PHPsuexec Information

  • KyleC
    Senior Member
    • Mar 2004
    • 291

    PHPsuexec Information

    This thread contains information regarding some of the basic differences that you may encounter between running php as CGI with suexec and running php as an apache module.

    What is the difference?
    Most sites will not be affected with the change, running php as cgi with suexec. Phpsuexec works in much the same way that cgi (perl scripts etc) with suexec does, all applications being run under your account user name UID/GID, rather than in php's case as an apache module, the user "nobody".

    This simply means that rules that apply to .cgi + .pl files on your current server, apply to php files also - The maximum permissions permitted on directories and .php files is 755. Failing to have permissions set to a maximum of 755 on php files and their installation paths, will result in a 500 internal server error, when attempting to execute them.

    777 - Do I need directories set to this? My install script says that I do.
    No, you do not need to have directories or files set to 777, even if your installation documents tell you that you do. Permissions of 755 will work in the same way - Scripts owned by your account user UID/GID will be able to write to your files, the same way that they can running under apache with 777 permissions.

    If you have php applications/scripts that have directories set to 777, (required to write to them under php/apache module), they would need to be changed - Also we would need to change ownerships of all files owned by user "nobody" to the user name UID/GID for your account.

    .htaccess
    You cannot manipulate the php.ini settings with .htaccess when running php as cgi/phpsuexec.

    If you are using .htaccess with php_value entries within it, you would receive an internal server 500 error when attempting to access the scripts. This is because php is no longer running as an apache module and apache will not handle those directives any longer.

    All php values should be removed from your .htaccess files to avoid this issue. Placing a php.ini file in its place will solve this issue. (Please see below.)

    Default settings, I need Zend Optimizer or php to run with different options than the servers default settings, can I do this?
    The server default settings within the main php.ini do not have Zend Optimizer enabled as per default.

    If you require Zend Optimizer to be installed for your application, or require other options, you would create a plain text file named php.ini with the following within it :-

    Code:
    zend_extension_manager.optimizer=/usr/local/Zend/lib/Optimizer-2.1.0
    zend_extension_manager.optimizer_ts=/usr/local/Zend/lib/Optimizer_TS-2.1.0
    zend_extension=/usr/local/Zend/lib/ZendExtensionManager.so
    zend_extension_ts=/usr/local/Zend/lib/ZendExtensionManager_TS.so

    You may copy the other variables from the phpinfo page as they appear within it and modify the settings as required for your scripts. Please use this feature to disable default options too, in order to make your scripts more secure - try to ensure that options not required for your application aren't used if they present a security risk to your particular script if known.

    What is a php.ini file and how do I go about making one?
    The php.ini file is a configuration file that the server looks at to see what options have been turned on, off or set to a number different from the defaults that we have set for the server. While the name may seem advanced to those unfamiliar with it, it's simply a text file with the name php.ini

    To create a php.ini file, just open up a text editor, add in the lines you need and save the file. You can name the file whatever you wish when saving. Once done, upload the file to the directory where the script you're using is being accessed from and then rename it to php.ini

    Quick trouble shooter.....
    HELP my php script doesn't work or I have an error message

    1. Check that the php script that you are attempting to execute has permissions of no more than 755 - 644 will work just fine normally, this is not something that will need to be changed in most cases.

    2. Check that the directory permissions that the script resides within is set to a maximum of 755. This also includes directories that the script would need to have access to also.

    3. Check that you do not have a .htaccess file with php_values within it. They will cause a 500 Internal server error, when attempting to execute the script.

    The php_values will need to be removed from your .htaccess file and a php.ini put in its place, containing the php directives as explained above.

    provided by: bd2003


    my old PHPsuexec FAQ entry
    [QUOTE]suExec is a new security system that is being placed on some hosting services that run Apache servers. Full details can be read on the Apache website. However, this is more for a server administrator.

    Background
    At the moment if you want to run some scripts, ie some forums and CMS, you are required to change the permissions on them to 777 (read/write/execute at user/group/world level). This is not very secure and can allow people to load scripts and run on the entire server. With suEXEC enabled, you will not be able to run files with 777 permissions.

    What does the implementation of this mean for you the user of a hosting service with suEXEC installed on the server? - My thanks to "openbox" from another forum for the information below.

    Once phpsuexec is implemented on your server, you will not be able to have php scripts that are group/world writeable/executable. If you currently have scripts that have permissions set to 755 or higher, then you will need to chmod files to 644 or less. An example shell command to chmod a file is shown below (assuming you have Shell access). More info can be found by man chmod.

    CODE
    chmod 644 scriptname.php


    For phpsuexec to work, all scripts must be accessible in subdirectories. To traverse a directory, you need execute permission on that directory. Therefore, each directory containing php scripts needs permissions of 755. The procedure to chmod a directory is the same as a file.

    Generally, you do not have permission to chown files/directories. If you have files/directories that are currently owned by nobody, or any other user, you'll need to submit a request to your host provider to chown the directory/file to your username. Once they have chown'd the file, then you will be able to chmod as appropriate.

    Additionally, with phpsuexec installed, you will no longer be able to have php directives in your .htaccess files. If you have these currently, you'll need to remove them and create a php.ini file with the directives.

    If you have any other specific questions, feel free to ask. [/QUOTE]

    osCommerce Info ...
    As a followup to this, symptoms of phpsuexec impacting on your website may be seen through either

    Internal Server Error 500

    403 Forbidden Access

    If this is the case and your permissions are set as follows:


    Folders = 755 or lower

    Files = 644 or Lower

    be sure to delete the .htaccess file as detailed above.

    OsCommerce Users:
    There are issues that have occurred with osCommerce sites. These relate to the file permissions of the global_config.php file. This matter has been raised on the osCommerce Forum.

    By completing the directions here, you will be able to alter the permissions as required. This can also be completed via most FTP programs. If you load this file to the server, be sure to delete it once completed.

    If this fails, please contact your host and request that they ensure that all files are owned by you. As mentioned in the previous post, under Apache, pre phpsuexec, the owner of files and folders was 'nobody'. Under phpsuexec, it MUST be owned by the account for scripts to function.
    Last edited by KyleC; 04-03-2004, 02:43 AM.
    -Kyle
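
The three checks from the troubleshooter in the post above (permissions looser than 755, files not owned by the account user, php directives left in .htaccess), as an added example that is not part of the original post. The function names are hypothetical, and the web root and account user are assumed to be passed as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): audit a web root for the phpsuexec
# problems the post lists. Function names here are hypothetical.
# Usage: sh audit.sh <docroot> <account-user-or-uid>
# Output: one finding per line, "<KIND> <path>".

audit_phpsuexec() {
    root=$1
    owner=$2

    # PERM: directories and PHP scripts writable by group or world,
    # i.e. anything looser than 755 (777, 775, 666 ...).
    find "$root" \( -type d -o -type f -name '*.php' \) \
        \( -perm -020 -o -perm -002 \) -print | sed 's|^|PERM |'

    # OWNER: anything not owned by the account user (for example files left
    # owned by "nobody"). Only the host can chown these.
    find "$root" ! -user "$owner" -print | sed 's|^|OWNER |'

    # HTACCESS: .htaccess files still carrying mod_php directives, which
    # Apache no longer understands once PHP runs as CGI.
    find "$root" -type f -name '.htaccess' \
        -exec grep -lE '^[[:space:]]*php_(admin_)?(value|flag)[[:space:]]' {} + \
        | sed 's|^|HTACCESS |'
}

# Repair what the account owner can repair without the host:
# directories to 755, PHP scripts to 644.
fix_phpsuexec_perms() {
    root=$1
    find "$root" -type d \( -perm -020 -o -perm -002 \) -exec chmod 755 {} +
    find "$root" -type f -name '*.php' \( -perm -020 -o -perm -002 \) \
        -exec chmod 644 {} +
}

# Run the audit when called with both arguments.
if [ $# -eq 2 ]; then
    audit_phpsuexec "$1" "$2"
fi
```

OWNER findings cannot be fixed with chmod; as the post says, they need a chown request to the host. HTACCESS findings need the directives moved into a php.ini file.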
