The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

New PHP SuExec Alternative

Discussion in 'General Discussion' started by Elikster, Sep 28, 2003.

  1. Elikster

    Elikster Well-Known Member

    Joined:
    Feb 8, 2003
    Messages:
    119
    Likes Received:
    1
    Trophy Points:
    18
    Greetings,

    I been checking aorund since I don't exactly like how the phpsuexec patch is done for the PHP itself, and I found this instead.

    http://www.suphp.org/Home.html

    Basically, it make a module which you put in the httpd.conf and remove the mod_php off and it will pass it to php cgi version to run the scripts as it is intended. I am currently evalating this and I like what I have seen so far.

    This seems to be much better version to use for default php installation instead of patching Apache and PHP to have this allowed, since I took the time to read though the patches required for the phpsuexec and I didn't like what I seen in there. Granted, it is still early development, but it seems to do everything and it is activately developed by the developer.

    This might be a nice alternative for you guys to look into if you don't like using the phpsuexec option.

    cPanel.net Support Ticket Number:
     
  2. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Nice ! :eek: (sticky ?)

    Who has the courage to test it ;) ?

    cPanel.net Support Ticket Number:
     
  3. roman

    roman Well-Known Member
    PartnerNOC

    Joined:
    Feb 13, 2002
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    6
    PHP is still ran in cgi mode with this module... as it does with phpsuexec... Am I right?

    cPanel.net Support Ticket Number:
     
  4. perlchild

    perlchild Well-Known Member

    Joined:
    Sep 1, 2002
    Messages:
    279
    Likes Received:
    0
    Trophy Points:
    16
    According to the info I have, unless you're running apache 2.0 with the perchild(any resemblance to my username is a coincidence, and I'm not affiliated with the apache foundation) module, I don't think it's even possible to have php suexec otherwise than as a cgi. As every module runs into the nobody security context, suexec works by forking processes, and that's why phpsuexec does the same. Perchild will add per-site security contexts at the module level, but even then, there will be a (smaller) performance penalty in php, asp and jsp etc... Mod_perl as I understand it, is so tightly bound, that it might actually regain the small performance it had over php when php3 was launched, but that's conjecture on my part.

    cPanel.net Support Ticket Number:
     
  5. Elikster

    Elikster Well-Known Member

    Joined:
    Feb 8, 2003
    Messages:
    119
    Likes Received:
    1
    Trophy Points:
    18
    Testing

    I am currently testing it among my 6 personal computers plus one new server that is just provisioned. I like this method better due to no patching on Apache or PHP itself, which in my book is a major plus compared to the Phpsuexec version, which required patching in 3 different places.

    I will let you know at the end of the week or early next week after I give it a abusive testing I can throw at to see how it performs, which means stealing several major websites I hosts and put it on my personal servers to test.

    cPanel.net Support Ticket Number:
     
  6. carluk

    carluk Well-Known Member

    Joined:
    Sep 2, 2003
    Messages:
    162
    Likes Received:
    0
    Trophy Points:
    16
    Anymore news?

    cPanel.net Support Ticket Number:
     
  7. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    Anyone have an update as to how this alternative is working for them? Would really love to solve the 'nobody' issues with PHP, but hesitant to use phpsuexec.

    cPanel.net Support Ticket Number:
     
  8. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    Same here :)

    cPanel.net Support Ticket Number:
     
  9. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,383
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    I tried a very limited test on a CPanel server, but could not get it to work. Perhaps I was using wrong configuration options, or had something compiled wrong. I really didn't do much digging. I don't really have the time necessary to adequately explore why it was not working. I thought I would wait a little while and see if anyone else had it working on CPanel, and had a howto guide on it.

    cPanel.net Support Ticket Number:
     
  10. Elikster

    Elikster Well-Known Member

    Joined:
    Feb 8, 2003
    Messages:
    119
    Likes Received:
    1
    Trophy Points:
    18
    Update Status

    Greetings,

    I have done a battery of tests on it and after finding no problems with it, I have it installed on 3 servers and I have reported no problems with them. And on the upside, it made my life so much easier tracking down people who are spamming from our servers, since they did not realize that we implemented the new suphpexec in.

