SuPHP and SuExec - pros and cons

Discussion in 'General Discussion' started by mambovince, Jun 22, 2008.

  1. mambovince

    mambovince Well-Known Member

    Jan 15, 2005
    London, UK
    Does anyone know of a definitive guide for hosters in regards to the pros and cons of using "SuPHP" and "SuExec" ?

    Many thanks,

    - Vince
  2. mtindor

    mtindor Well-Known Member

    Sep 14, 2004
    inside a catfish
    cPanel Access Level:
    Root Administrator
    I'm sure somebody has created a fairly definitive guide. And I'm also sure that if you search these forums you will find some very useful information on the subject. Here are just a few.

    PROS for SuEXEC / SuPHP

    1. Security!

    With SuEXEC / SuPHP enabled, all scripts are run as the user. If you have a website that gets hacked and the hacker uploads a script, that script is going to run as the user (and thus will have a likely limited scope). This doesn't guarantee that the total server can't be compromised, but it sure helps.

    2. Ability to easily tell what users' web applications are using up system resources.

    CONS for SuEXEC / SuPHP

    1. PHP and CGI scripts as well as directories are going to need to have different permissions set for them.

    On a server with a lot of sites, it's inevitable that you encounter a few problems where website scripts haven't been changed to the appropriate permissions and thus will not run... Contents of the user's web directory must be recursively chowned to user:user. PHP scripts need to be chmod 644 or less. CGI scripts need to be chmod 755 or less. Directories need to be chmod 755 or less.

    I think on cPanel there are mechanisms in place to automatically do a lot of this work during a transition to SuEXEC/SuPHP (see another post made days ago by someone on the subject).

    2. Performance on a server degrades. Any time you have to feed anything through SuEXEC / SuPHP, there is a performance hit. If you have a beefy machine with dual Xeons, fast hard drives, reasonable memory, and a few hundred sites that have "typical" resource use, you may never notice a performance hit. If you're running a hundred sites, many with PHP or CGIs, on a server with a Pentium 4 and a Gig of memory, you're going to definitely see performance hits.

    I'm sure there is a lot more to think of. But personally I believe that any shared hosting server should be running SuEXEC and SuPHP - and that if your server doesn't have the guts to handle the potential increased performance hit, then you should upgrade the hardware rather than decide against enabling SuEXEC / SuPHP.

    Also - unrelated to SuPHP and SuEXEC directly, but nevertheless important, is the use of mod_security and a good ruleset for mod_security. Also, make sure you have a good firewall (like a combo of APF / BFD or even better, CSF). If you're going to go through the trouble of worrying about security and enabling SuEXEC and SuPHP, then you certainly want to make sure that you protect your server further. SuPHP and SuEXEC are just a good part of a server-wide security solution.

    #2 mtindor, Jun 22, 2008
    Last edited: Jun 22, 2008
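
Added example (not part of the thread and not cPanel's own tooling): a read-only audit of one account's web directory against the ownership and permission limits listed in the post above. It assumes that "or less" means no permission bits beyond the stated mode, and that `.cgi` and `.pl` are the CGI extensions in use; the function names are illustrative.

```python
import os
import pwd
import stat
import sys

# Upper bounds quoted in the post: PHP 644, CGI 755, directories 755.
MAX_PHP, MAX_CGI, MAX_DIR = 0o644, 0o755, 0o755
CGI_EXTS = (".cgi", ".pl")  # assumption: extensions this server treats as CGI


def limit_for(path, is_dir):
    """Return the maximum allowed mode, or None if the post gives no rule."""
    if is_dir:
        return MAX_DIR
    name = path.lower()
    if name.endswith(".php"):
        return MAX_PHP
    if name.endswith(CGI_EXTS):
        return MAX_CGI
    return None


def audit(docroot, uid, gid):
    """Return sorted (relative_path, problem) tuples for rule violations."""
    findings = []
    for dirpath, _subdirs, files in os.walk(docroot):
        entries = [(dirpath, True)]
        entries += [(os.path.join(dirpath, f), False) for f in files]
        for path, is_dir in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not meaningful; skip them
            rel = os.path.relpath(path, docroot)
            if (st.st_uid, st.st_gid) != (uid, gid):
                findings.append((rel, "owner %d:%d, expected %d:%d"
                                 % (st.st_uid, st.st_gid, uid, gid)))
            limit = limit_for(path, is_dir)
            mode = stat.S_IMODE(st.st_mode)
            # Any bit outside the limit (setuid/setgid included) is a finding.
            if limit is not None and mode & ~limit:
                findings.append((rel, "mode %o exceeds %o" % (mode, limit)))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: audit.py <docroot> <account name>
    account = pwd.getpwnam(sys.argv[2])
    for rel, problem in audit(sys.argv[1], account.pw_uid, account.pw_gid):
        print("%s: %s" % (rel, problem))
```

The script only reports; it changes nothing on disk, so it can be run before a switch to SuEXEC / SuPHP to list what would fail.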
