PHPsuexec and suexec
kalidust
06-10-2005, 01:48 PM
I've never really understood what PHPsuexec and suexec are. Can someone provide an explanation for each and what pros/cons for each?
Robert
06-10-2005, 04:14 PM
I added a tidbit to our server security page on our forums (http://forums.powervps.com/showthread.php?t=26) regarding phpsuexec.
Basically with phpsuexec, it runs each script as a separate process (similar to how perl scripts run). It lets you see if a user is using a lot of resources with a PHP script and provides an extra level of security in that the permissions, etc. are set up.
The downside... some htaccess directives do not work, especially in regards to php directives. Those directives have to be in a custom php.ini file. Since these processes run outside of Apache as well individually, it uses a bit more resources as well.
http://httpd.apache.org/docs/suexec.html -- A good read about how suexec works. :)
Hope that helps!
charles
06-10-2005, 04:20 PM
One more downside is that they use more resources (because php is executed as a cgi) and will be slower than normal php. If you're not reselling, you don't need/want to use it.
charles
PvUtrix
06-11-2005, 08:09 AM
e-accelerator does NOT work with phpsuexec
Are you sure?... I've been able to get the two to work together fine on a out of the box cPanel and eaccelerator install.
As have I. It can be fiddly, but it's certainly possible. =)
wokman
10-05-2005, 06:05 AM
Charles, will you please expand on the statement.
If you're not reselling, you don't need/want to use it. What about reselling triggers the need for PHPsuexec? Does adding a reseller to one's cpanel account change the privileges under which PHP/Apache runs?
Does this article Server Security Issues – PHPSUEXEC (http://codylindley.com/Misc/74/server-security-issues-phpsuexec-textpattern), accurately describe this security hole?
I'd prefer not to take the performance hit, yet I want to ensure that my php scripts only get parsed, not read by others. Does this only become an issue when there are other users of the same VPS?
Thanks!
charles
10-05-2005, 12:14 PM
Charles, will you please expand on the statement.
What about reselling triggers the need for PHPsuexec? Does adding a reseller to one's cpanel account change the privileges under which PHP/Apache runs?
The need is triggered by having users/resellers that you do not necessarily trust. PHPsuexec allows you to see what users are [ab]using resources, not just "nobody". So if all of your users are trusted/friends this is not needed.
Does this article Server Security Issues – PHPSUEXEC (http://codylindley.com/Misc/74/server-security-issues-phpsuexec-textpattern), accurately describe this security hole?
Not at all! All users are jailed to their own home directory, so they cannot read other users' php files.
I'd prefer not to take the performance hit, yet I want to ensure that my php scripts only get parsed, not read by others. Does this only become an issue when there are other users of the same VPS?
Thanks!
All users of your VPS are in a shared environment. It simply boils down to whether or not you trust those users. If you do not trust them, or there is a likelihood of them abusing resources, then you would benefit from PHPsuexec; otherwise you will not, and there's no point taking the resource hit in that case.
hth
charles
Are you sure?... I've been able to get the two to work together fine on a out of the box cPanel and eaccelerator install.
nope it doesn't work.
You may have eaccelerator compiled and setup in php.ini, but with phpsuexec it actually isn't running, open up your eaccelerator() page and it will show it as disabled.
StingRay
10-06-2005, 03:21 PM
Quote:
Originally Posted by wokman
I'd prefer not to take the performance hit, yet I want to ensure that my php scripts only get parsed, not read by others. Does this only become an issue when there are other users of the same VPS?
Thanks!
All users of your VPS are in a shared environment. It simply boils down to whether or not you trust those users. If you do not trust them, or there is a likelihood of them abusing resources, then you would benefit from PHPsuexec; otherwise you will not, and there's no point taking the resource hit in that case.
Charles, this leads to another question that might more fully answer the previous.
If in a shared environment (non phpsuexec), what ARE the vulnerabilities with regards to file viewing, modifying, executing and permissions?
If I have a file that is 777, in a directory that is 777. Can someone else on the VPS view, modify, exec that file? (non phpsuexec). What about WITH phpsuexec, is any of that possible?
I think this would help people make better decisions about phpsuexec.
Trusting clients isn't always wise or possible, so you need to know the risks and vulnerabilities and how to limit them.
charles
10-06-2005, 05:31 PM
Charles, this leads to another question that might more fully answer the previous.
If in a shared environment (non phpsuexec), what ARE the vulnerabilities with regards to file viewing, modifying, executing and permissions?
If I have a file that is 777, in a directory that is 777. Can someone else on the VPS view, modify, exec that file? (non phpsuexec). What about WITH phpsuexec, is any of that possible?
The question is a bit loaded, as 777 permissions are just plain stupid, and there is not just php you have to worry about, but I'll explain the scenarios.
1. You somehow were foolish enough to give your user ssh access, and not jailed to their home directory - then yes they can access the files either way.
2. Your user has no ssh access, or jailed ssh access, and only panel/ftp access which jails them (standard), then no, they cannot with PHPsuexec enabled. If you are not using phpsuexec, and a malicious user knows the paths to these files, they could indeed modify and access files with these permissions. In fact any file or directory owned by the apache user (nobody for example) or in the apache group (again nobody for example) is at a minimum readable by other php scripts on that server. For example:
<?php
// Under mod_php this runs as the shared apache user ("nobody"), so it can list
// and read whatever that user can read in another account's directory.
$dir = '/home/c******/public_html';
if ($handle = opendir($dir)) {
    echo "<pre>Files:\n";
    while (false !== ($file = readdir($handle))) {
        echo "$file\n";
        if ($file == "test.php") {
            // dump the source of the other account's script, line by line
            print_r(file("$dir/$file"));
        }
    }
    echo "</pre>";
    closedir($handle);
}
?>
So don't use the same password for databases etc in your scripts, as you use for your accounts, etc.
I think this would help people make better decisions about phpsuexec.
Trusting clients isn't always wise or possible, so you need to know the risks and vulnerabilities and how to limit them.
You said the word "client". Say no more, and enable PHPsuexec. :)
charles
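A check from the server admin's side for the permission problems Charles describes, as an added example that is not part of this thread: it lists world-writable entries (the 777 case) and world-readable credential files under a web root, plus anything owned by the apache user, and returns non-zero when it finds something so it can run from cron. Assumed: POSIX sh and find, the apache user name "nobody" as in the post, and the config file name patterns.

```shell
#!/bin/sh
# Added example (not from the thread). Usage:
#   audit_webroot /home/someuser/public_html [apacheuser]
# Assumptions: POSIX sh and find; apache user defaults to "nobody".

# World-writable entries (the "777" case). Under mod_php every tenant's
# script runs as the shared apache user, so any of them can modify these.
find_world_writable() {
    find "$1" -perm -0002 2>/dev/null | sort
}

# World-readable files that usually hold credentials. Under mod_php they must
# be readable by the apache user, hence by every tenant's script; under
# phpsuexec they can be 0600 and owned by the account itself.
# The name patterns are an assumption; extend them for your scripts.
find_world_readable_configs() {
    find "$1" -type f -perm -0004 \( -name 'config*.php' -o -name 'wp-config.php' \
        -o -name '*.inc' \) 2>/dev/null | sort
}

# Entries owned by the apache user inside an account's tree (uploads, caches
# written by scripts under mod_php): readable by other PHP scripts on the box.
find_owned_by_apache() {
    find "$1" -user "${2:-nobody}" 2>/dev/null | sort
}

# Portable line count without wc's leading spaces.
count_lines() {
    wc -l | tr -d ' '
}

# Print a report; exit status 1 if anything was found.
audit_webroot() {
    root=$1
    apache=${2:-nobody}
    total=0
    for check in find_world_writable find_world_readable_configs; do
        n=$("$check" "$root" | count_lines)
        printf '%s: %s\n' "$check" "$n"
        "$check" "$root" | sed 's/^/  /'
        total=$((total + n))
    done
    n=$(find_owned_by_apache "$root" "$apache" | count_lines)
    printf 'owned by %s: %s\n' "$apache" "$n"
    total=$((total + n))
    [ "$total" -eq 0 ]
}
```

With phpsuexec enabled the fix for a flagged config file is chmod 600 owned by the account; without it the file has to stay readable by the apache user, which is exactly the exposure the post describes.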