Phpsuexec is a deprecated feature in cPanel where PHP is set up as a CGI instead of as an Apache module. All shared hosting servers have been updated from phpsuexec to suPHP. This applies to those clients who are still using phpsuexec on their VPS/dedicated servers. Phpsuexec brings a new level of security to the way PHP is used.
php_flag register_globals off
will go into php.ini as:
If a php.ini exists in the folder where the PHP script lives, all values are taken from it (and nothing is taken from the main php.ini).
Similarly, if you are using ForceType in .htaccess to force a file to be treated as PHP, you will need to change it to SetHandler.
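As an added example (not from the original post), a small Python script that does the mechanical part of this migration: it pulls php_flag/php_value lines out of a mod_php-style .htaccess into php.ini syntax and rewrites ForceType to SetHandler. The sample .htaccess is constructed; the handler name is kept as found and should match the AddHandler line in use.

```python
import re

# Constructed sample .htaccess (not from the original page): the mod_php style
# php_flag/php_value lines and ForceType that break under phpsuexec/suPHP.
SAMPLE_HTACCESS = """\
# Use PHP5 as default
AddHandler application/x-httpd-php5 .php .php3 .phtml
php_flag register_globals off
php_flag display_errors on
php_value upload_max_filesize 20M
php_value include_path ".:/home/username/lib"
<Files index.html>
ForceType application/x-httpd-php
</Files>
RewriteEngine On
"""

# php_flag/php_value are mod_php directives; CGI PHP never sees them and
# Apache answers "500 Internal Server Error" when it meets them in .htaccess.
PHP_DIRECTIVE = re.compile(r'^\s*(php_flag|php_value)\s+(\S+)\s+(.+?)\s*$', re.I)
# ForceType only sets a MIME type; under suPHP the script must be routed to
# the PHP handler, which SetHandler does.
FORCETYPE = re.compile(r'^(\s*)ForceType\s+(application/x-httpd-php\S*)\s*$', re.I)

def convert(htaccess_text):
    """Return (cleaned .htaccess text, php.ini text) for a mod_php .htaccess.

    php_flag/php_value lines are removed and emitted in php.ini syntax,
    ForceType for the PHP type becomes SetHandler, everything else is kept.
    """
    htaccess_out, ini_out = [], []
    for line in htaccess_text.splitlines():
        m = PHP_DIRECTIVE.match(line)
        if m:
            kind, name, value = m.group(1).lower(), m.group(2), m.group(3)
            if kind == 'php_flag':  # flags are written as On/Off in php.ini
                value = 'On' if value.lower() in ('on', '1', 'true') else 'Off'
            ini_out.append(f"{name} = {value}")
            continue
        m = FORCETYPE.match(line)
        if m:  # keep the same handler name the AddHandler line uses
            htaccess_out.append(f"{m.group(1)}SetHandler {m.group(2)}")
            continue
        htaccess_out.append(line)
    return "\n".join(htaccess_out) + "\n", "\n".join(ini_out) + "\n"
```

Run it over your own .htaccess, append the php.ini output to the php.ini suPHP reads for that folder, and replace the .htaccess with the cleaned version.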
suPHP is a tool for executing PHP scripts with the permissions of their owners. Currently our servers use phpsuexec, which also executes PHP with the permissions of the file owner. However, these are two different tools, and there are some improvements in moving to suPHP.
Once suPHP is available on your server, you can log in to your control panel and find a link ‘PHP Configuration’ under ‘Software/Services’. On that page:
where username is your cPanel account username and php5-config is just a folder name (you can name it anything); suPHP will pick up php.ini from that folder. Yes, with suPHP you can keep php.ini outside of your webroot. This is a new feature.
AddHandler application/x-httpd-php5 .php .php3 .phtml
or a variant of it. This line must be preceded by the marker comment that blocks cPanel from changing your settings:
# Use PHP5 as default
With the common PHP installation on a web server, PHP runs as the user nobody and does not require the execute flag to be enabled on the scripts.
The problem with this is that if mod_openbasedir is not installed, every user will be able to read your PHP files, because everyone is effectively sharing the same username (nobody).
As most of you already know, PHP files are not meant to be read but parsed, and that is where the problem lies. PHP files have to be parsed; otherwise everyone who is able to read your PHP file will see settings that you would probably want to keep private, such as your MySQL username and password.
PHPSUEXEC fixes all this because it requires PHP to run as the file owner’s username (for example: andre).
This is not everything it fixes though. PHPSUEXEC is also here to fix file ownership problems.
This has been a common issue with a few content management systems such as Joomla, and also with the popular blog software WordPress.
It also adds security to your files: you can use permissions such as 600 or 700 on your files, and your visitors will still be able to view them (parsed) in their browsers.
PHPSUEXEC will also refuse to serve any page that poses a security risk, for example one with 777 permissions (this will generate an Internal Server Error).
When PHP runs as an Apache module, PHP files work under the Apache user/group known as “nobody”. For example, when a PHP file needs to write to another file or create/remove a file, it does so under the name “nobody”. In order to allow “nobody” to do this, you need to set specific permissions on the file/directory, such as 777 – which translates to read/write/execute by user/group/world. This is insecure because you have not only allowed the webserver (Apache) to read/write to the file, you have also allowed everyone else on the server to read/write to the file as well!
Due to the above conditions, when a PHP file creates or uploads a new file under your account, the new file will be owned by the user “nobody”. If you FTP into your account, files owned by “nobody” will not be available for you to move, rename or delete. In this case the only way to remove the “nobody”-owned files would be through a script on the server, or to contact support and ask for the file ownership to be changed back to your username.
When PHP runs as a CGI with suexec, PHP files run under your user/group. PHP files no longer require loose permissions to function; now they require strict permissions. Setting your directories or PHP files to 777 will cause them to produce a 500 Internal Server Error; this happens to protect your PHP files from being abused by outside sources.
Under PHPSuexec your directories and PHP files can have permissions no greater than 755 (read/write/execute by your username, read/execute by group/world). Since you own your files, your scripts can function in any directory your user has created and can’t be manipulated by any outside users, including “nobody”.
Now, when a PHP file creates or uploads a new file under your account, the new file will be owned by your username. You will no longer have to worry about the webserver taking over your files and even more important, you will no longer have to worry about a stranger reading or writing to your files either!
By default, PHP on WHM/cPanel is loaded as a DSO (Dynamic Shared Object) module and runs as the user “nobody”. Though this method of loading PHP is normally the fastest way to serve PHP requests, running it as user “nobody” will be a real pain in the ass if you are serving multiple sites run by multiple users: you will for sure run into file permission problems.
This is where SuExec comes into play: every PHP script is executed as the user who owns the VirtualHost serving the request. This method has drawbacks too, in both speed and security.
Anyway, if you still want to enable it then read on below.
To verify that SuExec is working as intended, try uploading a file or creating a folder with a PHP upload script.
Every time an internal server error occurs, it will be added to your Error Log in cPanel (cPanel »» Error Log). This will usually give you a clue as to where the error lies. In most cases it will be either a permission error or a bad command in your .htaccess file (remember that all PHP values have to go into your php.ini file).
Directories that need to be written to will no longer require 777 permissions; phpsuexec will refuse to write to or read from directories exposed with such permissions. You will have to chmod them to 755 instead.
To simplify, just remember that you should never have a file or folder with world-writable permissions, because you no longer need to.
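As an added example (not part of the original post), a Python audit of the permission rules above: it flags world-writable entries (the ones phpsuexec answers with a 500), directories and PHP files above 755, and files not owned by the account uid, such as leftovers owned by “nobody”. The sample entries and uids are constructed; scan() applies the same check to a real directory tree.

```python
import os
import stat

# Rules the page gives for phpsuexec/suPHP: nothing may be world-writable
# (777 gives a 500), directories and PHP files may be at most 755, and files
# should belong to the account user rather than "nobody".
MAX_MODE = 0o755
PHP_EXTS = ('.php', '.php3', '.phtml')

def check_entry(path, mode, uid, owner_uid=None):
    """Findings for one entry. `mode` is the full st_mode, `uid` the owner;
    `owner_uid` is the cPanel account's uid, or None to skip that check."""
    findings = []
    perm = stat.S_IMODE(mode)
    is_dir_or_php = stat.S_ISDIR(mode) or path.lower().endswith(PHP_EXTS)
    if perm & stat.S_IWOTH:
        findings.append(f"{path}: world-writable ({perm:o}); phpsuexec refuses it (500)")
    elif is_dir_or_php and perm & ~MAX_MODE:  # any bit outside rwxr-xr-x
        findings.append(f"{path}: mode {perm:o} exceeds 755; chmod it to 755")
    if owner_uid is not None and uid != owner_uid:
        findings.append(f"{path}: owned by uid {uid}, not account uid {owner_uid}")
    return findings

def scan(root, owner_uid=None):
    """Walk a real docroot (lstat, so symlinks are not followed)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(p)
            findings.extend(check_entry(p, st.st_mode, st.st_uid, owner_uid))
    return findings

# Constructed sample entries (path, st_mode, uid) standing in for a docroot;
# uid 1001 is the hypothetical account, uid 99 a typical "nobody".
SAMPLE_ENTRIES = [
    ("public_html", stat.S_IFDIR | 0o755, 1001),
    ("public_html/index.php", stat.S_IFREG | 0o644, 1001),
    ("public_html/config.php", stat.S_IFREG | 0o600, 1001),     # fine: PHP runs as owner
    ("public_html/uploads", stat.S_IFDIR | 0o777, 1001),        # mod_php habit, 500 now
    ("public_html/admin.php", stat.S_IFREG | 0o775, 1001),      # group-writable, > 755
    ("public_html/cache/page.html", stat.S_IFREG | 0o644, 99),  # left behind by "nobody"
]

def audit_sample(owner_uid=1001):
    out = []
    for path, mode, uid in SAMPLE_ENTRIES:
        out.extend(check_entry(path, mode, uid, owner_uid))
    return out
```

On a live account, call scan("/home/username/public_html", owner_uid=os.getuid()) as that user; every line it prints is something that would show up as a 500 or an FTP "permission denied" after the switch.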
If you added a MIME type to the system in order to run HTML files as PHP scripts (an AddType command in .htaccess), you will have to remove it and add an Apache handler instead. This is easy to do: log in to your control panel, click on Apache Handlers and add the following:
Extension: html (or htm) : AddHandler application/x-httpd-php