rmj

suPHP seems to be maturing quite nicely. I was wondering if cPanel is considering or planning on adding it as an option vs phpsuexec.

Any discussion is welcome as well.

For those of you who are unaware what I am talking about, the website can be located here

http://www.suphp.org


Thanks in advance.
 

chirpy

You'd have to ask cPanel directly. Since phpsuexec is providing the protection/options required at present I wouldn't have thought they'd be looking at alternatives, but you never know.
 

jack01

According to a programmer at ModernBill, phpsuexec reached its End of Life (EOL) in 2004, and he reckons that suphp is better anyway (don't ask me why) ..... It seems to me that it would be good at least to have the version that had not reached its end of life and is still being developed (i.e. suphp) available in cPanel - as an option.

Any comments or experiences with suphp v phpsuexec?
 

chirpy

cPanel have said that they'll continue to support phpsuexec for as long as it's needed in the apache v1.3 environment themselves. I'm not aware of any specific bugs in phpsuexec, so there doesn't seem to be a particular need to recode away from it, IMO. The only major "feature" when using phpsuexec is with HTTP_AUTH environment variables, but there are workarounds for that.

Of course, ideally, the php developers would pull their fingers out and develop a security model of their own for shared hosting environments which have got to be a major proportion of the users of php, but I haven't seen any indication that they're going to address that failing.
 

jack01

chirpy said:
Of course, ideally, the php developers would pull their fingers out and develop a security model of their own for shared hosting environments
I hear you and heartily concur since this would happen to suit my purpose.

However I guess it's also the case that server security ideally should not be so reliant on PHP-level solutions, whether produced by the PHP team or 3rd parties. I think virtual 'shared' hosting and the way it seems to have evolved is simply not ideal. (most probably you know this from experience better than me anyway Chirpy). :)

I personally wasn't disputing the stability or usability of phpsuexec, I currently use it on all my servers. I was just concerned about future-ability, and also like the thread starter, whether there were any comments forthcoming regarding the merits of suphp v phpsuexec.
 

sparek-3

suPHP does have some features that I do like over phpSuExec. However, you also need to do a lot of patching and fixing of the suPHP code to really get it to work. I am testing a suPHP set up on one of our newer servers to see if there are any issues. The main feature in suPHP that I really like is the ability to add a suPHP_ConfigPath to a VirtualHost entry in the httpd.conf file. This means that you as a server administrator can control custom php.ini directives per account. The phpSuExec solution is to read the php.ini file that is in the same directory as the PHP script. This can be a hassle if you have one account that wants to have register_globals enabled on their account, but you do not want to enable it server-wide. With phpSuExec, you have to include a customized php.ini file that has register_globals enabled and place that file in every directory on the account. With suPHP, you simply create one instance of the modified php.ini file and then use a suPHP_ConfigPath directive in the httpd.conf file and then all requests for that VirtualHost use that customized php.ini file.

However, the main issue involving using suPHP is the fact that you have to include the suPHP_UserGroup directive for each VirtualHost. You can accomplish this by editing the default VirtualHost template, but this will be overwritten whenever you update cPanel. Ultimately I think there needs to be some degree of allowing a customizable VirtualHost template, so that suPHP will automatically work on new accounts.

There is a Bugzilla enhancement request for this (Customizable VirtualHost Templates) at:

http://bugzilla.cpanel.net/show_bug.cgi?id=3209

Unless the cPanel developers want to incorporate some of suPHP functionality into phpSuExec, then I would think that allowing Customizable VirtualHost Templates would be the first step needed to really start any type of community involvement with cPanel and suPHP.
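
An added example, not part of the post above and not cPanel or suPHP code: because hand-added suPHP_UserGroup lines can be lost when the VirtualHost template is regenerated, this Python check lists the VirtualHost blocks in an httpd.conf that lack the directive and records any suPHP_ConfigPath per block. The sample configuration, account names and paths are constructed, and the parser assumes one directive per line with no Include handling.

```python
# Constructed sample: three VirtualHost entries with hypothetical accounts/paths.
SAMPLE_HTTPD_CONF = """\
<VirtualHost 192.0.2.10:80>
    ServerName alice.example.com
    suPHP_UserGroup alice alice
    # directory that holds this account's customized php.ini
    suPHP_ConfigPath /usr/local/etc/php-accounts/alice
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName bob.example.com
    # suPHP_UserGroup bob bob   (commented out, so not in effect)
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName carol.example.com
    SUPHP_USERGROUP carol carol
</VirtualHost>
"""

# Directive names are compared in lower case because Apache ignores their case.
TRACKED = {"servername": "servername",
           "suphp_usergroup": "usergroup",
           "suphp_configpath": "configpath"}


def audit_vhosts(conf_text):
    """Return one dict per <VirtualHost> block with the tracked directives."""
    results, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments never count as directives
        lowered = line.lower()
        if lowered.startswith("<virtualhost"):
            current = dict.fromkeys(TRACKED.values())
        elif lowered.startswith("</virtualhost") and current is not None:
            results.append(current)
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            key = TRACKED.get(parts[0].lower())
            if key:
                current[key] = parts[1].strip() if len(parts) > 1 else ""
    return results


def missing_usergroup(conf_text):
    """ServerNames of vhosts that have no suPHP_UserGroup directive."""
    return [v["servername"] for v in audit_vhosts(conf_text) if not v["usergroup"]]
```

Running `missing_usergroup` on the live httpd.conf after each control panel update shows which accounts need the directive restored.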
 

jack01

Yes, I really WOULD love to be able to more easily configure on a per domain / virtual host basis. I wonder why phpsuexec was ever designed with such an awkward php.ini system :confused:, especially when contrasted with the relative elegance of php_value or php_admin_value of mod_php ... bah.
 

sparek-3

There is also a Bugzilla enhancement request for a better php.ini solution when using phpSuExec. The request is at:

http://bugzilla.cpanel.net/show_bug.cgi?id=3756

Concerning the use of php_flag directives in the .htaccess file: this really isn't possible when using PHP as CGI, such as the case when using phpSuExec or suPHP. This is because the .htaccess file is part of the Apache model and when you run PHP as CGI, the PHP code is not executed under the Apache model, so it does not recognize the .htaccess file.
 

jack01

Thanks for the bugzilla link.

sparek-3 said:
Concerning the use of php_flag directives in the .htaccess file: this really isn't possible when using PHP as CGI, such as the case when using phpSuExec or suPHP. This is because the .htaccess file is part of the Apache model and when you run PHP as CGI, the PHP code is not executed under the Apache model, so it does not recognize the .htaccess file.
I already knew that, I was just referring to the contrast in methods, i.e. the relative simplicity of one file (.htaccess) hierarchically affecting all lower directories etc.