Full Version: phpsuexec Pros & Cons
SongDog
What are the pros & cons of running phpsuexec on a cpanel box?

Yes I've run a search on the boards here but did not come up with anything substanchial (sp).
SongDog
No opinions ?
freddo
You can chmod password.inc files to 700 which stops people from reading them.
SongDog
Thanks Michael, Where do I get it & how to install on cpanel?
hoster2k
Recompile apache with phpsuexec support
freddo
run /scripts/easyapache
and choose expert
If you're running a hosting business you'll want to add the "~anti leech module" as well
Then enter the "php modules" list and add in any modules you want. Recommend at least "curl" and "SSL curl".

The thing runs for a couple of minutes, screen printing madly, when finished restart apache.
hoster2k
You may find the bandwidth leech feature upsets those who have just signed up and want to preview their site.
freddo
preview still works
imin
From what I hear, there are scripts that will not function under phpsuexec's conditions, might want to be careful of that.
SongDog
QUOTE
Originally posted by imin
From what I hear, there are scripts that will not function under phpsuexec's conditions, might want to be careful of that.


You're right, one I wrote long ago won't function. Now to find out why. Anyone have any pointers of what to steer clear of?
Bubble
"~anti leech module"

where is that?
Michael
Phpsuexec breaks a centralized SquirrelMail install. :(
SongDog
QUOTE
Originally posted by Michael
Phpsuexec breaks a centralized SquirrelMail install.  :(


Hum, That's not a good thing.
freddo
phpsuexec runs as cgi therefore anything that depends on php running as a module won't function. Same with Ensim pro - high security (this is the future - learn to love it).
Michael
QUOTE
Originally posted by freddo
phpsuexec runs as cgi therefore anything that depends on php running as a module won't function. Same with Ensim pro - high security (this is the future - learn to love it).


phpsuexec doesn't break Ensim Pro's SquirrelMail. :D

I think we need a better SquirrelMail solution for cPanel. :(
Pda0
Check out my howto :D

.pd
nogi
Check out my howto :confused: - I do not comprende - erh hehe - it is in Spanish :P :(

John
blaze64
OK... so these are the negatives. What are the POSITIVES or running it?
mau1986
Upsides:
If anyone attempts to hack your server via a PHP script.. you'll most likely be able to determine their user id.

For E-Mail sent through forms... you will be able to see the user's id in the mail message as the sender, making it easier to track spam.

The ease of tracking is well worth it, in my opinion. We upgraded nine machines to use phpSuExec (all production machines which were full). The only moment we even thought about switching back was when we received a huge amount of support tickets regarding PHP scripts, but once that is over, it's smooth sailing and well worth the upgrade.

PhpSuexec coupled with a no-exec /tmp is a great security measure. We haven't had anyone get near hacking our servers with these two updates combined.

Downsides:
Just about any script could be re-coded to be usable with phpSuExec, but not many people are willing to do it. Fortunately, my users didn't mind it too much once they got everything configured.

.htaccess php modifications no longer work, they must be done with a file named 'php.ini' in all directories of an account to change any settings. But, it can be done, which is the nice part.

If you've been running PHP as an apache module up to this point on a production machine.. your customers will not be happy when they come home to see their webpages screwed up due to the new permission settings that must be changed.

It's a bit tough to install taking into consideration easyapache (easy), chmod all users directories to their own user (I made scripts for it... didn't take too long, but it wasn't fun), and then wait for the support requests to roll in.

Regards,
Matt
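
What the move from .htaccess directives to a per-directory php.ini described above looks like in practice, as an added example that is not part of the thread. The function names and the sample .htaccess are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): split a .htaccess into the php.ini
# lines PHP-as-CGI will read and the Apache-only directives that remain.

# Print php.ini equivalents of the php_value / php_flag lines in file $1.
htaccess_to_phpini() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }
        {
            d = tolower($1)
            if (d != "php_value" && d != "php_flag") next
            val = $0
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", val)  # drop directive + name
            sub(/[ \t\r]+$/, "", val)
            if (d == "php_flag") {
                v = tolower(val)
                val = (v == "on" || v == "1" || v == "true") ? "On" : "Off"
            }
            print $2 " = " val
        }' "$1"
}

# Print file $1 with the php_value / php_flag lines removed.
htaccess_without_php() {
    awk 'tolower($1) != "php_value" && tolower($1) != "php_flag"' "$1"
}

# Constructed sample .htaccess for the demonstration.
sample_htaccess() {
    cat <<'EOF'
# constructed sample
Options -Indexes
php_flag register_globals off
php_value upload_max_filesize 8M
  php_value include_path ".:/home/userX/lib"
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    sample_htaccess > "$tmp"
    echo "--- php.ini";   htaccess_to_phpini "$tmp"
    echo "--- .htaccess"; htaccess_without_php "$tmp"
    rm -f "$tmp"
}
demo
```
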
mktw
cool.. that was quite a nice info from mau1986!

from what i got:
1) do the /scripts/easyapache thing
2) chmod -R userX /home/userX (am i getting right?)
3) for all .htaccess modifications, put it into separate php.ini and put it in /home/userX/public_html/ or wherever the .htaccess was present. (correct?)
4) php scripts have to chmod to +x (executable) ?
5) freddo mentioned.. password.inc chmod to 700, where are these password.inc ?

Thanks
freddo
There is no longer any need to chmod php files - they work fine as they are/uploaded.

You can set any file with passwords in it to 700 - password.inc was just an example. You don't have to BTW.
mau1986
QUOTE
Originally posted by mktw
2) chmod -R userX /home/userX (am i getting right?)


Don't do that, just on their public_html directory.

Cpanel actually provides a script now to automatically do this if you would prefer.

/scripts/chownpublichtmls

Regards,
Matt
mktw
Thanks for the great insight!!.. looks like i'm preparing to join the phpsuexec users team!

before that... any examples of the common scripts which would not work?

phpNuke?
phpBB?
InvisionBoard?
php based helpdesk?
formmail.php scripts?
any of the 3rd party programs in CPanel will break?

Thanks again... :)
phenx
QUOTE
Originally posted by mau1986
Upsides:
If anyone attempts to hack your server via a PHP script.. you'll most likely be able to determine their user id.



That's assuming it doesn't get reformatted first ;)
nogi
That's assuming it doesn't get reformatted first

lol - thanks for the very needed input :D

John
freddo
QUOTE
Originally posted by mktw
Thanks for the great insight!!..  looks like i'm preparing to join the phpsuexec users team!

before that...  any examples of the common scripts which would not work?  

phpNuke?
phpBB?
InvisionBoard?
php based helpdesk?
formmail.php scripts?
any of the 3rd party programs in CPanel will break?

Thanks again... :)


I haven't found any that don't work.
mktw
QUOTE
Originally posted by freddo
There is no longer any need to chmod php files - they work fine as they are/uploaded.


ok and what about the scripts already present? i mean in the production server clients have some custom php programs.. ?

Thanks for your response :)
freddo
There shouldn't be any problems except with scripts that use http_authentication - it's not supported because php is not running as a http module. http_authentication is that little pop-up window that asks for password/username (like what cpanel and whm uses). Most scripts these days ask for username/password from a webpage rather than using http_authentication.

It won't mess up cpanel/whm http_authentication because that whole thing is run off another copy of apache running php as a module. :D
solokron
In the quest for additional security I installed apache with phpsuexec set. After apache restarted I found sites that referenced
producing..."fatal error call to undefined function virtual"

Ultimately I had to thunk back down to removing php suexec.

How can this be resolved?
solokron
Anyone? :)
netk
As a wild guess, I read elsewhere that when php is running like CGI you place #!/usr/bin/php like you do for perl scripts

Some PHP compilers do not like this and cannot deal with it.
solokron
Anyone else find that once php suexec is enabled many apps that pass login information via a dialog box no longer work?

If so what was your resolution?
Michael
Yeah, it would break it if the script writes to /tmp, I think. Anyway, they start working again if you disable it.. I had just posted a thread about this on cpanel forums.. I'm glad I was subscribed to this thread. I think you figured it out - I had no clue why the logins weren't working any more! :rolleyes:

Michael
Wiz
QUOTE (netk)
As a wild guess, I read elsewhere that when php is running like CGI  you place #!/usr/bin/php like you do for perl scripts  

Some PHP compilers do not like this and cannot deal with it.


Dear netk, have you found a solution for that ?

We have same problem in an environment with phpsuexec recently configured.


We have tried this:
QUOTE
#!/usr/bin/php
<?php virtual('/scgi-bin/foo.cgi')
?>


but I'm still getting:

QUOTE
Fatal error: Call to undefined function: virtual() in /path/to/script.php on line 13


(I get the same error message without the #!/usr/bin/php.)

Thanks in advance for some tips :)
have a nice day!
solokron
Don't use virtual. Use
php include

QUOTE (Wiz)
Dear netk, have you found a solution for that ?

We have same problem in an environment with phpsuexec recently configured.



We have tried this:


but I'm still getting:



(I get the same error message without the #!/usr/bin/php.)

Thanks in advance for some tips :)
have a nice day!
Wiz
The trouble is, include() does not pass variables from a form onto the CGI script
Catalyst
Umm ..
CODE
<?php

virtual('/full/path/to/scgi-bin/foo.cgi')

?>
is valid for a served page, and
CODE
#!/usr/bin/php -q

virtual('/full/path/to/scgi-bin/foo.cgi')
for a command-line script. Don't mix them up. :-)

The function is completely deprecated, anyway. What kind of CGI is it that can't be quickly re-written in PHP? As a last resort...
CODE
<?php

putenv('REQUEST_METHOD=POST');

putenv('QUERY_STRING=stringstringstring');

passthru('/full/path/to/scgi-bin/foo.cgi');

?>
Maybe that'll getcha where ya wanna go.
Wiz
ok, nothing work :)
solokron
Virtual does not function with php suexec in my experience.
aussie
QUOTE (SongDog)
What are the pros & cons of running phpsuexec on a cpanel box?

Yes I've run a search on the boards here but did not come up with anything substanchial (sp).



Pros:

More Secure.
Identifiable Email
Runs as user not as nobody so forum avatar uploaded by users will be owned by the user not as nobody. This includes many other 3rd party scripts which permit uploads.
Disk quota will be more accurate as files will no longer be owned by nobody but rather by the user so proper quota will be calculated.


Cons:
Runs just a bit slower since it runs as CGI
Some Fantastico installation may bomb after installation
Need to modify .htaccess to not use php directives (Educate your users)
Existing script may need to be re permed on some installations. EG PhpLive for instance. I have to chmod 0755 all php scripts even after uploading them via FTP. Depends on the scripts though, most of the time your users won't need to do a thing to continue using their sites. Depends on the situation really.

Don't forget to search for all files owned by nobody in /home. Those will need to be chown user.user. We found many images like gallery uploads that were chown nobody.nobody.
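
The search for files still owned by nobody under /home, sketched as an added example that is not part of the thread. It assumes the cPanel layout where the directory name under /home is the account name; the function names and the sample tree are constructed, and in the demo the current user stands in for nobody.

```shell
#!/bin/sh
# Added example (not from the thread): find what is still owned by the web
# server user under the home directories, before handing it back to accounts.

# Print "account<TAB>path" for every entry below BASE/<account>/ owned by USER.
# Assumes the directory name directly under BASE is the account name.
orphans() {  # usage: orphans BASE [USER]
    base=${1%/}; owner=${2:-nobody}
    find "$base" -mindepth 2 -user "$owner" -exec sh -c '
        base=$1; shift
        for p do
            rel=${p#"$base"/}
            printf "%s\t%s\n" "${rel%%/*}" "$p"
        done' sh "$base" {} + | sort
}

# Print "account count" so the busiest accounts can be reviewed first.
orphan_counts() {
    orphans "$@" | awk -F '\t' '{ n[$1]++ } END { for (a in n) print a, n[a] }' | sort
}

# Hand the entries back to their accounts (root only; paths containing
# newlines are not handled by this line-based loop).
reown() {
    orphans "$@" | while IFS="$(printf '\t')" read -r acct path; do
        if id -u "$acct" >/dev/null 2>&1; then
            # -h changes a symlink itself, never the file it points at.
            chown -h -- "$acct:$acct" "$path"
        else
            echo "skipped, no such account: $path" >&2
        fi
    done
}

# Constructed tree; the current user stands in for "nobody".
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/userX/public_html/gallery" "$d/userY/public_html"
    : > "$d/userX/public_html/gallery/upload 1.jpg"
    : > "$d/userY/public_html/avatar.png"
    echo "$d"
}

tree=$(make_sample_tree) && orphan_counts "$tree" "$(id -u)"
rm -rf "$tree"
```

On a real server the review step would be `orphan_counts /home` followed, as root, by `reown /home`.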