PHP with webpage user permissions on Ubuntu 18.04 Bionic Beaver (using PHP-CGI and Apache2.4 with mod_fcgid)

Usually, PHP runs with the permissions of the Apache2 web server, which has several disadvantages. One is that files created by the webpage will have different user permissions than the user the webpage belongs to. There is also a security concern, as webpages of other users on the server could access your data and configuration.

With Ubuntu 16.04 we used the Apache2 FastCGI module, as described in this how-to; that module is no longer available. Here are the updated instructions for Fcgid.

In our environment we wanted to have a webserver which runs PHP with the permissions of the user the webpage belongs to. This is what we did (starting from a blank Ubuntu 18.04 installation):

apt install libapache2-mod-fcgid apache2 php-cgi apache2-suexec-pristine
a2enmod userdir

Add the following to /etc/apache2/sites-available/default-ssl.conf:

<FilesMatch \.php$>
  AddHandler fcgid-script .php
</FilesMatch>

Allow ExecCGI for userdir in /etc/apache2/mods-enabled/userdir.conf:

Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec ExecCGI

In the user's public_html directory create two files:

~USER/public_html/.htaccess:

FcgidWrapper /home/USER/public_html/.php-fastcgi.fcgi .php

~USER/public_html/.php-fastcgi.fcgi (must be executable and belong to the user):

#!/bin/sh
PHP_FCGI_CHILDREN=4
PHP_FCGI_MAX_REQUESTS=5000
export PHP_FCGI_CHILDREN PHP_FCGI_MAX_REQUESTS
exec php-cgi
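
To confirm that the wrapper is executable and belongs to the user before Apache is asked to run it, the following added example (not part of the original instructions) audits the file and its directory. The function name check_wrapper is hypothetical, and the checks beyond "executable and owned by the user" (no group/other write access, no setuid/setgid bits, directory owned by the user) are assumptions taken from suEXEC's documented security model.

```shell
#!/bin/sh
# check_wrapper USER FILE
# Prints one line per finding; returns 0 only if FILE passes every check.
# Uses GNU stat (coreutils), as shipped with Ubuntu.
check_wrapper() {
    cw_user=$1; cw_file=$2; cw_rc=0
    if [ ! -f "$cw_file" ]; then
        echo "FAIL: $cw_file is not a regular file"
        return 1
    fi
    cw_dir=$(dirname "$cw_file")
    # %a is the octal mode (e.g. 700, 4755); the leading 0 makes the
    # shell read it as octal so single permission bits can be tested.
    cw_fmode=$(stat -c %a "$cw_file"); cw_fmode=$((0$cw_fmode))
    cw_dmode=$(stat -c %a "$cw_dir");  cw_dmode=$((0$cw_dmode))

    if [ "$(stat -c %U "$cw_file")" != "$cw_user" ]; then
        echo "FAIL: wrapper is not owned by $cw_user"; cw_rc=1
    fi
    if [ "$(stat -c %U "$cw_dir")" != "$cw_user" ]; then
        echo "FAIL: $cw_dir is not owned by $cw_user"; cw_rc=1
    fi
    if [ $((cw_fmode & 0100)) -eq 0 ]; then
        echo "FAIL: wrapper is not executable by its owner"; cw_rc=1
    fi
    if [ $((cw_fmode & 022)) -ne 0 ]; then
        echo "FAIL: wrapper is writable by group or others"; cw_rc=1
    fi
    if [ $((cw_fmode & 06000)) -ne 0 ]; then
        echo "FAIL: wrapper has the setuid or setgid bit set"; cw_rc=1
    fi
    if [ $((cw_dmode & 022)) -ne 0 ]; then
        echo "FAIL: $cw_dir is writable by group or others"; cw_rc=1
    fi
    if [ "$cw_rc" -eq 0 ]; then echo "OK: $cw_file"; fi
    return "$cw_rc"
}

# Run as: sh check_wrapper.sh USER /home/USER/public_html/.php-fastcgi.fcgi
# (the script file name is a constructed example)
if [ $# -eq 2 ]; then check_wrapper "$1" "$2"; fi
```

A wrapper created with chmod 700 in a public_html directory of mode 755 passes all checks.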

Have fun! Please don’t hesitate to leave a comment :-)
