phpsuexec on dedicated server. Any advantages?

nothsa

I am managing a high-traffic server for a client (1.5TB+/month, almost all web traffic). The server only has 3 sites on it and there are only 2 people other than myself that manage the sites. I am the only one with shell access.

Currently I'm running PHPsuexec but I'm wanting to increase the speed of the PHP processing. In this situation, is there any major advantage to me having PHPsuexec installed? I would prefer to remove it and use some kind of PHP caching like eAccelerator to speed up execution.

All comments welcome :)
 

jackie46

Why not look at getting a faster processor and/or more memory? Moving away from phpsuexec is really not going to give you that much of a performance boost alone; adding an accelerator might. So you're willing to sacrifice security for speed? You can always speed up the box by getting a faster processor and removing resource hogs such as SPAMD and URCHIN, to name but a few. You should never sacrifice security over anything. Granted, you have very few users, but that's beside the point. What about malicious users visiting the site? Those are mainly your culprits, not existing users on the server.
 

nothsa

jackie46 said:
Why not look at getting a faster processor and/or more memory?
Because it'll cost more? Why not try to tweak the performance instead of laying out money for new hardware, not to mention the time/money of moving to a new server? New hardware should only be an option after all tweaking avenues have been exhausted.

jackie46 said:
Moving away from phpsuexec is really not going to give you that much of a performance boost alone; adding an accelerator might.
The only reason I want to move away from phpsuexec is so that I CAN use eaccelerator. You can't use it with phpsuexec enabled.

jackie46 said:
So you're willing to sacrifice security for speed?
My point was that there won't be a big security sacrifice as it's a tightly controlled server, which is why I said "In this situation".

jackie46 said:
You can always speed up the box by getting a faster processor and removing resource hogs such as SPAMD and URCHIN, to name but a few. You should never sacrifice security over anything.
I have already removed all unused services and tweaked the hell out of Apache and MySQL. The last thing that is using up a lot of resources is the PHP execution, which I believe would be solved by adding eaccelerator, as this server is getting 100-200 Apache/PHP hits per second, so caching pages would be a big help.

jackie46 said:
Granted, you have very few users, but that's beside the point. What about malicious users visiting the site? Those are mainly your culprits, not existing users on the server.
Agreed, but such problems are far easier to track down with only 3 sites.
 

nothsa

That's what I was hoping :) . Out of the 3 sites, one doesn't run PHP scripts and the second only has two scripts. If there are any exploits then it'll probably be the third site which should make it even easier to track down.

Thanks for the help.


[EDIT]This is a response to sparek-3's post. For some reason it has been posted above his reply.[/EDIT]
 

sparek-3

As long as you keep any scripts or programs that are web-accessible up-to-date, then I don't think running PHP as an Apache module would be that bad. The main reason for running PHPSuExec is so that administrators can more easily track down abusive websites and/or scripts. It also prevents the need for open directories that are using permissions of 777 for file uploads. These are all advantages and reasons for using PHPSuExec.

However, as you have said, this is a dedicated server with only 3 accounts. As long as you monitor those accounts and are satisfied with your current security measures, then I don't think PHPSuExec is as necessary as it is in a complete shared hosting environment. The downside to this is that if one of your scripts is exploited and used to send spam or otherwise launch a malicious attack, you may have a more difficult time finding the script that was exploited. However, one thing is for certain: you will know that it is on one of those 3 accounts on the server.

With a shared hosting environment, the same issue may come up, but instead of 3 accounts, you are looking at 200 to 300 accounts, and it is much more difficult to determine the offending account. Also, in the shared hosting environment, end-users are less likely to keep security as a top priority, and are less likely to keep scripts up-to-date.

I'm not really saying that disabling PHPSuExec is a good idea, it just really depends on how confident you are in your administrative abilities and how well you monitor the accounts and their security. If you think that the measurements you have in place are good enough, then disabling PHPSuExec may offer you the performance increase you desire. The usage of PHPSuExec is really a weighing option between overall security and overall performance.
 

nothsa

Quick update:

I removed phpsuexec, installed eaccelerator and I couldn't be happier. Loads have dropped from as high as 50.0 down to a max of 3.0 at peak times. Context switches are down from 2500-4500 to a max of 1500 and overall website speed is blazing :)

Keep in mind that most of you won't see these kinds of results as this is a high traffic server. Also keep all of sparek-3's comments in mind. This works well for my situation, but I would recommend using phpsuexec in a shared environment.
 

aridha

"I removed phpsuexec"
Could you please tell me how to remove it?
I was looking for that in many places without result.
 

brianoz

Nothsa, while I think of it, thanks for posting the update. It was really enlightening to see that sort of performance increase and it was good to see it being put into perspective (so many people get a performance boost like that then go and pull phpsuexec off every server, not realizing that they're all different).

Cheers! ;)
 

Spiral

jackie46 said:
So you're willing to sacrifice security for speed?
That's not entirely an accurate statement ...

Most people assume that phpSuExec is more secure than running without it
but the reality of it is that it is actually far LESS secure than no phpSuExec.

There are pros and cons to both not having phpSuExec and having it so
it's really a matter of what your needs are and what security risks you
are willing to accept because there are very substantial security risks
in both. phpSuExec has some very bad security problems that don't
exist in non-phpSuExec installations and vice versa.

(Incidentally, I know more ways to hack and exploit a server running
phpSuExec than a server not running phpSuExec so I'm not particularly
fond of phpSuExec myself in its current form but hopefully PHP will
wake up and come up with a better design for it).
 

brianoz

Spiral said:
That's not entirely an accurate statement ...

Most people assume that phpSuExec is more secure than running without it
but the reality of it is that it is actually far LESS secure than no phpSuExec.

There are pros and cons to both not having phpSuExec and having it so
it's really a matter of what your needs are and what security risks you
are willing to accept because there are very substantial security risks
in both. phpSuExec has some very bad security problems that don't
exist in non-phpSuExec installations and vice versa.
*Sigh* If you're so convinced that phpsuexec has bad security problems, then what are they?

phpsuexec is far more secure than non-phpsuexec and your assertions otherwise are completely ludicrous. Give us something concrete if you can actually back up what you're saying; I suspect you can't - it's not surprising that you're the only one I've ever heard make these claims.

Specifically in a shared hosting environment, phpsuexec is more secure because:

  • accounts don't have access to each other's files (just a small thing);
  • spam generated by php scripts is actually traceable to accounts;
  • it's easier to track down runaway/heavy cpu use scripts by account;
  • it's easier to track down accounts using a lot of cpu generally over a bunch of scripts.

It may have escaped your attention that these are not minor advantages!!! These advantages are systemic and major. So much so that in fact, they can make the difference between having a manageable and stable server and having an out-of-control server.

(Incidentally, I know more ways to hack and exploit a server running
phpSuExec than a server not running phpSuExec so I'm not particularly
fond of phpSuExec myself in its current form but hopefully PHP will
wake up and come up with a better design for it).
Sure you do. :rolleyes: And most of them would probably involve poorly written scripts. I don't think this is news to anyone.

Less sarcastically, I too also hope that phpsuexec's successor, suphp, will end up in cpanel. phpsuexec breaks PHP_AUTH_USER and PHP_AUTH_PW which makes it hard to run some scripts.

Oh - and out of interest, are you a member of the black hat community? You seem to know a lot of ways to hack servers!
 

kris1351

Everyone says that phpsuexec and eaccelerator do not work, is this a known fact? I installed eaccelerator and php -v shows the following, but nothing is ever written into the /tmp/eaccel folder. Just wondering if it is truly working or just reporting that it should be.

PHP 4.4.2 (cli) (built: Apr 15 2006 00:14:01)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies
with eAccelerator v0.9.4, Copyright (c) 2004-2005 eAccelerator, by eAccelerator
with Zend Extension Manager v1.0.9, Copyright (c) 2003-2006, by Zend Technologies
with Zend Optimizer v2.6.2, Copyright (c) 1998-2006, by Zend Technologies
 

chirpy

I've never got it working. IIRC it says it won't on their site.

Check the output on both php binaries:

/usr/bin/php -v

/usr/local/bin/php -v

The one that's (cgi) may well not show eAccelerator and even if it does, as you say, nothing ever gets into the /tmp folder.
 

kris1351

Both show zend with eAccelerator installed, nothing is written to the /tmp/eaccel file though. I have it set in the php.ini and chmod 077.

[email protected] [~]# /usr/bin/php -v
PHP 4.4.2 (cgi) (built: Apr 15 2006 00:15:38)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies
with eAccelerator v0.9.4, Copyright (c) 2004-2005 eAccelerator, by eAccelerator
with Zend Extension Manager v1.0.9, Copyright (c) 2003-2006, by Zend Technologies
with Zend Optimizer v2.6.2, Copyright (c) 1998-2006, by Zend Technologies
[email protected] [~]# /usr/local/bin/php -v
PHP 4.4.2 (cli) (built: Apr 15 2006 00:14:01)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies
with eAccelerator v0.9.4, Copyright (c) 2004-2005 eAccelerator, by eAccelerator
with Zend Extension Manager v1.0.9, Copyright (c) 2003-2006, by Zend Technologies
with Zend Optimizer v2.6.2, Copyright (c) 1998-2006, by Zend Technologies
[email protected] [~]#
 

brianoz

I assume eAccelerator works by caching compiled PHP code, or something similar, right?

When you run phpsuexec, it forces PHP to run as a CGI, which means that every time PHP runs the PHP binary is called from disk and run. As an alternative to phpsuexec you can also run PHP as a module in Apache. As far as I know, all known acceleration products work only with PHP running as a module in Apache.

This is sad, but it's kind of a limitation forced on us by the way Unix/Linux works - it's difficult to get a process to run under a separate user-id without starting a new process. For other than very large sites, phpsuexec is immensely valuable (separate userid means you can track email and CPU usage and have better security on shared servers). Large sites typically have their own dedicated server and thus can run PHP as a module, and use things like eAccelerator to great effect.

When you look at the output of PHP, and it includes an eAccelerator line, all it means is that eAccelerator is compiled into PHP. At runtime however it won't work as it requires PHP to run as a module within Apache.

Hope this helps! Somebody correct me if I've made an error of fact!
 

jackie46

nothsa said:
Quick update:

I removed phpsuexec, installed eaccelerator and I couldn't be happier. Loads have dropped from as high as 50.0 down to a max of 3.0 at peak times. Context switches are down from 2500-4500 to a max of 1500 and overall website speed is blazing :)

Keep in mind that most of you won't see these kinds of results as this is a high traffic server. Also keep all of sparek-3's comments in mind. This works well for my situation, but I would recommend using phpsuexec in a shared environment.
Here's a tip for you. Try installing APC. It's faster than eaccelerator! :)
 

kris1351

Thanks Brian- I am in that limbo period where we moved to phpsuexec 6 months ago and for me it has done nothing but increase server loads. We maintain and watch our servers 24/7 so the extra few minutes finding a hacked customer usually wasn't that big of a deal for us. The going from 0.50 to 1.50 loads on servers that no additional customers were added to is a concern though.
 

jackie46

Another thing to consider. For those who want to remove phpsuexec or have never installed it in the first place, consider that a bunch of your files are owned by nobody. This in itself is important enough to warrant upgrading to phpsuexec. Users who are uploading files via forums, avatars and 3rd party applications such as galleries, which are very popular these days, usually upload gigs of files via these applications. You guessed it. Those files are owned by nobody. Not only is that annoying in some cases where avatars don't show sometimes, users have the ability to upload MORE files to their website than their plans allow because it's not added to quota.

When we upgraded to phpsuexec, we did a search for all files in the /home directory owned by nobody. There are tons of them. It took us many hours to chown them to user:user and once we did, site owners got the shock of their lives. All of a sudden they were pushing their disk quota because now these files were actually being calculated in quota whereas before, nobody:nobody files were not.
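
An added example, not part of jackie46's post or any other post in this thread: a per-account audit for a server running PHP as an Apache module, counting the files owned by the web server user (the `nobody` files described above, which are missing from the account's quota) and the world-writable directories (the 777 upload directories sparek-3 mentions). It assumes GNU find and one account directory per entry under the root; `audit_home` is a name made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU find (-printf) and a
# cPanel-style layout with one account directory per entry under ROOT.

# audit_home ROOT WEBUSER
# Prints one tab-separated line per account:
#   account, files owned by WEBUSER, bytes in those files, world-writable dirs
# WEBUSER may be a user name or a numeric uid. Paths containing tabs or
# newlines are not handled.
audit_home() {
    {
        # F <size> <path relative to ROOT>: files the web server user owns,
        # i.e. uploads written by mod_php that the account's quota misses.
        find "$1" -mindepth 2 -type f -user "$2" -printf 'F\t%s\t%P\n'
        # D 0 <path>: directories writable by "other" (the 777 upload dirs).
        find "$1" -mindepth 2 -type d -perm -0002 -printf 'D\t0\t%P\n'
    } | awk -F'\t' '
        {
            # The first path component is the account directory.
            split($3, part, "/"); acct = part[1]; seen[acct] = 1
            if ($1 == "F") { files[acct]++; bytes[acct] += $2 }
            else           { dirs[acct]++ }
        }
        END {
            # %.0f keeps large byte totals exact on awks with 32-bit %d.
            for (a in seen)
                printf "%s\t%d\t%.0f\t%d\n", a, files[a], bytes[a], dirs[a]
        }' | sort
}

# Typical call, run by a user who can read every home directory:
#   audit_home /home nobody
```

Accounts with a large byte total are the ones that will hit their quota once the files are chowned back to the account owner, as described in the post above.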
 

Chew

kris1351 said:
Thanks Brian- I am in that limbo period where we moved to phpsuexec 6 months ago and for me it has done nothing but increase server loads. We maintain and watch our servers 24/7 so the extra few minutes finding a hacked customer usually wasn't that big of a deal for us. The going from 0.50 to 1.50 loads on servers that no additional customers were added to is a concern though.
I just recently moved away from phpsuexec and installed eaccelerator, and have seen my load times drop as kris mentioned by almost a full point on a dual xeon 2.8. I've never had an issue with a hacker on our boxes, and just couldn't justify the load times any longer. I have absolutely no regrets.

Chew
 

kris1351

There are some alternatives to phpsuexec out there is what I have been reading. Possibly there is a better solution so things are calculated properly, but we maintain the sense of security that the program provides.
 

curriertech

Chew said:
I just recently moved away from phpsuexec and installed eaccelerator, and have seen my load times drop as kris mentioned by almost a full point on a dual xeon 2.8. I've never had an issue with a hacker on our boxes, and just couldn't justify the load times any longer. I have absolutely no regrets.

Chew
I did the same, as I mainly host forums on my server and the php execution was my biggest performance problem. Page generation times went from .2 sec. on a good day, to .08 sec. all day long. I do miss the ability to view top and see which account's php is doing what...but the performance increase with eAccelerator outweighs the lack of monitoring in my situation. :)