  1. #1
    Member
    Join Date
    Jan 2005
    Location
    London, UK
    Posts
    187

    SuPHP and SuExec - pros and cons

    Hi,
    Does anyone know of a definitive guide for hosters in regards to the pros and cons of using "SuPHP" and "SuExec"?

    Many thanks,

    - Vince

  2. #2
    Member
    Join Date
    Sep 2004
    Location
    inside a catfish
    Posts
    963
    cPanel/Enkompass Access Level

    Root Administrator


    I'm sure somebody has created a fairly definitive guide. And I'm also sure that if you search these forums you will find some very useful information on the subject. Here are just a few.

    PROS for SuEXEC / SuPHP

    1. Security!

    With SuEXEC / SuPHP enabled, all scripts are run as the user. If you have a website that gets hacked and the hacker uploads a script, that script is going to run as the user (and thus will have a likely limited scope). This doesn't guarantee that the total server can't be compromised, but it sure helps.

    2. Ability to easily tell what users' web applications are using up system resources.

    CONS for SuEXEC / SuPHP


    1. PHP and CGI scripts as well as directories are going to need to have different permissions set for them.

    On a server with a lot of sites, it's inevitable that you encounter a few problems where website scripts haven't been changed to the appropriate permissions and thus will not run... Contents of the user's web directory must be recursively chowned to user:user. PHP scripts need to be chmod 644 or less. CGI scripts need to be chmod 755 or less. Directories need to be chmod 755 or less.

    I think on cPanel there are mechanisms in place to automatically do a lot of this work during a transition to SuEXEC/SuPHP (see another post made days ago by someone on the subject).

    2. Performance on a server degrades. Any time you have to feed anything through SuEXEC / SuPHP, there is a performance hit. If you have a beefy machine with dual Xeons, fast hard drives, reasonable memory, and a few hundred sites that have "typical" resource use, you may never notice a performance hit. If you're running a hundred sites, many with PHP or CGIs, on a server with a Pentium 4 and a Gig of memory, you're going to definitely see performance hits.

    I'm sure there is a lot more to think of. But personally I believe that any shared hosting server should be running SuEXEC and SuPHP - and that if your server doesn't have the guts to handle the potential increased performance hit, then you should upgrade the hardware rather than decide against enabling SuEXEC / SuPHP.

    Also - unrelated to SuPHP and SuEXEC directly, but nevertheless important, is the use of mod_security and a good ruleset for mod_security. Also, make sure you have a good firewall (like a combo of APF / BFD or even better, CSF). If you're going to go through the trouble of worrying about security and enabling SuEXEC and SuPHP, then you certainly want to make sure that you protect your server further. SuPHP and SuEXEC are just a good part of a server-wide security solution.

    Mike
    Last edited by mtindor; 06-22-2008 at 04:59 PM.
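
The ownership and permission rules listed in the reply above (user:user ownership, PHP 644 or less, CGI and directories 755 or less), written as an audit script. This is an added example, not part of the original thread and not a cPanel tool; the function name `audit_docroot`, the reason labels, and the `*.cgi`/`*.pl` patterns used to recognise CGI scripts are assumptions, and it requires GNU find.

```bash
#!/usr/bin/env bash
# Added example: audit a docroot against the suEXEC/suPHP rules quoted in the post.
# Assumes GNU find (for "-perm /mode" and -printf); only the rwx bits are checked.

# audit_docroot DIR OWNER GROUP   (hypothetical helper name)
# Prints "REASON<TAB>path" per violation; returns 1 if any were found, else 0.
audit_docroot() {
    local dir=$1 owner=$2 group=$3 report
    report=$(
        # Everything under the docroot must be owned user:user.
        find "$dir" \( ! -user "$owner" -o ! -group "$group" \) \
            -printf 'wrong-owner\t%p\n'
        # PHP scripts: 644 or less, i.e. none of the bits in 0133 may be set.
        find "$dir" -type f -name '*.php' -perm /133 \
            -printf 'php-over-644\t%p\n'
        # CGI scripts: 755 or less, i.e. not group- or world-writable.
        # Matching CGI by *.cgi / *.pl is an assumption; adjust per site.
        find "$dir" -type f \( -name '*.cgi' -o -name '*.pl' \) -perm /022 \
            -printf 'cgi-over-755\t%p\n'
        # Directories: 755 or less.
        find "$dir" -type d -perm /022 -printf 'dir-over-755\t%p\n'
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Stand-alone use: ./audit.sh /home/USER/public_html USER USER
if [ "$#" -eq 3 ]; then
    audit_docroot "$@"
fi
```

Running it before switching a server to SuEXEC / SuPHP gives a list of the scripts that would stop working, so they can be fixed per account rather than with a blanket recursive chmod.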
