phpsuexec on dedicated server. Any advantages?

Discussion in 'General Discussion' started by nothsa, Apr 6, 2006.

  1. nothsa

    I am managing a high-traffic server for a client (1.5TB+/month, almost all web traffic). The server only has 3 sites on it and there are only 2 people other than myself that manage the sites. I am the only one with shell access.

    Currently I'm running PHPsuexec but I'm wanting to increase the speed of the PHP processing. In this situation, is there any major advantage to me having PHPsuexec installed? I would prefer to remove it and use some kind of PHP caching like eAccelerator to speed up execution.

    All comments welcome :)
     
  2. jackie46

    Why don't you look at getting a faster processor and/or more memory? Moving away from phpsuexec is really not going to give you that much of a performance boost alone, adding accelerator might. So you're willing to sacrifice security for speed? You can always speed up the box by getting a faster processor and removing resource hogs such as SPAMD, URCHIN to name but a few, you should never sacrifice security over anything. Granted you have very few users but that's beside the point. What about malicious users visiting the site? Those are mainly your culprits, not existing users on the server.
     
  3. nothsa

    Because it'll cost more? Why not try to tweak the performance instead of laying out money for new hardware, not to mention the time/money of moving to a new server. New hardware should only be an option after all tweaking avenues have been exhausted.

    The only reason I want to move away from phpsuexec is so that I CAN use eaccelerator. You can't use it with phpsuexec enabled.

    My point was that there won't be a big security sacrifice as it's a tightly controlled server, which is why I said "In this situation".

    I have already removed all non-used services and tweaked the hell out of Apache and MySQL. The last thing that is using up a lot of resources is the PHP execution, which I believe would be solved by adding eaccelerator as this server is getting 100-200 Apache/PHP hits per second, so caching pages would be a big help.

    Agreed, but such problems are far easier to track down with only 3 sites.
     
  4. nothsa

    That's what I was hoping :) . Out of the 3 sites, one doesn't run PHP scripts and the second only has two scripts. If there are any exploits then it'll probably be the third site which should make it even easier to track down.

    Thanks for the help.


    [EDIT]This is a response to sparek-3's post. For some reason it has been posted above his reply.[/EDIT]
     
    #4 nothsa, Apr 7, 2006
    Last edited: Apr 7, 2006
  5. sparek-3

    As long as you keep any scripts or programs that are web-accessible up-to-date, then I don't think running PHP as an Apache module would be that bad. The main reason for running PHPSuExec is so that administrators can more easily track down abusive websites and/or scripts. It also prevents the need for open directories that are using permissions of 777 for file uploads. These are all advantages and reasons for using PHPSuExec.

    However, as you have said this is a dedicated server with only 3 accounts. As long as you monitor those accounts and are satisfied with your current security measures then I don't think PHPSuExec is as necessary as it is in a complete shared hosting environment. The downside to this, is that if one of your scripts is exploited and used to send spam or otherwise launch a malicious attack, you may have a more difficult time finding the script that was exploited. However, one thing is for certain, you will know that it is on one of those 3 accounts on the server.

    With a shared hosting environment, the same issue may come up, but instead of 3 accounts, you are looking at 200 to 300 accounts and much more difficult to determine the offending account. Also, in the shared hosting environment, end-users are less likely to keep security as a top priority, and are less likely to keep scripts up-to-date.

    I'm not really saying that disabling PHPSuExec is a good idea, it just really depends on how confident you are in your administrative abilities and how well you monitor the accounts and their security. If you think that the measurements you have in place are good enough, then disabling PHPSuExec may offer you the performance increase you desire. The usage of PHPSuExec is really a weighing option between overall security and overall performance.
     
  6. nothsa

    Quick update:

    I removed phpsuexec, installed eaccelerator and I couldn't be happier. Loads have dropped from as high as 50.0 down to a max of 3.0 at peak times. Context switches are down from 2500-4500 to a max of 1500 and overall website speed is blazing :)

    Keep in mind that most of you won't see these kinds of results as this is a high traffic server. Also keep all of sparek-3's comments in mind. This works well for my situation, but I would recommend using phpsuexec in a shared environment.
     
  7. aridha

    "I removed phpsuexec"
    Could you please tell me how to remove it?
    I was looking for that in many places without result.
     
  8. brianoz

    Nothsa, while I think of it, thanks for posting the update. It was really enlightening to see that sort of performance increase and it was good to see it being put into perspective (so many people get a performance boost like that then go and pull phpsuexec off every server, not realizing that they're all different).

    Cheers! ;)
     
  9. Spiral

    That's not entirely an accurate statement ...

    Most people assume that phpSuExec is more secure than running without it
    but the reality of it is that it is actually far LESS secure than no phpSuExec.

    There are pros and cons to both not having phpSuExec and having it so
    it's really a matter of what your needs are and what security risks you
    are willing to accept because there are very substantial security risks
    in both. phpSuExec has some very bad security problems that don't
    exist in non-phpSuExec installations and vice versa.

    (Incidentally, I know more ways to hack and exploit a server running
    phpSuExec than a server not running phpSuExec so I'm not particularly
    fond of phpSuExec myself in its current form but hopefully PHP will
    wake up and come up with a better design for it).
     
    #9 Spiral, May 9, 2006
    Last edited: May 9, 2006
  10. brianoz

    *Sigh* If you're so convinced that phpsuexec has bad security problems, then what are they?

    phpsuexec is far more secure than non-phpsuexec and your assertions otherwise are completely ludicrous. Give us something concrete if you can actually back up what you're saying; I suspect you can't - it's not surprising that you're the only one I've ever heard make these claims.

    Specifically in a shared hosting environment, phpsuexec is more secure because:

    • accounts don't have access to each other's files (just a small thing);
    • spam generated by php scripts is actually traceable to accounts;
    • it's easier to track down runaway/heavy cpu use scripts by account;
    • it's easier to track down accounts using a lot of cpu generally over a bunch of scripts.

    It may have escaped your attention that these are not minor advantages!!! These advantages are systemic and major. So much so that in fact, they can make the difference between having a manageable and stable server and having an out-of-control server.

    Sure you do. :rolleyes: And most of them would probably involve poorly written scripts. I don't think this is news to anyone.

    Less sarcastically, I too also hope that phpsuexec's successor, suphp, will end up in cpanel. phpsuexec breaks PHP_AUTH_USER and PHP_AUTH_PW which makes it hard to run some scripts.

    Oh - and out of interest, are you a member of the black hat community? You seem to know a lot of ways to hack servers!
     
  11. kris1351

    Everyone says that phpsuexec and eaccelerator do not work, is this a known fact? I installed eaccelerator and php -v shows the following, but nothing is ever written into the /tmp/eaccel folder. Just wondering if it is truly working or just reporting that it should be.

    PHP 4.4.2 (cli) (built: Apr 15 2006 00:14:01)
    Copyright (c) 1997-2006 The PHP Group
    Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies
    with eAccelerator v0.9.4, Copyright (c) 2004-2005 eAccelerator, by eAccelerator
    with Zend Extension Manager v1.0.9, Copyright (c) 2003-2006, by Zend Technologies
    with Zend Optimizer v2.6.2, Copyright (c) 1998-2006, by Zend Technologies
     
  12. chirpy

    I've never got it working. IIRC it says it won't on their site.

    Check the output on both php binaries:

    /usr/bin/php -v

    /usr/local/bin/php -v

    The one that's (cgi) may well not show eAccelerator and even if it does, as you say, nothing ever gets into the /tmp folder.
     
  13. kris1351

    Both show zend with eAccelerator installed, nothing is written to the /tmp/eaccel file though. I have it set in the php.ini and chmod 077.

    root@dalc1-cp05 [~]# /usr/bin/php -v
    PHP 4.4.2 (cgi) (built: Apr 15 2006 00:15:38)
    Copyright (c) 1997-2006 The PHP Group
    Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies
    with eAccelerator v0.9.4, Copyright (c) 2004-2005 eAccelerator, by eAccelerator
    with Zend Extension Manager v1.0.9, Copyright (c) 2003-2006, by Zend Technologies
    with Zend Optimizer v2.6.2, Copyright (c) 1998-2006, by Zend Technologies
    root@dalc1-cp05 [~]# /usr/local/bin/php -v
    PHP 4.4.2 (cli) (built: Apr 15 2006 00:14:01)
    Copyright (c) 1997-2006 The PHP Group
    Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies
    with eAccelerator v0.9.4, Copyright (c) 2004-2005 eAccelerator, by eAccelerator
    with Zend Extension Manager v1.0.9, Copyright (c) 2003-2006, by Zend Technologies
    with Zend Optimizer v2.6.2, Copyright (c) 1998-2006, by Zend Technologies
    root@dalc1-cp05 [~]#
     
  14. brianoz

    I assume eAccelerator works by caching compiled PHP code, or something similar, right?

    When you run phpsuexec, it forces PHP to run as a CGI, which means that every time PHP runs the PHP binary is called from disk and run. As an alternative to phpsuexec you can also run PHP as a module in Apache. As far as I know, all known acceleration products work only with PHP running as a module in Apache.

    This is sad, but it's kind of a limitation forced on us by the way Unix/Linux works - it's difficult to get a process to run under a separate user-id without starting a new process. For other than very large sites, phpsuexec is immensely valuable (separate userid means you can track email and CPU usage and have better security on shared servers). Large sites typically have their own dedicated server and thus can run PHP as a module, and use things like eAccelerator to great effect.

    When you look at the output of PHP, and it includes an eAccelerator line, all it means is that eAccelerator is compiled into PHP. At runtime however it won't work as it requires PHP to run as a module within Apache.

    Hope this helps! Somebody correct me if I've made an error of fact!
     
  15. jackie46

    Here's a tip for you. Try installing APC. It's faster than eaccelerator! :)
     
  16. kris1351

    Thanks Brian- I am in that limbo period where we moved to phpsuexec 6 months ago and for me it has done nothing but increase server loads. We maintain and watch our servers 24/7 so the extra few minutes finding a hacked customer usually wasn't that big of a deal for us. The going from 0.50 to 1.50 loads on servers that no additional customers were added to is a concern though.
     
  17. jackie46

    Another thing to consider. For those who want to remove phpsuexec or have never installed it in the first place, consider that a bunch of your files are owned by nobody. This in itself is important enough to warrant upgrading to phpsuexec. Users who are uploading files via forums, avatars and 3rd party applications such as galleries, which are very popular these days, usually upload gigs of files via these applications. You guessed it. Those files are owned by nobody. Not only is that annoying in some cases where avatars don't show sometimes, users have the ability to upload MORE files to their website than their plans allow because it's not added to quota.

    When we upgraded to phpsuexec, we did a search for all files in the /home directory owned by nobody. There are tons of them. It took us many hours to chown them to user:user and once we did, site owners got the shock of their lives. All of a sudden they were pushing their disk quota because now these files were actually being calculated in quota whereas before, nobody:nobody files were not.
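
Added example, not part of any post in this thread: a read-only audit of the two conditions raised above, files owned by the web server user (jackie46's quota point) and world-writable upload directories (sparek-3's 777 point), reported per account. The function names, the one-directory-per-account layout under the root directory, and the constructed sample tree are assumptions of this example.

```shell
#!/bin/sh
# Added example: per-account audit of files owned by the web server user
# and of world-writable directories. Read-only; it changes nothing.
# Assumptions: each account is a directory directly under ROOT (e.g. /home)
# and the web server runs as OWNER (e.g. nobody).

# audit_home ROOT OWNER
# Prints one line per account: name, file count, KB on disk, writable dirs.
audit_home() {
    root=$1
    owner=$2
    for acct in "$root"/*/; do
        [ -d "$acct" ] || continue
        name=$(basename "$acct")
        # Files inside the account that belong to OWNER, not the account user.
        files=$(find "$acct" -type f -user "$owner" -print | wc -l)
        kb=$(find "$acct" -type f -user "$owner" -exec du -k {} + |
             awk '{ s += $1 } END { print s + 0 }')
        # Directories opened to everyone so the web server user can write.
        wwdirs=$(find "$acct" -type d -perm -0002 -print | wc -l)
        printf '%s %d %d %d\n' "$name" "$files" "$kb" "$wwdirs"
    done
}

# Constructed sample tree so the audit can be tried without touching /home.
# Everything is created by the current uid, which stands in for "nobody".
# Call as $(make_sample) so the umask change stays in the subshell.
make_sample() {
    umask 022
    d=$(mktemp -d)
    mkdir -p "$d/alice/public_html/uploads" "$d/bob/public_html"
    chmod 777 "$d/alice/public_html/uploads"
    echo avatar > "$d/alice/public_html/uploads/a.png"
    echo avatar > "$d/alice/public_html/uploads/b.png"
    echo index > "$d/bob/public_html/index.php"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample)
    audit_home "$sample" "$(id -u)"
    rm -rf "$sample"
fi
```

On a real server the call would be `audit_home /home nobody`, run as root so every account directory is readable; the KB column shows how much each account's usage would grow once those files are chowned to the account user.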
     
  18. Chew

    I just recently moved away from phpsuexec and installed eaccelerator, and have seen my load times drop as kris mentioned by almost a full point on a dual xeon 2.8. I've never had an issue with a hacker on our boxes, and just couldn't justify the load times any longer. I have absolutely no regrets.

    Chew
     
  19. kris1351

    There are some alternatives to phpsuexec out there is what I have been reading. Possibly there is a better solution so things are calculated properly, but we maintain the sense of security that the program provides.
     
  20. curriertech

    I did the same, as I mainly host forums on my server and the php execution was my biggest performance problem. Page generation times went from .2 sec. on a good day, to .08 sec. all day long. I do miss the ability to view top and see which account's php is doing what...but the performance increase with eAccelerator outweighs the lack of monitoring in my situation. :)
     