The Community Forums


Php as CGI and Module

Discussion in 'Database Discussions' started by spearhead, Jul 7, 2007.

  1. spearhead

    spearhead Member

    Is it possible to set up cPanel to run php5 as both a CGI and a module? I came from an Ensim environment and they have it so you can have secured sites (CGI) and not-so-secure sites (module). I'd like to lock down most of them but have the ability to run the module on a few. I'm new and am a bit apprehensive of turning on phpsuexec on 100 sites and having to update all the permissions. I'm hoping I can implement phpsuexec incrementally as I fix one site at a time.
     
  2. Spiral

    Spiral BANNED

    Running as both a module and a CGI would be self defeating in this case
    and you would effectively undermine the whole purpose of having CGI.

    Personally I don't recommend phpSuExec because of the reduced security
    it brings with it and many other problems. SuPHP is infinitely better!

    Now as far as permission updating goes for scripts, that is no big deal
    and can actually be done with a simple script in a few seconds for
    the entire server machine.
     
  3. spearhead

    spearhead Member

    Thanks for the info. I wasn't aware that SuPHP was available in the cPanel CURRENT build. I'm not too interested in doing anything that isn't supported yet (unless it's relatively non-intrusive). I was just trying to see if a CGI can be used with the apache module version of PHP simultaneously all using the tools available in cPanel. It seemed to me it was an either/or situation. Either CGI (via phpsuexec) or apache module.

    Does SuPHP work with any PHP accelerators? I'm kinda cozy with eaccelerator as it's been a real boost for the CMS systems.
     
  4. Spiral

    Spiral BANNED

    Yes you can use most accelerators with SuPHP but not with phpSuExec so
    that yields yet another reason you wouldn't want phpSuExec in this case.

    SuPHP will work under any apache release now and works just fine with
    all trees of Cpanel but unless you are running Edge, you will need to install
    it manually and I suspect based on your statements, that might be something
    outside your normal "know how" range of activities -- just guessing. For
    this reason, I would probably not worry about SuPHP unless you get me
    or someone else qualified to do it for you.

    phpSuExec allows you to track script executions by account owner but does so at
    a cost of opening up some very serious security vulnerabilities that actually make
    it less secure and more dangerous than just running Apache module PHP only.

    Meanwhile, SuPHP gives you the abilities of phpSuExec without the downsides but
    is somewhat more complicated to install especially if you are on Release or Current
    development trees under Cpanel.

    Given what you said in your first post and everything above, my actual recommendation
    for you would just be to stay as Apache module only and forget phpSuExec entirely.

    For tracking mail sending, you can just simply set up full header logging in the
    Exim configuration editor and you can track mail sending regardless of whether you
    have SuPHP and / or phpSuExec installed or not.
     
  5. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Just a heads up that integrated SuPHP support is part of the Stage 2 roll-out of cPanel 11. For up-to-date schedules regarding release dates, refer to http://www.cPanel.net/cpanel11
     
    #5 cPanelDavidG, Jul 9, 2007
    Last edited: Jul 9, 2007
  6. brianoz

    brianoz Well-Known Member

    Spiral,

    This is interesting; what are these vulnerabilities? How come I've never heard of them before? (Or are they recent discoveries?)

    I only ask because I've never seen (or heard reported) any problem with running phpsuexec on multiple servers with many accounts, so information to the contrary would be really valuable.

    Forgive my ignorance, but does suphp run PHP in cgi mode?
     
  7. brianoz

    brianoz Well-Known Member

    Fantastic news!
     
  8. Frimon86

    Frimon86 BANNED

    Very good news! :)
     
  9. Spiral

    Spiral BANNED

    No, it's not a recent discovery. It was actually a design flaw when phpSuExec was created.

    It is a very common misconception that phpSuExec increases security in any form ...

    In reality, phpSuExec only gives you the ability to run scripts as the account owner instead
    of generic user "nobody" but it does so at a very great cost in terms of security!

    In fact, phpSuExec actually makes you far more vulnerable to attack security wise than
    regular Apache module based PHP alone and those who know phpSuExec's specific
    weaknesses have a lot more options at their disposal to hack your system.

    As a high level professional security consultant, I have a lot of the same tools and
    skills at my disposal as many of the better hackers you will find out there and with
    that you should know that I can take down a test server running phpSuExec and
    gain root access in 1/50th the time it would take me trying to crack a server running
    regular Apache module based PHP if that tells you anything at all.

    I am reluctant to mention specific details beyond that because the fewer people who
    know the problems with phpSuExec, the better. In fact, keeping that knowledge
    out of the hands of the general public is the one and only reason why we haven't seen
    huge rampant hacking sprees across the net specifically targeting phpSuExec servers!

    Yes and No! There are actually both CGI and Apache module parts to SuPHP!

    SuPHP itself is installed as an Apache Module and acts as the controller for PHP.

    SuPHP in turn passes all code requests from Apache over to the PHP CGI binary.

    Because of the somewhat middle man design of SuPHP, it is NOT subject
    to the inherent vulnerabilities and security weaknesses of phpSuExec spoken
    of earlier in this post and this thread.

    A cool side effect of that design is that you could also set the permissions on
    your PHP scripts as tightly as 400 and they would still execute just fine! :cool:

    Ironically, SuPHP also has better code performance than phpSuExec so aside from
    better security, your code also executes somewhat faster under SuPHP too!

    Overall though ...

    PHP as an Apache Module -- Lots of weaknesses but still better than phpSuExec

    PhpSuExec -- I personally would avoid at all costs unless there were a specific
    need for script owner tracking beyond mail usage and SuPHP wasn't an option.

    SuPHP -- Definitely the way to go in almost all cases. Tight, fast, efficient
    and doesn't have any known specific weaknesses at this time.
     
  10. spearhead

    spearhead Member

    Thanks a lot for all the info! Good to hear about the future SuPHP support. Now, if you cPanel guys could only get those change logs up-to-date...

    You know, you give a nickel - I want a dime.
     
  11. brianoz

    brianoz Well-Known Member

    Maybe for guys like yourself, phpsuexec increases security only a little; but for the rest of us mortals it has two distinct, huge, advantages:

    1) It means everybody doesn't have access to everybody's shared files (and database passwords etc);

    2) It makes it easier to identify miscreant/runaway/spammer processes, and helps track spam.

    I'd say these are pretty big benefits, and unfortunately since you haven't given any proof in any form (and your reasons for doing so could make sense, granted) I'm going to have to remain unconvinced.

    Of course, as soon as suPHP is available, I'll switch to it!

    The cost in terms of security is only theoretical(*) at the moment ... the ability to run as the account owner is a huge, tangible benefit right now. And of course, suPHP sounds like the way to go, but as there's no detail (and I've never heard detail from anyone saying phpsuexec is insecure) I'll stay with what I know for now.

    If you convince me privately I'll jump on here and give a full blown retraction, promise!

    (*) theoretical as the exploits aren't in the wild ...
     
  12. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member


    Did you see that black cat walk past? Feels like deja vu moment to me here for some reason. ;)
     
  13. brianoz

    brianoz Well-Known Member

    I'd say so!!!!!! I actually rather prefer to be called a tabby cat over a black cat, if you wouldn't mind. :p

    He could well be completely right -- but I'd like some real, hard information before I believe it, as I've not seen these exploits in the wild and, as one knows, occasionally people on forums like to make wild, baseless assertions ...
     
  14. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Agreed and I'm staying out of this. I just happened to be searching for something last night and came across that old thread from last year with both you and he having the same discussion. I had to go back and look one more time to be sure it was similar.

    Some of it, word for word almost. No offense meant at all.... Tabby. :p
     
  15. Website Rob

    Website Rob Well-Known Member

    I don't mean to be rude, but as a high level professional security consultant you sound stupid, and your previous posts were sounding good up to a point. As a Security Specialist you should know that when used, PHPsuexec also prevents directories & files with 777 permissions from working. As that alone is 90% or more of the common security problems with Shared Servers, it makes sense that 90% or more of those types of problems disappear with PHPsuexec or the like.

    From a Server Security point-of-view:
    PHPsuexec is better than running PHP as an Apache module
    suPHP or Suhosin is better than running PHPsuexec

    Use whatever works best for your current Server(s).


    Also, whatever PHP security is used, it is only part of the Server-wide security that should be in place. That is something most people forget.
     
  16. Spiral

    Spiral BANNED

    Sorry about the slowness responding here ....

    Didn't see the post and between then and now, I was in the hospital for a very
    severe allergy attack, from which I am extremely lucky to be back alive again ...

    Anyway ...

    Your first item is not entirely accurate. One of the several issues I was talking about
    before deals with a known way to emulate any user from phpSuExec and branch
    to other account trees within the same server. It's really a design issue so I am
    not sure it can be closed. Fortunately, SuPHP does not have this same vulnerability.

    True but hardly a reason to use phpSuExec in itself because you can accomplish much
    the same level of tracking just by opening up extended logging in Exim which will give
    you the paths to script executions in the mail logs even with PHP running as a module.

    I do try to keep a low profile when online because anytime anyone knows who I am,
    I usually get slammed with thousands of requests by everyone to "help them
    with this" and help "them with that" with non-stop email messages.

    I don't mind lending a hand and helping people at all --- just gets overwhelming
    sometimes when you get several thousand at once trying to contact you

    SuPHP is actually available right now and has been out for a very long time
    and was on the market long before Cpanel even began to consider using it.

    (Contrary to what I just said earlier above, I would be glad to assist you with
    setting up SuPHP if you really needed a hand with that)

    I have been using SuPHP since its first early beginnings and to date,
    I still have not found any major issues of concern with it and I can also
    tell you first hand (not theoretical!) that SuPHP is more secure and NOT
    subject to any of the vulnerabilities of phpSuExec spoken of earlier. In addition,
    it's also faster performing and gives you performance closer to that of module
    based PHP which is another big plus!

    Cpanel currently supports SuPHP in EDGE for Apache 2 and has done so
    for quite a while now and works just fine. However, that is not the only
    avenue for installing SuPHP fortunately ...

    The latest version of SuPHP now supports the earlier Apache 1.x and can
    be installed independent of Cpanel with very little difficulty which means
    anyone running phpSuExec currently can actually go to SuPHP right now
    regardless of what version of Cpanel or Apache they are running!

    Actually the exploits are out in the wild but I try to lean away from detailing
    them at any level because all the kiddie scripter "hackers" out there who
    might still be in the dark would just be encouraged to know what I know
    about phpSuExec and then the problems would of course be
    much more in the public light and expanded which I think is the last
    thing any of us would want to happen.

    I have seen quite a few servers actually hacked, though, using the exploitable
    vulnerabilities in phpSuExec. Most of those that I have personally reviewed
    look like the main origin of attack is out of a specific hacking group in Russia which is
    most actively making use of these exploits.

    -------------------------------------------------------------------------------
    Apparently you didn't read any of my posts above or even begin to
    understand the point actually being made in any of them ...

    I am not talking about what phpSuExec does or doesn't do !!!!

    I am talking about what vulnerabilities it has which is something far greater
    and far more substantial than what anyone realizes and some of those
    issues are extremely dangerous and in some cases effectively nullify
    the advantages many too comfortably believe they have with phpSuExec.

    The security and confidence phpSuExec adds is an illusion because as soon
    as you run into someone attack you with knowledge of what I am talking about,
    all those so called "advantages of phpSuExec" you just listed are suddenly thrown
    out the window and become more of an albatross to you!

    SuPHP is HIGHLY recommended and would be the best of all in terms
    of which type of PHP deployment to go with which would offer the
    most security advantages with the fewest negative drawbacks.

    PhpSuExec is NOT necessarily better than running PHP as an Apache module
    and in a number of ways, it is actually better to run as an Apache module
    even with its own different set of security vulnerabilities because most
    of the issues with Apache module based PHP are not as severe as the
    open security problems that currently exist with phpSuExec presently.

    Suhosin is indeed a very good product and goes a long way towards helping
    to close up exploitable vulnerabilities in PHP itself and I recommend it for
    use regardless of whether you are running Apache module, phpSuExec,
    or SuPHP based PHP! A little bit touchy on the configuration but will
    definitely help with preventing code attacks.


    Now that is a statement I whole heartedly agree with! :)

    No security solution should just be one single item alone ....

    Any weakness in any one part of your security profile affects everything else.

    You may have the strongest security in the world throughout your server but if
    you have just one single weak place, it's all totally in vain!

    Just a few tips in that regard ....

    - Have a good properly configured firewall
    - Make sure all passwords are kept strong
    - Make sure all file permissions are secure
    - Regularly monitor all traffic and activity logs on your server
    - Chmod / Chown / Chattr root only those OS files and utils
    that a hacker would need to use once in a system.
    - Get a program to watch for unexpected file changes
    - Don't allow shell access to end users
    - Disable compilers for anyone other than root

    - KEEP YOUR OS AND SOFTWARE UPDATED !!!

    This list is certainly not all inclusive and I could continue to write to it for
    hundreds if not thousands of pages. The point is though and in agreement
    with Website Rob on this point, there are a lot of aspects to security and
    a lot of different things that must be considered when setting up your
    security solution and a lot of different parts to address.

    phpSuExec is only one single part of a security solution but a very dangerous
    one because the lack of public knowledge about certain issues with it lends
    itself well to a false sense of security --- and that is very dangerous indeed!

     
    #16 Spiral, Jul 19, 2007
    Last edited: Jul 19, 2007
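    An added example, not code from this thread, from cPanel or from the suPHP project: a POSIX shell audit of one account's docroot for the conditions that Website Rob's 777 point and Spiral's "make sure all file permissions are secure" tip turn on, with the kind of one-shot mode fix Spiral says a simple script can do in seconds. It assumes docroots at /home/<user>/public_html and a suphp.conf that keeps the default allow_file_group_writeable=false; the sample tree it builds is constructed for the demo.

    ```shell
    #!/bin/sh
    # Pre-migration permission audit for one cPanel-style account docroot.
    # suPHP (with the default allow_file_group_writeable=false) and phpsuexec
    # refuse scripts that are world-writable, group-writable, or not owned by
    # the account user, so the mod_php-era "chmod 777" workaround becomes a
    # hard error instead of a silent exposure. Assumed layout (not from the
    # thread): docroots live at /home/<user>/public_html.

    # Files and directories any local user could modify (the 777 problem).
    find_world_writable() {
        find "$1" -perm -0002 \( -type f -o -type d \) 2>/dev/null
    }

    # PHP scripts that are group-writable; suPHP rejects these by default.
    find_group_writable_php() {
        find "$1" -type f -name '*.php' -perm -0020 2>/dev/null
    }

    # Anything not owned by the account user, e.g. files created while
    # mod_php ran as "nobody"; suPHP will refuse to execute those scripts.
    find_wrong_owner() {
        find "$1" ! -user "$2" 2>/dev/null
    }

    # Total number of distinct findings for a docroot, printed as an integer.
    count_findings() {
        { find_world_writable "$1"
          find_group_writable_php "$1"
          find_wrong_owner "$1" "$2"; } | sort -u | wc -l | tr -d ' '
    }

    # The "simple script" fix: drop world-write everywhere and group-write on
    # PHP scripts. Ownership is deliberately left to a root-run
    # "chown -R user:user" so a non-root audit never changes owners.
    fix_modes() {
        find "$1" -perm -0002 \( -type f -o -type d \) -exec chmod o-w {} +
        find "$1" -type f -name '*.php' -perm -0020 -exec chmod g-w {} +
    }

    # Constructed sample docroot (no real account data) so the audit can be
    # tried without touching /home. Prints the created docroot path.
    make_sample_docroot() {
        _root=$(mktemp -d)
        mkdir -p "$_root/public_html/uploads" "$_root/public_html/inc"
        echo '<?php echo "hi";' > "$_root/public_html/index.php"
        echo '<?php $db_pass = "secret";' > "$_root/public_html/inc/config.php"
        echo 'cached' > "$_root/public_html/uploads/cache.txt"
        chmod 777 "$_root/public_html/uploads"           # world-writable dir
        chmod 666 "$_root/public_html/uploads/cache.txt" # world-writable file
        chmod 664 "$_root/public_html/inc/config.php"    # group-writable script
        chmod 644 "$_root/public_html/index.php"         # acceptable as-is
        echo "$_root/public_html"
    }

    # Stand-alone use: sh audit_docroot.sh <docroot> [owner] (file name is
    # ours); with no arguments it audits the sample tree as the current user.
    docroot=${1:-$(make_sample_docroot)}
    owner=${2:-$(id -un)}
    echo "== world-writable";      find_world_writable "$docroot"
    echo "== group-writable PHP";  find_group_writable_php "$docroot"
    echo "== not owned by $owner"; find_wrong_owner "$docroot" "$owner"
    echo "== total findings: $(count_findings "$docroot" "$owner")"
    ```

    Run it read-only first; only call fix_modes once the listed paths are understood, since a script that genuinely needs a writable upload directory should get a narrower fix than a blanket chmod.
    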
  17. Website Rob

    Website Rob Well-Known Member

    I did read your previous posts, which is why I mentioned "your previous posts were sounding good up to a point". We each have our own level of knowledge & experience to draw upon and I am merely making a counterpoint to your (apparent) suggestion that nobody should use PHPsuexec. I agree though, that with the recent changes being made within cPanel, switching to using suPHP instead of PHPsuexec is a very good idea. But something is better than nothing in my books. ;)

    Regardless of what Security is in place, if a knowledgeable Hacker focuses on your Server(s) you are in for a hard time. Fortunately, many hacks are done by ScriptKiddies and just using PHPsuexec will shut the majority of them down. This is due to what I mentioned before, the need for many popular scripts to have directory/file permissions of 777 -- which is the bane of many a Server Admin.

    Glad to hear you survived your ordeal and things are back on track for you. ;)
     
    #17 Website Rob, Jul 19, 2007
    Last edited: Jul 19, 2007
  18. merlinpa1969

    merlinpa1969 Well-Known Member

    Is there a way to keep cpanel from setting the user back to "nobody" when it updates, with either system?

    This is getting to be a pain in the butt.
     