PHPsuexec Information

Post by balz on Tue May 20, 2008 4:13 pm

PHPsuexec Information

All servers will be recompiled with phpsuexec. PHPsuexec runs all php scripts as your username, instead of nobody so it is much easier to track who is running which scripts. This will also fix any permission and ownership errors you may have seen when uploading/modifying files through a web page.

PHPsuexec FAQ

#1. What is the difference between before and now?
Most sites will not be affected with the change. Phpsuexec works in the same way that cgi (perl scripts etc) with suexec does. All scripts and applications are run under your account user name, rather than the user "nobody".

This simply means that rules that apply to .cgi and .pl files on your current server, apply to php files also - The maximum permissions permitted on directories and .php files is 755. Failing to have permissions set to a maximum of 755 on php files and their installation paths, will result in a 500 internal server error when attempting to view them.

#2. Do I need to chmod my directories to 777?
No, you do not need to have directories or files set to 777, even if your installation documents tell you that you do. Permissions of 755 will work in the same way. Scripts owned by your account username will be able to write to your files, the same way that they can while running with 777 permissions.

If you have php applications/scripts that have directories set to 777, (required to write to them under php/apache module), they would need to be changed - Also you would need to change ownerships of all files owned by user "nobody" to the username for your account. This cannot be done yourself, and you will need to submit a ticket to Support if you find any files in your account under the username "nobody".

#3. What about .htaccess files?
You cannot manipulate the php.ini settings with .htaccess when running php as cgi/phpsuexec.

If you are using .htaccess with php_value entries within it, you will receive an internal server 500 error when attempting to access the scripts. This is because php is no longer running as an apache module and apache will not handle those directives any longer.

All php values should be removed from your .htaccess files to avoid any complications. Adding a php.ini file in its place will solve this issue.

#4. What is a php.ini file and how do I go about making one?
The php.ini file is a configuration file that the server looks at to see what options have been modified from the default server configuration. While the name may seem advanced to those unfamiliar with it, it's simply a text file with the name php.ini

To create a php.ini file, just open up a text editor, add in the lines you need and save the file. You can name the file whatever you wish when saving. Once done, upload the file to the directory where the script you're using is being accessed from and then rename it to php.ini

#5. Troubleshooting
My php script doesn't work or I have an error message:
1. Check that the php script that you are attempting to execute has permissions of no more than 755. Permissions of 644 will work just fine normally. This is not something that will need to be changed in most cases.

2. Check that the directory permissions that the script resides in are set to a maximum of 755. This also includes directories that the script would need to have access to.

3. Check that you do not have a .htaccess file with php_values within it. They will cause a 500 Internal server error, when attempting to execute the script. The php_values will need to be removed from your .htaccess file and a php.ini put in its place, containing the php directives as explained above.

Some users have reported problems accessing the admin section of their script installed. This is because, thanks to PHPsuexec, your admin username/password cannot be written to a .htaccess file.

The solution.

Do NOT create any Password Protection!

This will allow you to make all the necessary adjustments and settings changes you need to, however you must find an alternative way to protect your admin directory!

In cpanel this is easy, just click on the 'Password Protect Directories' link and follow the simple instructions. If you do not have cpanel look over the web for password scripts, there are dozens of them.

DO NOT LEAVE YOUR ADMIN DIRECTORY WITHOUT PASSWORD PROTECTION IN PLACE.
It is better to be approximately right than precisely wrong
balz
Site Admin
 
Posts: 258
Joined: Mon Feb 04, 2008 12:19 am
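
An added example, not part of the original post: the .htaccess-to-php.ini move described in FAQ #3 and #4, done with awk. The function names, the sample directives and the /home/user/lib path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): turn the php_value / php_flag lines of
# an .htaccess file into php.ini syntax. Function names are hypothetical.

# Constructed sample .htaccess, used when no file is given.
sample_htaccess() {
    cat <<'EOF'
# php_value memory_limit 64M
RewriteEngine On
php_value upload_max_filesize 10M
  php_flag display_errors Off
php_value include_path ".:/home/user/lib"
EOF
}

# Print "name = value" for each active php_value/php_flag directive.
# Reads file $1, or standard input when no file is given.
htaccess_to_ini() {
    awk '
        /^[ \t]*#/ { next }    # commented-out directives are ignored
        tolower($1) == "php_value" || tolower($1) == "php_flag" {
            name = $2
            val = $0
            # drop the directive word and the setting name, keep the value
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]*/, "", val)
            sub(/[ \t\r]+$/, "", val)
            printf "%s = %s\n", name, val
        }' "${1:--}"
}

# Print the input without those directives: what may stay in .htaccess.
htaccess_without_php() {
    awk '/^[ \t]*#/ || (tolower($1) != "php_value" && tolower($1) != "php_flag")' "${1:--}"
}

# Usage: sh convert.sh .htaccess > php.ini   (no argument: convert the sample)
if [ "$#" -gt 0 ]; then
    htaccess_to_ini "$1"
else
    sample_htaccess | htaccess_to_ini
fi
```

Review the generated lines before uploading them as php.ini, then replace the old .htaccess with the output of htaccess_without_php.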

Re: PHPsuexec Information

Post by shivashankar on Tue Feb 24, 2009 10:25 pm

Differences between phpsuexec and "regular php":
When using the common PHP installation on a webserver, php runs as the
user nobody and it doesn't require the execute flag to be enabled.

The problem on this is that if mod_openbasedir is not installed, every
user will be able to read your php files because everyone is virtually
sharing the same username (nobody).

As most of you already know, PHP Files are not meant to be read, but
parsed, and that is where the problem resides. PHP Files have to be
parsed, otherwise everyone who is able to read your php file will see
settings that you would probably want to keep private, such as your MySQL
username and password.

PHPSUEXEC fixes all this because it requires php to be run as the file
owner's username. (for example: andre)

This is not everything it fixes though. PHPSUEXEC is also here to fix file
ownership problems. This has been a common issue on a few Content
Management Systems such as Joomla and also on the popular blog software:
WordPress.

It also adds security to your files as you can use permissions such as 600
or 700 in your files and your visitors will still be able to view them
(parsed) in their browsers.

PHPSUEXEC will also refuse to serve any pages that are at security risk,
for example with 777 as permissions. (will generate an Internal Server
Error)

Troubleshooting Internal Server Errors (Error 500):
Every time an internal server error occurs, it will be added to your Error
Log in cPanel. (cPanel »» Error Log). This will usually give you a clue
on where the error resides. In most cases it will be either a permission
error or a bad command in your .htaccess file (remember that all php
values have to go to your php.ini file).

Directories that need to be written onto will no longer require 777 as
permissions and phpsuexec will refuse to write or read on directories
exposed with such permissions. You will have to chmod them to 755 always.

To simplify it, just remember that you should never have a file or folder
with world-writeable permissions, because you no longer have to.

MIMETypes:
If you added a Mimetype to the system in order to run html files as php
scripts (AddType as .htaccess command), you will have to remove it and add
an ApacheHandler instead. This is easy to do though. Just log into your
control panel, then click on Apache Handlers and add the following:

Extension: html (or htm)
Handler: application/x-httpd-php

QuickStart for impatient users :
Technically, PHPSUEXEC will make sure your scripts and directories abide
by the following security rules:

* User executing the wrapper must be a valid user on the server.
* The command that the request wishes to execute must not contain a /.
* The command being executed must reside under the user's web document
root (public_html).
* The current working directory must be a directory.
* The current working directory must not be writeable by group or other.
* The command being executed cannot be a symbolic link.
* The command being executed cannot be writeable by group or other.
* The command being executed cannot be a setuid or setgid program.
* The target UID and GID must be a valid user and group on the system.
* The target UID and GID to execute as, must match the UID and GID of the
directory.
* The target execution UID and GID must not be the privileged ID 0.
* Group access list is set to NOGROUP and the command is executed.

Protecting your php.ini file:
To protect your php.ini you should set its permissions to 600.
Additionally you can add the following line to your .htaccess file:

Code:

<Files php.ini>
Order deny,allow
Deny from All
</Files>

shivashankar
 
Posts: 6
Joined: Mon Mar 03, 2008 4:23 pm
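
An added example, not part of the original posts: a pre-flight check of one script against the file-level rules in the list above (symlink, group/other write bits, setuid/setgid, owner matching the directory, no ID 0), which also covers the 755 checks from the troubleshooting steps in the first post. The function names and messages are hypothetical, and treating the file owner as the target UID/GID is an assumption taken from the post's description.

```shell
#!/bin/sh
# Added example (not from the thread): check one script against the
# file-level suexec rules listed above. Names and messages are hypothetical.

# Numeric "uid gid" of a path; ls -n is POSIX, unlike the options of stat.
owner_ids() { ls -ldn "$1" | awk '{print $3, $4}'; }

# True when every permission bit in $2 (octal) is set on path $1.
has_bits() { [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]; }

# True when path $1 is writable by group or by other.
loose() { has_bits "$1" 020 || has_bits "$1" 002; }

# Print one FAIL line per violated rule; return 0 only when none is violated.
suexec_preflight() {
    script=$1
    dir=$(dirname "$script")
    bad=0
    if [ -L "$script" ]; then
        echo "FAIL: $script is a symbolic link"; return 1
    fi
    if [ ! -f "$script" ]; then
        echo "FAIL: $script is not a regular file"; return 1
    fi
    if loose "$script"; then
        echo "FAIL: $script is writable by group or other"; bad=1
    fi
    if has_bits "$script" 4000 || has_bits "$script" 2000; then
        echo "FAIL: $script is setuid or setgid"; bad=1
    fi
    if loose "$dir"; then
        echo "FAIL: directory $dir is writable by group or other"; bad=1
    fi
    ids=$(owner_ids "$script")
    if [ "$ids" != "$(owner_ids "$dir")" ]; then
        echo "FAIL: owner of $script ($ids) differs from owner of $dir"; bad=1
    fi
    # Assumption: the script runs as its owner, so owner uid/gid 0 is refused.
    case " $ids " in
        *" 0 "*) echo "FAIL: $script is owned by uid or gid 0"; bad=1 ;;
    esac
    return "$bad"
}

# Usage: sh preflight.sh public_html/index.php
if [ "$#" -gt 0 ]; then suexec_preflight "$1"; fi
```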

