
06-01-2008, 20:16
|
 |
System Administrator.
|
|
Join Date: Apr 2007
Posts: 55
|
|
PhpSuexec - what do I need to know?
------------------------------------------------------------------------------------------------------
The Golden Rules To Which You Must Adhere
-------------------------------------------------------------------------------------------------------
1. Ensure script permissions are correct. Any script that is world-writable (i.e. permissions of 0777) will not execute. Neither will scripts execute from a directory that has such permissions. The maximum workable permissions are 0755 for both directories and scripts.
2. Ensure ownership of files is correct. Directories (not including the public_html directory) and files must be owned by user:user, not nobody:nobody. In general most scripts would be already owned by user:user, however files created
3. Ensure that scripts are uploaded in ASCII and not BINARY mode when transferring files by FTP. If in doubt, delete and re-upload - this one generally gives you a 'premature end of headers' type error.
4. If you are using .htaccess with a php_value or a php_flag entry within it, you will receive an error when attempting to access the scripts. Apache will not recognise these commands and will produce an error page.
All PHP values should be removed from your .htaccess files to avoid any complications. Adding a php.ini file in its place will solve this issue.
For example, if you previously had this setting in your directory's .htaccess file:
php_value some_directive On
then remove it from the .htaccess file.
Now create and add in this to your new php.ini file:
some_directive=On
and place the php.ini file in the same directory.
Technical Limitations
1. The $PATH_INFO and $PHP_SELF variables within PHP do not function. These are usually used to make 'search engine friendly' URLs, such as in OSCommerce. It modifies the URL of links using a method incompatible with phpSuexec. You can try replacing your code:
$PHP_SELF = $REQUEST_URI;
or
$url = sprintf("%s%s%s","http://",$HTTP_HOST,$REQUEST_URI);
2. The PHP function getallheaders() does not work - this requires PHP to be installed as a module, directly within Apache.
3. PHP directives in .htaccess are not allowed. You would get an internal server error if you try.
4. If you use Movable Type, it may not work when rebuilding the site within a phpSuexec environment. Essentially, what this means is that after you make a posting in your blog, your site stops functioning. This is because Movable Type re-creates the files with the wrong permissions. There's a way to get around this - simply find the mt.cfg file and look for the following lines:
#HTMLPerms 0777
#UploadPerms 0777
Remove the # signs in the beginning of the lines, save your file, and try to re-generate your site again. All should be functional at this point.
These are the benefits of PHP suexec:
1. All PHP scripts will run as the script owner. In the past they ran under the user of Apache (nobody). This can lead to delays in tracking down any errant scripts. With this new addition, we can better react to problems and resolve them faster for you.
2. Another implication of the first benefit is that spammers will no longer be able to send out emails without imprinting their user id on the mails. This will hasten the tracking and shutting down of any and all spammers.
3. One of the issues in the past has been that all files uploaded via PHP end up being owned by the Apache (nobody) user. This prevents the user from manipulating the file or in some cases may even lock out the owner from doing anything to the file. Now, with this change, all files uploaded will be set to the right owner.
4. It was possible in the old system to make a directory/file in the /tmp folder that was owned by the Apache (nobody) user. With the switch, it's now stamped with their username and group ID. It makes it easier to track abuses and abusers.
|
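An added example, not part of the original post or the host's own tooling: a shell pre-flight check for golden rules 1, 2 and 4 above, which lists anything more permissive than 0755, anything not owned by the account, and any php_value / php_flag lines in .htaccess together with their php.ini form. The function names and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an account's web root against the golden rules above.
# Function names are hypothetical; the sample tree is constructed for the demo.

# Rule 1: files/dirs writable by group or others, i.e. anything beyond 0755.
too_permissive() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print | sort
}

# Rule 2: entries not owned by the account ($2 = user name or numeric uid).
# The post exempts the public_html directory itself from this rule.
wrong_owner() {
    find "$1" ! -user "$2" -print | sort
}

# Rule 4: .htaccess lines with php_value / php_flag, printed as file:line:text.
htaccess_php_lines() {
    find "$1" -type f -name .htaccess -exec \
        grep -nE '^[[:space:]]*php_(value|flag)[[:space:]]' /dev/null {} +
}

# Rule 4: the php.ini form (name=value) of the directives in one .htaccess.
htaccess_to_ini() {
    awk '$1 == "php_value" || $1 == "php_flag" {
        name = $2; $1 = ""; $2 = ""; sub(/^[ \t]+/, ""); print name "=" $0
    }' "$1"
}

# Constructed sample tree: one 0777 directory, one .htaccess with PHP settings.
demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/public_html/uploads"
    printf '<?php echo "ok";\n' > "$d/public_html/index.php"
    printf 'php_value memory_limit 64M\nphp_flag display_errors Off\nOptions -Indexes\n' \
        > "$d/public_html/.htaccess"
    chmod 755 "$d" "$d/public_html"
    chmod 644 "$d/public_html/index.php" "$d/public_html/.htaccess"
    chmod 777 "$d/public_html/uploads"
    echo "$d"
}

root=${1:-$(demo_tree)}   # pass a real web root as $1, else use the sample
echo "== more permissive than 0755 =="; too_permissive "$root"
echo "== not owned by uid $(id -u) ==";  wrong_owner "$root" "$(id -u)"
echo "== PHP directives in .htaccess =="; htaccess_php_lines "$root" || true
```

Run it as the account user so the ownership check compares against the right uid; `htaccess_to_ini` output can be redirected into a php.ini placed in the same directory as the .htaccess it came from.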

06-01-2008, 21:17
|
 |
System Administrator
|
|
Join Date: Dec 2006
Posts: 572
|
|
Very nice post Alex..!!! I hope this starts a new revolution into server security management... 
PHPSuExec workout is all well explained & in a simple but clearer manner.. 
|

07-01-2008, 21:47
|
 |
Chief Marketing Officer
|
|
Join Date: Sep 2005
Posts: 4,253
|
|
Quote:
Originally Posted by Rock
Very nice post Alex..!!! I hope this starts a new revolution into server security management... 
PHPSuExec workout is all well explained & in a simple but clearer manner.. 
|
indeed
I hope people read what he has explained as most of us try to avoid reading long articles and that is where people fail to improve their technical knowledge.
__________________
UK Web Hosting || Business Hosting || eUKhost Knowledgebase
Toll Free : 0808 262 0255 || MSN : mark @ eukhost.com || AIM : eukmark
A bunch of Sheep led by a Lion is better than a bunch of Lions led by a Sheep.
__________________________________________________
Great Opportunity :: Join our Affiliate Program for FREE and earn 20% commission on each referral.
|

17-03-2008, 14:01
|
 |
Junior Member
|
|
Join Date: Dec 2007
Posts: 16
|
|
Hi,
You say that the $PHP_SELF variable will no longer work, is $_SERVER['PHP_SELF'] affected in the same way?
I use $_SERVER['PHP_SELF'] in many of my scripts, not $PHP_SELF, are they the same var?
__________________
$wisdom = array('knowledge', 'patience', 'experience', 'compassion', 'sympathy', 'humour', 'courage', 'tolerance', 'humility', 'Linux');
|

17-03-2008, 14:29
|
 |
System Administrator.
|
|
Join Date: Apr 2007
Posts: 55
|
|
Yes, the $_SERVER['PHP_SELF'] and $PHP_SELF variables within PHP do not work. You can try replacing your code:
$PHP_SELF = $REQUEST_URI;
or
$url = sprintf("%s%s%s","http://",$HTTP_HOST,$REQUEST_URI);
It will work.
|

17-03-2008, 16:35
|
 |
Premium Member
|
|
Join Date: Jan 2008
Location: UK
Posts: 360
|
|
Very good and worthwhile post

|

17-03-2008, 18:01
|
 |
Junior Member
|
|
Join Date: Dec 2007
Posts: 16
|
|
Yes indeed, so now we know what PhpSuexec does and what we should bear in mind once PhpSuexec is enabled. I think we need some good, clear, step-by-step instructions showing how to actually enable (and disable) PhpSuexec.
Then we can try it out for ourselves and put it to good use!
Thanks for all the help and pointers.
__________________
$wisdom = array('knowledge', 'patience', 'experience', 'compassion', 'sympathy', 'humour', 'courage', 'tolerance', 'humility', 'Linux');
|

17-03-2008, 21:51
|
 |
System Administrator.
|
|
Join Date: Apr 2007
Posts: 55
|
|
You have to recompile Apache/PHP with the mod_suphp and suexec modules. If cPanel is installed on your server then please run the ./scripts/easyapache script to recompile Apache/PHP.
|
|