The Community Forums

Interact with an entire community of cPanel & WHM users!

suPHP and PHP as an Apache module!?!

Discussion in 'EasyApache' started by TheRaven, Dec 3, 2007.

  1. TheRaven (Member)

    Joined: Jan 30, 2004 | Messages: 21 | Likes Received: 0 | Trophy Points: 1

    It has been my understanding that cPanel requires PHP to be CGI and not an Apache module in order for suphp to function. This article appears to refute that. I'm on the fence anxiously awaiting and hoping that it's true :)

     
  2. brianoz (Well-Known Member)

    Joined: Mar 13, 2004 | Messages: 1,146 | Likes Received: 6 | Trophy Points: 38 | Location: Melbourne, Australia | cPanel Access Level: Root Administrator

    I'm almost certain suphp would have to run as CGI in order to switch users. I think it's as simple as that.

    Interested to hear what others have to say ...
     
  3. sparek-3 (Well-Known Member)

    Joined: Aug 10, 2002 | Messages: 1,381 | Likes Received: 23 | Trophy Points: 38 | cPanel Access Level: Root Administrator

    You could do this. I have actually done a setup like this before. This was before I was advised not to do so out of security concerns.

    I can't say that I ever saw a complete proof of concept, but from what I read on some blogs and mailing lists, running something like this is insecure. Basically, a VirtualHost that is running PHP as Apache (i.e. executing PHP scripts as the nobody user) would technically be able to execute the suphp binary and run code as any user on the server.

    I suppose you could secure your suphp setup a little bit and, depending on how you have this set up, it might only allow you to run PHP code that the other user has already written or uploaded to their account (if the scripts have to be owned by the user that is executing the script).

    The example I seem to recall was that user1 could send an e-mail message to user2 on the same server that contains PHP code. This PHP code would then be delivered to user2's mailbox, and owned by user2. user1, which is running PHP as an Apache module, could then create a PHP script to directly access the suphp binary and execute that mail file on user2's account and run malicious code as user2. Like I said, I'm not really sure if it would work this way or not, but it does seem to make sense.

    All of this was enough to make me change all of our accounts to using suphp instead of just a select few.

    All in all, it is my opinion that it is just better if you pick one setup and stay with it. If you want to run PHP as Apache, do it for all accounts. If you want to run PHP as CGI, do it for all accounts. I think that if you mix the two, regardless of whether the setup I described above actually works, to me there's just too much cause for concern.
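
An added example, not part of the thread or of cPanel's tooling: a defender-side check for the mixed setup discussed above, which reads Apache VirtualHost blocks and reports whether mod_php (`php_admin_flag engine`) and suPHP (`suPHP_Engine`) are both enabled on the same server. The sample config, the host names, and the defaults (a vhost that sets neither directive is assumed to inherit mod_php on and suPHP off) are constructed assumptions.

```python
import re
# Constructed sample config (not from the thread): two accounts on one server.
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10:80>
    ServerName user1.example
    php_admin_flag engine on
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName user2.example
    php_admin_flag engine off
    suPHP_Engine on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)

def flag(body, name, default):
    """True if the last on/off setting of directive `name` in a vhost body is 'on'."""
    key = name.lower().split()
    value = "on" if default else "off"
    for line in body.splitlines():
        parts = line.split("#", 1)[0].split()   # drop trailing comments
        if len(parts) == len(key) + 1 and [p.lower() for p in parts[:-1]] == key:
            value = parts[-1].lower()
    return value == "on"

def classify(conf, modphp_default=True, suphp_default=False):
    """Map ServerName -> set of PHP execution modes enabled in that vhost."""
    result = {}
    for n, match in enumerate(VHOST_RE.finditer(conf)):
        body = match.group(1)
        found = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        host = found.group(1) if found else f"vhost#{n}"
        modes = set()
        if flag(body, "php_admin_flag engine", modphp_default):  # assumed default: on
            modes.add("mod_php")
        if flag(body, "suPHP_Engine", suphp_default):            # assumed default: off
            modes.add("suphp")
        result[host] = modes
    return result

def audit(conf, **defaults):
    """Return (is_mixed, per-vhost modes); mixed = both handlers live on one server."""
    modes = classify(conf, **defaults)
    return {"mod_php", "suphp"} <= set().union(*modes.values()), modes

if __name__ == "__main__":
    mixed, modes = audit(SAMPLE_CONF)
    print(modes, "MIXED: use one handler for all accounts" if mixed else "consistent")
```

The check only sees directives inside the text it is given; it does not follow `Include` files or `.htaccess` overrides, so feed it the fully expanded configuration.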
     