suPHP and PHP as an Apache module!?!

Discussion in 'EasyApache' started by TheRaven, Dec 3, 2007.

  1. TheRaven

    TheRaven Member

    Jan 30, 2004
    It has been my understanding that cPanel requires PHP to be CGI and not an Apache module in order for suPHP to function. This article appears to refute that. I'm on the fence anxiously awaiting and hoping that it's true :)

  2. brianoz

    brianoz Well-Known Member

    Mar 13, 2004
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    I'm almost certain suphp would have to run as CGI in order to switch users. I think it's as simple as that.

    Interested to hear what others have to say ...
  3. sparek-3

    sparek-3 Well-Known Member

    Aug 10, 2002
    cPanel Access Level:
    Root Administrator
    You could do this. I have actually done a setup like this before. This was before I was advised not to do so out of security concerns.

    I can't say as if I ever saw a complete proof of concept, but from what I read on some blogs and mailing lists, running something like this is insecure. Basically, a VirtualHost that is running PHP as Apache (i.e. executing PHP scripts as the nobody user) would technically be able to execute the suphp binary and run code as any user on the server.

    I suppose you could secure your suphp setup a little bit and depending on how you have this set up, it might only allow you to run PHP code that the other user has already written or uploaded to their account (if the scripts have to be owned by the user that is executing the script).

    The example I seem to recall was that user1 could send an e-mail message to user2 on the same server that contains PHP code. This PHP code would then be delivered to user2's mailbox, and owned by user2. user1 which is running PHP as an Apache module, could then create a PHP script to directly access the suphp binary and execute that mail file on user2's account and run malicious code as user2. Like I said, I'm not really sure if it would work this way or not, but it does seem to make sense.

    All of this was enough to make me change all of our accounts to using suphp instead of just a select few.

    All-in-all, it is my opinion that it is just better if you pick one setup and stay with it. If you want to run PHP as Apache, do it for all accounts. If you want to run PHP as CGI, do it for all accounts. I think that if you mix the two, regardless if the setup I described above actually works, to me there's just too much cause for concern.
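
The advice in the last post, to run every account under one PHP execution mode, can be checked against the Apache configuration. The following is an added example, not part of the thread and not cPanel tooling: it classifies each VirtualHost as mod_php or suPHP and reports a mixed server. Assumptions: mod_php counts as active in a vhost whenever the module is loaded globally and `engine` is not switched off, only `on`/`off` values are handled, `Include` files are not followed, and the sample configuration is constructed.

```python
import re
# Constructed sample (not from the thread): one vhost on suPHP, one left on mod_php.
SAMPLE_CONF = """\
LoadModule php5_module modules/libphp5.so
LoadModule suphp_module modules/mod_suphp.so
<VirtualHost 192.0.2.10:80>
    ServerName alpha.example
    suPHP_Engine on
    php_admin_flag engine off
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName beta.example
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.I | re.S)
ENGINE = {"suphp": r"^\s*suPHP_Engine\s+(on|off)\b",
          "mod_php": r"^\s*php_(?:admin_)?flag\s+engine\s+(on|off)\b"}

def _flag(block, mode, default):
    """Return the last on/off value the engine directive sets in block, else default."""
    hits = re.findall(ENGINE[mode], block, re.I | re.M)
    return hits[-1].lower() == "on" if hits else default

def classify_vhosts(conf):
    """Map ServerName -> set of PHP execution modes active for that vhost."""
    conf = re.sub(r"^[ \t]*#.*$", "", conf, flags=re.M)   # drop comment lines
    global_part = VHOST_RE.sub("", conf)                  # server-wide directives
    # Assumption: a loaded mod_php serves every vhost that does not turn it off.
    loaded = bool(re.search(r"^\s*LoadModule\s+php\d*_module\b", global_part, re.I | re.M))
    suphp_default = _flag(global_part, "suphp", False)
    php_default = loaded and _flag(global_part, "mod_php", True)
    result = {}
    for n, m in enumerate(VHOST_RE.finditer(conf)):
        block = m.group(1)
        name = re.search(r"^\s*ServerName\s+(\S+)", block, re.I | re.M)
        modes = set()
        if _flag(block, "suphp", suphp_default):
            modes.add("suphp")
        if loaded and _flag(block, "mod_php", php_default):
            modes.add("mod_php")
        result[name.group(1) if name else f"vhost#{n}"] = modes
    return result

def is_mixed(conf):
    """True if mod_php and suPHP are both active somewhere on the server."""
    return {"suphp", "mod_php"} <= set().union(*classify_vhosts(conf).values())

if __name__ == "__main__":
    print(classify_vhosts(SAMPLE_CONF), "mixed:", is_mixed(SAMPLE_CONF))
```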
