To phpsuexec or not to phpsuexec?

[nothsa]

Hi all. I've done some research and am aware of all the benefits of it and am interested in changing to it, mainly so I know which user is running a PHP script. What I'm not aware of is any potential problems.

I keep finding threads on forums where a few users will cite all the good things about it, and eventually someone(s) will come along and say how it's the worst coding invention ever and cites problems and everything it breaks, and then some people will debunk what he says and other will validate it.

Can anyone tell me any potential problems that I might run into using phpsuexec and CGI PHP instead of running mod_php?

[Aric1]

A couple of downsides:

1) If you have users on this server already, they're going to have scripts "break" since 777 permissions are not permitted (755 is max) and no PHP values can be put in .htaccess (php.ini must be used instead).
2) Slower and more load intensive PHP

[webignition]

With phpsuexec enabled, PHP scripts must obey the same sets of conditions that apply to other CGI scripts. With this in mind, you shouldn't encounter any problems.

The golden rules to which you must adhere are:

1. Ensure script permissions are correct
Any script that is world-writable (i.e. permissions with XXX7) will not execute. Neither will they execute from a directory that has such permissions.

The maximum workable permissions are 0755 for both directories and scripts.

2. Ensure ownership of files is correct.
Directories (not including the public_html directory) and files must be owned by user:user not nobody:nobody. In general most scripts would be already owned by user:user, however files created by PHP may have different ownership.

3. Ensure scripts are uploaded in ASCII not binary mode
They may become corrupt during upload and hence fail to work. This should only affect incorrectly uploaded scripts after the changeover.

You will encounter an HTTP 500 (Internal server error) due to not following these rules.

Try checking for and changing the permissions and ownership of existing scripts and directories beforehand and make your users aware of those three rules well before you make the changes.

Everything should then go smoothly.

[nothsa]

Aric1

#1: Do people usually chmod their php scripts to 777? I've never done it and I don't think any of my users have done it, and none of them use php values in .htaccess, so I should be OK there.

#2: I've heard the slowdown is barely noticeable and it takes the load off of Apache so if a bad script is running, Apache is still able to serve up pages 'cause it isn't bogged down by the bad script. Is this true?

[nothsa]

webignition

1. Ensure script permissions are correct
Any script that is world-writable (i.e. permissions with XXX7) will not execute. Neither will they execute from a directory that has such permissions.

Hmmm... My users might have some scripts in world-writable directories. Thanks for the heads-up.

3. Ensure scripts are uploaded in ASCII not binary mode
They may become corrupt during upload and hence fail to work. This should only affect incorrectly uploaded scripts after the changeover.

Also good to know. Thanks for the info =)

[chirpy]

Most of those issues are easily overcome (permissions). There are some things that are unavaoidable:

1. The issue Aric1 mentioned about local .htaccess and php.ini files

2. HTTP_AUTH will no longer function. It doesn't work when running php as a CGI

Personally, I always switch on phpsuexec on all my web hosting servers. For the few downsides I believe the security benefits far outweigh them.

[nothsa]

Thanks chirpy.

I don't think that there is anything here that I can't overcome, and the benefits for me seem to outweigh any potential problems.

I'll be setting this up later tonight =)

[gvard]

Thanks chirpy.

I don't think that there is anything here that I can't overcome, and the benefits for me seem to outweigh any potential problems.

I'll be setting this up later tonight =)

Good evening from Greece,

Did u set it up? How did it go?

[Radio_Head]

safe mode on for me it's much better than phpsuexec or suphp

[hostmedic]

we have many servers - each w/ their own configuration here -

the main thing we have noticed is there are many applications that just go nuts with phpsuexec implemented

it is for this reason we move some clients from 1 server to another server ...


typo3 for example hates phpsuexec - few work arounds - but it still hates phpsuexec...

[Bruce123]

About Chirpy's comment:

HTTP_AUTH will no longer function. It doesn't work when running php as a CGI

We have dozens of php pages that use

$PHP_AUTH_USER and $PHP_AUTH_PASSWORD

for authentication. Are these going to break with phpsuexec?


One customer also also runs the provided phpbb, which is important for them. Any concerns there?

TIA for your help.

Bruce

[chirpy]

AFAIK, yes, they will break.

[mich181189]

yeah... phpsuexec is something I want to avoid if possible. I know one host I use is about to implememnt it. On the host I admin, im gonna try to avoid it because it is simply too limiting.

[AndyReed]

Regarding HTTP-Authentication, since phpsuexe is installed on your server, all .htaccess php calls to apache are void therefore force type etc. lines in the .htaccess are useless. This is because php is no longer running as an apache module and apache will not handle those directives any longer.

[chirpy]

Well, most of the directives that you have in a local .htaccess can simply be moved to a local php.ini

There is a workaround for the HTTP_AUTH directive "issue":

http://www.personalsitessupport.org/...?t=1022&p=4820

More listed under:

http://uk.php.net/features.http-auth