Article ID: 10 Created on: 11/03/2009 5:17 pm Modified on: 11/03/2009 5:17 pm
A Brief Overview on File Permissions
0400 read by user
0200 write by user
0100 execute by user
0040 read by group
0020 write by group
0010 execute by group
0004 read by world
0002 write by world
0001 execute by world
By adding the permission values together, you get the number that
corresponds to the combined permission. For example,
400+200+100+40+20+10+4+2+1 = 777, which is read/write/execute by
user, group and world.
What is PHPSuexec?
PHPSuexec is the shortened term often used to describe running PHP
as a CGI with Suexec. Running PHP as a CGI with Suexec creates a much
more secure environment compared to running PHP as an Apache module.
Below we will describe the differences in the two forms of PHP, with
examples on how security differs with the two.
PHP as an Apache Module
When PHP runs as an Apache module, PHP files work under the Apache
user/group known as "nobody". For example, when a PHP file needs to
write to another file or create/remove a file, it does so under the
name "nobody". In order to allow "nobody" to do this, you need to set
specific permissions on the file/directory, such as 777 - which
translates to read/write/execute by user/group/world. This is insecure
because you have not only allowed the webserver (Apache) to read/write
to the file, you have also allowed everyone else on the server to
read/write to the file as well!
Because of this, when a PHP file creates or uploads a new file under
your account, the new file will be owned by the user "nobody". If you
FTP into your account, you will not be able to move, rename or delete
any files owned by "nobody". In this case the only ways to remove the
"nobody"-owned files are through a script on the server or by contacting
support and asking for the file ownership to be changed back to your
username.
PHP as a CGI with Suexec
When PHP runs as a CGI with Suexec, PHP files work under your own
user/group. PHP files no longer require loose permissions to function;
instead they require strict permissions. Setting your directories or
PHP files to 777 will cause them to produce a 500 Internal Server
Error; this happens to protect your PHP files from being abused by
outside sources.
Under PHPSuexec your directories and PHP files can have
permissions no greater than 755 (read/write/execute by your username,
read/execute by group/world). Since you own your files, your scripts
can function in any directory your user has created and can't be
manipulated by any outside users, including "nobody".
Now, when a PHP file creates or uploads a new file under your
account, the new file will be owned by your username. You will no
longer have to worry about the webserver taking over your files and
even more important, you will no longer have to worry about a stranger
reading or writing to your files either!
.htaccess
When PHP runs as an Apache module you are able to manipulate PHP
using .htaccess, since .htaccess is an Apache feature. When PHP runs
as a CGI, you can no longer do this because Apache no longer understands
the PHP flags and values. Instead, when PHP runs as a CGI, you will
need to create your own PHP initialization file, called php.ini.
php.ini works almost the same way as .htaccess: it is simply a text
file with directives that will be used instead of the server's default
directives.
To give you a better understanding about how both work in regards
to PHP, we have listed a .htaccess file and a php.ini file below.
.htaccess
php_value magic_quotes_gpc on
php.ini
magic_quotes_gpc = on
There is one main difference between the use of .htaccess and php.ini:
a .htaccess file can be placed in the root directory and affect all
subdirectories with just one file, but php.ini does not work this way. A
php.ini file needs to be placed in every directory and subdirectory
that requires the altered directives. This is a drawback of using
PHPSuexec; however, we hope that in the future PHP can be written to
handle the php.ini file in a more workable fashion.
Last but not least, there is a directive used in .htaccess that
needs to be altered in order to work under PHPSuexec. The directive
ForceType needs to be changed to SetHandler. For example:
PHP as an Apache Module .htaccess Style
ForceType application/x-httpd-php
PHP as a CGI with Suexec .htaccess Style
SetHandler application/x-httpd-php
It is important to understand that you can still use .htaccess for
a variety of Apache functions, such as mod_rewrite directives, password
protection directives, etc. The only difference is that it can no
longer process PHP directives.
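The two conversions described above (PHP directives out of .htaccess into php.ini syntax, and ForceType rewritten to SetHandler), together with placing the resulting php.ini in every directory that holds PHP files, can be scripted. The following is an added example, not part of the original article or of any hosting control panel; the file and directory names it works on are assumptions, and it only recognises the php_value, php_flag and ForceType directives the article mentions.

```shell
#!/bin/sh
# Added example (not from the original article). Converts a module-style
# .htaccess for use under PHPSuexec. Paths are assumptions for the demo.

# htaccess_to_ini FILE
# Turns "php_value NAME VALUE" and "php_flag NAME on|off" lines into
# "NAME = VALUE" php.ini lines. Other Apache directives are skipped
# because they still belong in .htaccess.
htaccess_to_ini() {
    awk '
        tolower($1) == "php_value" || tolower($1) == "php_flag" {
            name = $2; value = ""
            for (i = 3; i <= NF; i++) value = value (i > 3 ? " " : "") $i
            print name " = " value
        }
    ' "$1"
}

# htaccess_for_cgi FILE
# Prints the .htaccess as it should look under PHPSuexec: php_value and
# php_flag lines removed (they now live in php.ini) and ForceType
# replaced by SetHandler. Everything else (mod_rewrite, auth, ...) is kept.
htaccess_for_cgi() {
    awk '
        tolower($1) == "php_value" || tolower($1) == "php_flag" { next }
        tolower($1) == "forcetype" { $1 = "SetHandler" }
        { print }
    ' "$1"
}

# install_php_ini INI_FILE DOCROOT
# Copies INI_FILE as php.ini into every directory below DOCROOT that
# contains a .php file (each directory needs its own copy) and sets the
# copy to 644 so it stays within the 755 limit. INI_FILE should live
# outside DOCROOT so cp never copies a file onto itself. Prints each
# directory that received a copy.
install_php_ini() {
    ini="$1"; root="$2"
    find "$root" -type f -name '*.php' -exec dirname {} \; | sort -u |
    while IFS= read -r dir; do
        cp "$ini" "$dir/php.ini" && chmod 644 "$dir/php.ini" && echo "$dir"
    done
}

# Typical use (assumed paths):
#   htaccess_to_ini  ~/public_html/.htaccess > ~/php.ini
#   htaccess_for_cgi ~/public_html/.htaccess > ~/htaccess.cgi
#   install_php_ini  ~/php.ini ~/public_html
```

Review the generated php.ini before installing it: the script copies directive values verbatim, and a value that was wrong in .htaccess will be wrong in every directory afterwards.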
Common Problems experienced with PHPSuexec
If your PHP scripts are reporting 500 Internal Server errors, please
check the following:
* Make sure the permissions of the directory the PHP file is in are no greater than 755.
* Make sure the PHP file permissions are no greater than 755. 644 is
the default permission for files uploaded by FTP and will work fine
for most PHP files.
* Make sure you do not have any .htaccess files which contain PHP
flags/values or ForceType directives. These directives need to be
handled differently, as explained above.
Courtesy of hostmagik
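The three checks in the list above can be run over a whole account in one pass. This is an added example, not part of the original article or of any hosting panel; the paths are assumptions. It uses only POSIX find tests, so it runs on the shell of a typical shared host. "Greater than 755" is read as having the group-write (020) or world-write (002) bit set, which is the only way a directory or file mode can exceed rwxr-xr-x in the table at the top of the article.

```shell
#!/bin/sh
# Added example (not from the original article). Finds the causes of
# PHPSuexec 500 errors listed above. Paths are assumptions for the demo.

# loose_permissions DOCROOT
# Lists directories and .php files that are group- or world-writable,
# i.e. whose mode exceeds 755 (the 020 or 002 bit is set).
loose_permissions() {
    find "$1" \( -type d -o -type f -name '*.php' \) \
         \( -perm -020 -o -perm -002 \) -print | sort
}

# module_style_htaccess DOCROOT
# Lists .htaccess files that still carry php_value, php_flag or ForceType
# directives, which Apache cannot apply to PHP running as a CGI.
module_style_htaccess() {
    find "$1" -type f -name .htaccess -print | sort |
    while IFS= read -r f; do
        if grep -Eiq '^[[:space:]]*(php_value|php_flag|ForceType)[[:space:]]' "$f"; then
            echo "$f"
        fi
    done
}

# fix_permissions DOCROOT
# Clears only the group/world write bits (chmod go-w), which turns 777
# into 755 and 666 into 644 while leaving every other bit untouched.
# Prints each path it changed.
fix_permissions() {
    loose_permissions "$1" | while IFS= read -r path; do
        chmod go-w "$path" && echo "$path"
    done
}

# Typical use (assumed path):
#   loose_permissions     ~/public_html   # report first
#   module_style_htaccess ~/public_html
#   fix_permissions       ~/public_html   # then repair
```

fix_permissions deliberately does not touch .htaccess files; those need the manual rewrite described in the .htaccess section, so the script only reports them.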