The Community Forums

Interact with an entire community of cPanel & WHM users!

WHATIS: PHP SuExec

Discussion in 'General Discussion' started by Gammasoft, Jul 17, 2003.

  1. Gammasoft

    Gammasoft Member

    PHP SuExec compiles PHP not as an Apache module (via APXS) or a Dynamic Shared Object (DSO) but as a CGI module. The advantages are as follows:

    - PHP is run as the user that owns the website, so the user cannot use PHP to run arbitrary commands, or use PHP's exec / shell_exec functions etc. to undermine your system, aka crack into your system and generally cause havoc.

    - You can trace which user is causing the highest server load to the server at that time.

    However there are numerous disadvantages:

    - PHP is optimised for use with an Apache Module

    - The CGI Specification based module is on average 10-15% slower than Apache Modules

    - You will not have access to all Apache commands from PHP

    - CGI is also very insecure, please read this document to see why: http://www.cert.org/advisories/CA-1996-11.html

    - The CGI version of PHP is very, very insecure in other ways, but can be patched; that requires a lot of work on your part, including following this advice: http://www.php.net/manual/en/security.cgi-bin.php

    I hope this answers some questions, and also persuades many not to use SuExec with PHP. I hope to see a lot of ./scripts/easyapache running in the next few days... :p

  2. howard

    howard Well-Known Member

    I think you may be misunderstanding the way in which the php suexec patch is implemented, as not all of these points apply in this situation, or they can be worked around.

    Well, I would agree that you cannot use php commands such as php_flag etc. in httpd.conf or in .htaccess; however you can use them in php.ini (w/o the php_ prefix), either in the default php.ini dir or where a php script is being run.

    This is really a general problem with stuff in cgi-bin and does not really apply to phpsuexec, since it does not require stuff in the cgi-bin.

    What security issues would you be thinking of? If you're using the php binary in your public_html dir then you are hopefully already aware of the risks?

    Well, I would agree that phpsuexec is not to be slapped on w/o thought; however, with careful planning and knowledge of its limitations (e.g. no php_ directives in httpd.conf or .htaccess, unable to use php_auth_user), it can be useful.

  3. Gammasoft

    Gammasoft Member

    phpsuexec requires you to place the PHP script interpreter in the cgi-bin, with the user's permissions; otherwise, how does it work?

  4. howard

    howard Well-Known Member

    It does not require you to have it in the user's cgi-bin.

    It's basically a patch to /usr/local/apache/bin/suexec which extends the same protection and restrictions as for perl scripts (w/o mod_perl), such as running the script under the user which owns the file, while the file must not be group/world writable etc. Then, and only after it has successfully met all criteria, it invokes the php binary which cPanel's easyapache installs at /usr/bin/php to process the php script in question (so you don't need a #!/usr/bin/php at the top of each php script).

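The checks howard describes above (script owned by the vhost user, not group/world writable, no root or system accounts), written out as a shell function. This is an added example, not cPanel's or Apache's suexec code; it assumes GNU stat (-c) and reads the minimum uid from a hypothetical PHPSUEXEC_UID_MIN variable, which real suexec hard-codes at build time.

```shell
# Added example: a re-implementation of the pre-execution checks the thread
# attributes to the phpsuexec patch, not the real suexec source.
# Assumes GNU stat (-c). PHPSUEXEC_UID_MIN is a hypothetical knob (default 500).
# Returns 0 if the script would be accepted, 1 (with a reason on stderr) if not.
phpsuexec_check() {
    script="$1"    # the requested .php file
    user="$2"      # the account the virtual host runs as
    min_uid="${PHPSUEXEC_UID_MIN:-500}"

    # Must be a regular file reached without following a symlink
    if [ -L "$script" ] || [ ! -f "$script" ]; then
        echo "reject: $script is not a regular file" >&2; return 1
    fi
    dir=$(dirname "$script")

    # Both the script and the directory holding it must be owned by $user
    for p in "$script" "$dir"; do
        owner=$(stat -c '%U' "$p")
        if [ "$owner" != "$user" ]; then
            echo "reject: $p owned by $owner, expected $user" >&2; return 1
        fi
        # Neither may be group- or world-writable. stat %A yields e.g.
        # "-rw-r--r--": char 6 is the group write bit, char 9 the world write bit.
        case "$(stat -c '%A' "$p")" in
            ?????w*|????????w*)
                echo "reject: $p is group/world writable" >&2; return 1 ;;
        esac
    done

    # Refuse to run as root or as a system account
    uid=$(id -u "$user" 2>/dev/null) || { echo "reject: unknown user $user" >&2; return 1; }
    if [ "$uid" -lt "$min_uid" ]; then
        echo "reject: uid $uid is below the minimum $min_uid" >&2; return 1
    fi

    # A real suexec would now switch to $uid and exec /usr/bin/php "$script";
    # this example stops at the decision.
    return 0
}
```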
  5. carlgm

    carlgm Well-Known Member

    This has neither been confirmed nor denied. Does php_admin_value open_base_dir work with phpsuexec? Tweak Security -> open base dir -> enable?

  6. howard

    howard Well-Known Member

    No, php_ stuff doesn't work with the aforementioned patch, since the hooks provided by mod_php are no longer there and therefore apache no longer has anything to work with (indeed apache will refuse to start if you have php_ stuff in your httpd.conf and no mod_php module loaded).

    You will need to work with php.ini files to set php options (e.g. just open_basedir, w/o the php_ in front of it).

  7. Gammasoft

    Gammasoft Member

    That's what I meant. "Has to be in the user's cgi-bin" means it has to be using the user's CGI binary of php. Thus it is using CGI, so all my statements were true.

  8. pfmartin

    pfmartin Well-Known Member

    I completely disagree with this post. PHP as a CGI is the most secure form of PHP you can use. Please don't let anybody scare you into not using something, especially when it pertains to security. Check the facts first. The "facts" posted here are erroneous. Sorry gamma... I know you have good intentions, but I don't agree with you.

    Using php as CGI does NOT mean each user needs a copy of the php binary in their cgi-bin. Do you have a copy of the perl binary in each user's cgi-bin?? I don't think so... :)

    #8 pfmartin, Aug 15, 2003
    Last edited: Aug 15, 2003