nitsua

Member
Aug 14, 2001
10
0
301
My question is how does Cpanel execute PHP scripts as the domain's user and group ID? Is it with a patched suexec, mod_suphp, mod_fastcgi, or some other mod?

If not with mod_fastcgi could it be considered, as it offers a lot of benefits?
 

JustinK

Well-Known Member
Sep 4, 2001
251
0
316
To my knowledge, cpanel doesn't. PHP programs usually run as nobody or www.
 

nitsua

What?

PHP with Cpanel doesn't have a wrapper? Am I just dumb, or does that mean that files created with PHP scripts will be owned by the same user and group as Apache? If that is the case, can't anyone on the server read the files and directories created by a PHP script? Also, wouldn't that mean that if you try to read or write to those files created by a PHP script via FTP, you would get permission denied?

That's the whole reason why there is suEXEC mod for Perl scripts, or am I mistaken yet again?
 

JustinK

No mistake, and you're correct. However, you should be able to read those files, just not write to them.
 

nitsua

hummmm

Anyone see any problems with that? I just must be super paranoid or just thinking in hacker mode.

I'd however like to know how many people still write PHP scripts that hold password information. I know most people use PHP and MySQL with the mcrypt library, but still I've got some old school scripts that I still use that don't use MySQL.
 

nitsua

What do the developers think?

There are a few ways to fix this:

1) mod_suPHP - I think it really just executes PHP as a CGI making some headers (401 Auth) not work. Requires you to uninstall mod_PHP4

2) patched suexec - again requires PHP to run as CGI

3) mod_FASTCGI - I think this could bring some good benefits to those who want to stick with Apache 1.3.x

4) or start using Apache2, which comes with an MPM (Multi Processing Module) that allows for UIDs being assigned to vhosts. This means that all PHP requests will be served under the UID assigned to the vhost.

If most of you are so security conscious that you make people fax a driver's license for an SSH account, why would you not want to have ALL PHP scripts executed by the proper UID and GID as with Perl and suEXEC?

Just my 2 cents, take it for what it's worth, 2 cents.
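
An added example, not written by anyone in this thread: a Python audit that walks one account's docroot and reports files owned by the shared web-server user instead of the account owner, with whether each is world-readable and whether the owner (for instance over FTP) can write to it. The account names `nobody` and `www` come from the thread; the function names and the command-line layout are assumptions made for this sketch.

```python
import os
import stat

def classify(st, owner_uid, owner_gids, web_uids):
    """Describe a file created by the shared web-server account, else None."""
    if st.st_uid not in web_uids or st.st_uid == owner_uid:
        return None
    mode = st.st_mode
    # The account owner does not own the file, so write access can only
    # come from a shared group or from the "other" permission bits.
    via_group = st.st_gid in owner_gids and bool(mode & stat.S_IWGRP)
    return {
        "mode": oct(stat.S_IMODE(mode)),
        "world_readable": bool(mode & stat.S_IROTH),
        "owner_can_write": via_group or bool(mode & stat.S_IWOTH),
    }

def audit(docroot, owner_uid, owner_gids, web_uids):
    """Map path -> finding for every entry under docroot owned by a web uid."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            info = classify(os.lstat(path), owner_uid, owner_gids, web_uids)
            if info:
                findings[path] = info
    return findings

if __name__ == "__main__":
    import pwd
    import sys
    # Usage (assumed layout): audit.py <docroot> <account-name>
    docroot, account = sys.argv[1], sys.argv[2]
    acct = pwd.getpwnam(account)
    web_uids = set()
    for name in ("nobody", "www"):  # web-server users named in the thread
        try:
            web_uids.add(pwd.getpwnam(name).pw_uid)
        except KeyError:
            pass  # that account does not exist on this host
    gids = set(os.getgrouplist(account, acct.pw_gid))
    results = audit(docroot, acct.pw_uid, gids, web_uids)
    for path, info in sorted(results.items()):
        print(path, info)
```

Every path it reports is also writable by any other customer's PHP script on the same server, because those scripts run under the same web-server UID.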