PHP SuExec
Security
Precautions & Abuse Prevention:
Implementation of
PHPsuexec
As you know,
we like to introduce new concepts as simply as possible. The goal is always a
concise explanation without room for confusion. However, explaining phpsuexec
is going to have to be a long one I'm afraid.
What is happening exactly?
We are
phasing all older servers to use phpsuexec. New servers will have it from the
start. We will apply this change to older servers but only a few servers
at a time.
Explain what PHPsuexec is:
On most
Apache servers, PHP runs as an Apache module, this is the default way. This is why phishing scams
(eBay/PayPal scams, online banking scams) are so rampant. Scammers scour the
web for holes and it is extremely easy for them if the server they find has
this type of setup. Most hosts have this setup because they do not realize *it
doesn't have to be this way* and there is a better way. We have to help put a
stop to this abuse and secure our servers.
This will
improve your service. How?
All
scripts will be executed with the account username instead of "nobody".
Why is this important to us:
If we find that some account is running malicious scripts and causing the
server to crash, we can find the details quickly. No more tedious and time consuming
searches through logs and comparing paths. If there is spam being sent out of
the server, we can find the exact path and stop it quickly to avoid mail
problems/errors on the server. We also want to be a respected role model for
other hosts and most importantly, a host that you can be proud of. If
you have never heard of phpsuexec before (and there's certainly a good chance
that you haven't), we hope that you can welcome this and even make it a
personal requirement for your hosting.
We hope that this introduction to phpsuexec has been clear.
PHPsuexec Details
1.
777 Permissions
Old setup:
When PHP runs as an Apache Module it executes as the
user/group of the webserver which is usually "nobody". Under this mode, files or
directories that you require your php scripts to write to need 777 permissions
(read/write/execute at user/group/world level). This is not very secure
because besides allowing the webserver to write to the file it also allows
anyone else to read or write to the file. It makes you ask yourself why has
this been the default way all along?
New setup- PHPsuexec:
PHP running as CGI with suexec enabled - Your php scripts now
execute under your user/group level. Files or directories that you require your
php scripts to write to no longer need to have 777 permissions. In fact, having 777 permissions on your
scripts or the directories they reside in will not run and will instead cause a
500 internal server error when attempting to execute them to protect you from
someone abusing your scripts. Your
scripts and directories can have a maximum of 755 permissions
(read/write/execute by you, read/execute by everyone else).
2.
Goodbye .htaccess
and Hello .ini
Under the old Apache Module mode you were able to manipulate
the PHP settings from within a .htaccess file placed in the script's directory.
For example you could turn off the php setting "magic_quotes_gpc"
with this line in .htaccess:
php_value magic_quotes_gpc on
With PHP running as CGI/phpsuexec, manipulating the PHP settings is still possible
however it can not be done with .htaccess. Using .htaccess with php_value
entries within it will cause a 500 internal server error when attempting to
access the scripts. This is because php is no longer running as an apache
module and apache will not handle those directives any longer.
All php values should be removed from
your .htaccess files to avoid the 500 internal server error. Creating a php.ini
file to manipulate the php settings will solve this issue.
3.
About php.ini
What is a php.ini file and how do I go about making one?
The php.ini file is a configuration file that the server looks at to see what
options have been turned on, off or set to a number different from the defaults
that we have set for the server. While the name may seem advanced to those
unfamiliar with it, it's simply a text file with the name php.ini
To create a php.ini file, just open up a text editor, add in the lines you need
and save the file. You can name the file whatever you wish when saving. Once
done, upload the file to the directory where your script is located and then
rename it to php.ini
For example you can turn off the php setting "magic_quotes_gpc" with
this line in php.ini:
magic_quotes_gpc = no
4.
Troubleshooting
HELP! My php script doesn't work or I have an error message.
1. Check that the php script that you are attempting to execute has permissions
of no more than 755 - 644 will work just fine normally, this is not something
that will need to be changed in most cases.
2. Check that the directory permissions that the script resides within is set
to a maximum of 755. This also includes directories that the script would need
to have access to also.
3. Check that you do not have a .htaccess file with php_values within it. They
will cause a 500 Internal server error, when attempting to execute the script.
The php_values will need to be removed from your .htaccess file and a php.ini
put in its place, containing the php directives as explained above.
Last Updated 2/14/2008