The Community Forums


PHP wrapper

Discussion in 'General Discussion' started by nitsua, Oct 15, 2002.

  1. nitsua

    nitsua Member

    Joined:
    Aug 14, 2001
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    My question is how does Cpanel execute PHP scripts as the domain's user and group id? Is it with a patched suexec, mod_suphp, mod_fastcgi, or some other mod?

    If not with mod_fastcgi could it be considered, as it offers a lot of benefits?
     
  2. JustinK

    JustinK Well-Known Member

    Joined:
    Sep 4, 2001
    Messages:
    251
    Likes Received:
    0
    Trophy Points:
    16
    To my knowledge, cpanel doesn't. PHP programs usually run as nobody or www.
     
  3. qualitum

    qualitum Member

    Joined:
    Feb 17, 2002
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    If you use PHP in a Cpanel theme, then it executes as the account owner.
     
  4. nitsua

    nitsua Member

    Joined:
    Aug 14, 2001
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    What?

    PHP with Cpanel doesn't have a wrapper? Am I just dumb or does that mean that files created with PHP scripts will be owned by the same user and group as apache? If that is the case, can't anyone on the server read the files and directories created by a PHP script? Also, wouldn't that also mean that if you try to read or write to those files created by a PHP script via FTP you would get permission denied?

    That's the whole reason why there is suEXEC mod for Perl scripts, or am I mistaken yet again?
     
  5. JustinK

    JustinK Well-Known Member

    Joined:
    Sep 4, 2001
    Messages:
    251
    Likes Received:
    0
    Trophy Points:
    16
    No mistake and you're correct. However you should be able to read those files, just not write to them.
     
  6. nitsua

    nitsua Member

    Joined:
    Aug 14, 2001
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    hummmm

    Anyone see any problems with that? I just must be super paranoid or just thinking in hacker mode.

    I'd however like to know how many people write php scripts that hold password information still. I know most people use PHP and MySQL with the mcrypt library, but still I've got some old school scripts that I still use that don't use MySQL.
     
  7. nitsua

    nitsua Member

    Joined:
    Aug 14, 2001
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    What do the developers think?

    There are a few ways to fix this:

    1) mod_suPHP - I think it really just executes PHP as a CGI making some headers (401 Auth) not work. Requires you to uninstall mod_PHP4

    2) patched suexec - again requires PHP to run as CGI

    3) mod_FASTCGI - I think this could bring some good benefits to those who want to stick with Apache 1.3.x

    4) or start using Apache2 which comes with an MPM (Multi Processing Module) which allows for UIDs being assigned to vhosts. This means that all PHP requests will be served under the UID assigned to the vhost.

    If most of you are so security conscious that you make people fax a driver's license for an SSH account, why would you not want to have ALL php scripts executed by the proper UID and GID as with PERL and suEXEC?

    Just my 2 cents, take it for what it's worth, 2 cents.
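
Added example, not part of the thread: a small Python audit for the situation discussed above, where PHP runs as the web server user, so files it creates are owned by that user and may be readable by other local accounts. The names `audit_tree` and `build_sample_tree`, the issue labels and the sample files are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_tree(root, account_uid):
    """Return (path, issue) pairs for regular files under root.

    foreign-owner : the file is not owned by the account (for example it
                    was created by a PHP script running as the web server
                    user), so the account cannot chmod or replace it via FTP.
    other-readable: the "other" read bit is set, so any local user who can
                    traverse the parent directories can read the file.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: report on the link, never its target
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_uid != account_uid:
                findings.append((path, "foreign-owner"))
            if st.st_mode & stat.S_IROTH:
                findings.append((path, "other-readable"))
    return findings


def build_sample_tree():
    """Constructed sample docroot: one 0644 file and one 0600 file."""
    root = tempfile.mkdtemp(prefix="docroot-")
    for name, mode in (("passwords.txt", 0o644), ("private.txt", 0o600)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample data\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    # Files here are owned by the current user, so only the mode is flagged.
    for path, issue in audit_tree(sample, os.getuid()):
        print(f"{issue:15} {path}")
```

On a real server, pass the account's home or document root and the account's numeric UID; files reported as `foreign-owner` are the ones a script running as the web server user created.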
     