[FAQ] Additional PHP Security with PHPSuexec


ozgreg
08-17-2005, 09:12 PM
What is phpsuexec and why should I use it?

When PHP runs as an Apache module it executes as the user/group of the webserver, which is usually "nobody". Under this mode, files or directories that you require your PHP scripts to write to need to have 777 permissions (read/write/execute at user/group/world level). This is not very secure because, besides allowing the webserver to write to the file, it also allows anyone else to read or write to the file.

With PHP running as CGI with suexec enabled, your PHP scripts now execute under your user/group level. Files or directories that you require your PHP scripts to write to no longer need to have 777 permissions. In fact, scripts with 777 permissions, or scripts in directories with 777 permissions, will not run; attempting to execute them will instead cause a 500 internal server error, to protect you from someone abusing your scripts. Your scripts and directories can have a maximum of 755 permissions (read/write/execute by you, read/execute by everyone else). PHP running as CGI/suexec is much more secure than the older Apache module method.

What is the downside to using phpsuexec?

Performance: PHP runs via a CGI interpreter, which adds overhead to your CPU.
PHP Scripts: Some scripts do not like the phpsuexec CGI environment, as it changes certain PHP internal system variables, causing them to fail.
.htaccess: Manipulating PHP settings is not possible (use a local php.ini instead).
Security: Files / directories given world read+write+execute (777) permissions will not work; instead these will need to be changed to 755.
PHP Accelerator: Zend does still function; however, other popular accelerators such as eAccelerator do not.
URLs: Variables in the URL that are not encoded as regular variables, that is, variables inside the URL path rather than expressed like view.php?=view, will not work.

What is the upside to using phpsuexec?

Security: It is far more secure without global world write permissions.
File Ownership: Files are owned by the user/usergroup rather than nobody/nobody.

How do I enable it?

You will need to recompile Apache with PHPsuexec enabled.
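A defender's check for the 777 failure mode this FAQ describes: suexec refuses to run a script, or anything in a directory, that is writable by group or others, so the audit below lists exactly those paths and brings them down to the 755/644 maximum. This is an added example, not part of the thread; the web root path is an assumption.

```shell
#!/bin/sh
# Audit a web root for permissions that suexec will refuse (500 error).
# suexec rejects scripts and parent directories that are group- or
# world-writable; that is why 777 "works" under mod_php but not here.
# Constructed example; /home/user/public_html is an assumed path.

# Print every file or directory under $1 that is group- or world-writable.
# GNU find's "-perm /022" matches if ANY of the two write bits is set.
find_suexec_unsafe() {
    find "$1" -perm /022 -print | sort
}

# Return the number of offending paths (no leading spaces from wc).
count_suexec_unsafe() {
    find "$1" -perm /022 -print | wc -l | tr -d ' '
}

# Bring offenders down to the maximum the FAQ allows:
# directories and PHP scripts become 755, other data files 644.
fix_suexec_unsafe() {
    find "$1" -type d -perm /022 -exec chmod 755 {} +
    find "$1" -type f -name '*.php' -perm /022 -exec chmod 755 {} +
    find "$1" -type f ! -name '*.php' -perm /022 -exec chmod 644 {} +
}

# Typical use (assumed path): report first, then fix.
if [ "${1:-}" = "--run" ]; then
    docroot="${2:-/home/user/public_html}"
    echo "group/world-writable paths under $docroot:"
    find_suexec_unsafe "$docroot"
    fix_suexec_unsafe "$docroot"
    echo "remaining offenders: $(count_suexec_unsafe "$docroot")"
fi
```

Run the report first on a live host; an upload directory that legitimately needs writing stays writable by the owner after the fix, because the script now runs as that owner under suexec.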

StingRay
08-17-2005, 11:04 PM
"urls: Variables in URL not encoded as regular variables that is view.php?=view will not work."


Can you clarify that?
For example view.php?12345
or view.php?id.37

Both work just fine. So I'm thinking you mean something else

ozgreg
08-17-2005, 11:22 PM
My bad, my typo, I forgot NOT!! I've just reworded this slightly...

"URLs: Variables in the URL that are not encoded as regular variables, that is, variables inside the URL path rather than expressed like view.php?=view, will not work."

Hvu
08-18-2005, 02:02 AM
I'm using FastCGI with PHP and it gives similar protection to phpsuexec, but you can use eAccelerator with it.

ozgreg
08-18-2005, 02:34 AM
Hey, that is nice. I've never been a fan of phpsuexec because of its overheads, but I recently saw suPHP (http://www.suphp.org)

"suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of the process executing the PHP interpreter."

Love to hear some comments on this little gem..

Fred
08-18-2005, 12:22 PM
I've used it on a FreeBSD VPS a year ago... It was running fine!! And its feature is great... but the downsides about CPU and slow speed are the same... (I don't know about the new version...)

StingRay
08-18-2005, 05:41 PM
Hvu,
You are using DirectAdmin, PHP CGI, FastCGI, eAccelerator, correct?
Is that even possible with Cpanel?

elix
08-18-2005, 05:52 PM
Hvu,
You are using DirectAdmin, PHP CGI, FastCGI, eAccelerator, correct?
Is that even possible with Cpanel?
iirc, yes.

Hvu
08-18-2005, 11:10 PM
I don't see why it isn't possible; cPanel just uses Apache to add vhosts. Your PHP configuration shouldn't affect the control panel.

Directadmin, FastCGI, PHP, eAccelerator, Zend Optimizer

ozgreg
08-19-2005, 12:12 AM
Unfortunately suPHP does not work with eAccelerator, so I have canned any ideas with that product. (BTW, PHPsuexec is no longer being developed..)

I am interested in FastCGI as it seems to be the way to go.. I am unclear whether FastCGI can be utilised for any PHP script or just PHP scripts compiled for FastCGI?

Hvu
08-19-2005, 01:51 AM
Any PHP script will work. It's just regular PHP, but using the FastCGI module rather than mod_php.

StingRay
08-19-2005, 06:25 PM
I know in Cpanel you can specify the PHP version to use, so I assume anything out of the ordinary means you do everything manually and avoid anything in Cpanel for fear of breaking your setup.

I'm still fuzzy on how FastCGI works.. instead of mod_php you have mod_fcgi .. and this includes PHP .. somehow? Or you have PHP CGI installed and somehow have mod_fcgi use it?

Sorry I'm learning. I'm not afraid to read and learn, if someone points me to something a little friendlier than a technical manual :P

Hvu
08-19-2005, 09:43 PM
You install FastCGI and compile PHP for FastCGI, then put it in your Apache config. Sorry, I'll write up a how-to soon.

ozgreg
08-20-2005, 08:53 AM
Thanks Hvu, I for one am interested in this option, as I want to better secure PHP against the hacking attacks I know will come..

Hvu
08-23-2005, 02:24 AM
Might take a couple of days since I've been busy with work, and with the new school year starting on Wednesday I'm out buying books and playing with my new laptop with Vista ;P