>
> ----------------- Snap --------------------
> There is a php.ini for every user.
> This is the suphp.conf from apache2/mods-enabled/
> ----------------- Snip --------------------
> <IfModule mod_suphp.c>
>     AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml
>     suPHP_AddHandler application/x-httpd-php
>     <Directory />
>         suPHP_Engine on
>     </Directory>
>     <Directory /usr/share>
>         suPHP_Engine off
>     </Directory>
> </IfModule>
> ----------------- Snap --------------------
> Again, thank you for your help!
Helmuth Gronewold | 2 Jul 16:32 2014

Handler for (null) returned invalid result code 70014

Dear list,

I really need your help with this. I have two webserver clusters with 
mod_suphp 0.7.1 and Apache 2.2 (squeeze-lts). BalanceNG is placed 
infront of the webservers to load balance user requests in DSR mode. PHP 
sessions and data is stored on a reliable NFS server.
Multiple times a day users get an internal server error and the Apache 
logs say:

[Wed Jul 02 09:34:32 2014] [error] [client 9x.xx.xx.64] Handler for 
(null) returned invalid result code 70014, referer: 

In more than two cases the error was reproducible for the user only, but 
was gone the next day or after a few hours. Two months ago 6 out of 8 
users from one office got this problem and again it fixed itself the 
other day.

As you can see, the referer URL above says action=upload. The problem is 
not bound to file uploads. Sometimes scripts that could be used to 
upload files only changed two values with a few byte in POST size.

It is also not bound to a specific script. I've seen that error with 
multiple different scripts which go from mostly flat PHP files with 
structural programming to MVC and OOP. The only thing that most of the 
scripts have in common is, that they provide file upload functionality 
(which is not used every time...).

I've read every website on the six result pages google returned to this 
topic. No one found a clear solution to this. Some say a proxy or 
firewall is causing this (pfSense and BalanceNG is used here, but there 
are equal rules for all users and no content modification), some say 
it's specific to the executed PHP code.

In my opinion the most interesting results are:

2. http://www.webhostingtalk.com/showthread.php?t=1351337

The first one describes what the error means. I've checked out both the 
Apache and suPHP codebase and found out that ap_run_handler() returns 
this error. The function is implemented by the handler which in turn, 
AFAIK, is mod_suphp.

The second ones poster did some nice debugging and found out the 

1. mod_security is not an issue (even though I'm not using 
2. POST requests with forms are involved 100% of the time
3. suphp is involved
4. the PHP script itself is not even executed
5. "this error can also be logged if a form's content-size value in the 
POST headers does not match the actual content size"

On the other hand I did not get a "Connection Reset" like he posted.

In my understanding the error is generated when there is a communication 
problem between Apache and suPHP. But I'm really not sure about that.

Every single advice to track down this problem would be great!

Thanks in advance,

Michael Winterberg | 16 Feb 16:52 2014

Re: How to get more details ?


i have the same problem now.
suPHP and mediawiki.
but the link to the solution is broken now.
do you remember how did you soled the problem?

thanks a lot for help

Michael Winterberg (CTO)
find my profile <at>  michael.tischefrei.de
tischefrei.de GmbH | Franz-Schubert-Str. 3 | 36043 Fulda
Sitz der Gesellschaft: Fulda | Handelsregister: Amtsgericht Fulda HRB 6123
Geschäftsführer: Bernhard Fichtenbauer, Tobias Walter, Michael Winterberg
facebook | twitter | google+ | youtube

suPHP mailing list
Lance | 27 Oct 23:57 2013

Help adding 2 new options

I hope someone can help me with this. I've been trying to add two new options to mod_suphp, basically suPHP_NProc and suPHP_NProc_Error I'm just not good enough with C to get it all working correctly.

I was wanting suPHP_NProc to set the maximum number of permitted PHP processes. (I know Apache has RLimitNProc, but I was just looking to add something that is suPHP specific.)

The other option suPHP_NProc_Error I was wanting to add to let you override the error code that is returned when the process limit is reached instead of returning a generic 500 error code (Internal Server Error).

Any help with this would be appreciated.
suPHP mailing list
suphp | 13 Oct 13:21 2013

htaccess override suphp_ConfigPath

Howdy :-)

On debian 7 I've some virtual host (each virtual host as a php.ini does
not visible on ftp root).


DocumentRoot /home/domain1/domain1/
suPHP_ConfigPath /home/domain1/

I need use htaccess and I modify AllowOverride from none to FileInfo:

AllowOverride FileInfo

Works :-)

But if I put (in htaccess) this line:

suPHP_ConfigPath /home/domain1/domain1/

I can write a NEW php.ini and override ALL security options!

What I should do?