    As for performance wise, I don't see any penalties on this as far I can see. I am happy with them.

    cPanel.net Support Ticket Number:
     
  11. sloop

    sloop Well-Known Member
    PartnerNOC

    Joined:
    May 4, 2003
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    north carolina
    Has anyone else given suphp a try?

    How is it working for you now Elikster? How many sites with PHP scripts do you have running with suphp? Are they normal web hosting clients?

    cPanel.net Support Ticket Number:
     
  12. sloop

    sloop Well-Known Member
    PartnerNOC

    Joined:
    May 4, 2003
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    north carolina
  13. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Thank you sloop . You did a great work , thank you.
    (also if an "how to remove it" if something goes wrong ,
    and an "how to update" if an update will go out , will be really appreciated) .

    Do you think it will continue to work every time
    php will upgrade its version (I suppose no :( ) ?
     
  14. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    I also hope that Bradco will consider to add suphp support inside /scripts/easyapache ;)

    Bye
     
  15. Frenck

    Frenck Active Member

    Joined:
    Nov 12, 2002
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Hengelo, The Netherlands
    How about open_basedir?

    open_basedir doesn't work with phpSuExec. Does it work wit suPHP?
     
  16. Patiek

    Patiek Active Member

    Joined:
    May 23, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    Yes, that would be awesome.
     
  17. pfmartin

    pfmartin Well-Known Member

    Joined:
    Aug 18, 2001
    Messages:
    167
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Earth
    Just curious:

    How is this any different from phpsuexec?

    In the end, phpsuexec is also just a module inside Apache (contrary to the original post, you do NOT need to patch PHP to use phpsuexec). The thing is that phpsuexec is a static module vs. this alternative which is dynamically loaded. However, they are both 'modules'.

    I am not for or against either solution (although I have been using phpsuexec for a while now). It's just that this thread implies the new alternative is "better" than phpsuexec. I do not see the difference other than one is in the apachebuild from cpanel and one is not.

    Can someone comment on the differences if I am not seeing something? I am always looking for a better solution :)

    Thanks
     
  18. perlchild

    perlchild Well-Known Member

    Joined:
    Sep 1, 2002
    Messages:
    279
    Likes Received:
    0
    Trophy Points:
    16
    Dynamic loading is in itself a significant difference... for two reasons:
    1) security purists in general prefer static binding for security purposes
    2) uptime freak-ish admins(like myself) tend to prefer dynamic binding with the ideal that you can throw the module on/off with just a config flag, and preferrably update apache without updating the modules.

    On another note, anyone know of a mod_php alternative that would work with the perchild apache 2.0 MPM? Appears to me(so far) that perchild would finally allow php module access, while protecting each host properly. Anyone know of research in that area?
     
  19. pfmartin

    pfmartin Well-Known Member

    Joined:
    Aug 18, 2001
    Messages:
    167
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Earth
    Thank you for the feedback. If I may add to this:

    If security is the reason you are changing to phpsuexec (or a simliar 'secure' solution) then I would suggest that one should take the most secure route. Therefore, I would agree that a static module is more secure than dynamic loading of modules. I am not sure what a 'security purist' is, but in my book, you can never be too paranoid. The more security, the better for everyone, especially your customers.

    This would lead me to conclude that in our case we prefer the static module (i.e. phpsuexec).

    Regarding the Apache 2.0 MPM, I do know that it is on many people's minds in both the Apache and PHP developer groups. However, at this point there is no 'stable' release on either project regarding MPM with PHP. I am not sure, but my thinking is that they are reserving most of their efforts for PHP 5.0 (which is currently in Beta 3). We are bound to hear news on MPM for PHP soon. I am fairly sure that is why Cpanel has not gone Apache 2.0. They are also waiting.

    Thanks.
     
  20. sloop

    sloop Well-Known Member
    PartnerNOC

    Joined:
    May 4, 2003
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    north carolina
    You're right, I don't know of any significant differences between the two (suphp and phpsuexec). I read about suphp as an alternative on the web and was curious. So, I tested it out and documented my findings.

    I posted the info here about how to set it up just to further the discussion of PHP security, not to say that this is better than phpsuexec.
     
Loading...

Share This Page