A Brief Overview on File Permissions
0400 read by user
0200 write by user
0100 execute by user
0040 read by group
0020 write by group
0010 execute by group
0004 read by world
0002 write by world
0001 execute by world
By adding the permissions together you get the octal mode that corresponds to the permission set. For example, 400+200+100+40+20+10+4+2+1 = 777, which is read/write/execute by user, group and world. The leading 0 in the table above is the fourth digit, which holds the setuid, setgid and sticky bits; it stays 0 for ordinary web files. Keep in mind that the "world" digit covers every other account on the machine, so on a shared server 777 is almost never what you actually want.
Thanks,
Bijou Monci
Friday, September 5, 2008
About PHPSuexec
This post describes the differences between running PHP as an Apache module and running PHP as a CGI with Suexec, and touches on some common problems experienced when running PHP as a CGI with Suexec.
What is PHPSuexec?
PHPSuexec is the shortened term often used to describe running PHP as a CGI with Suexec. Running PHP as a CGI with Suexec creates a much more secure environment than running PHP as an Apache module, because each account's scripts run under that account's own user and group instead of under the single user shared by the whole web server.
Below we describe the differences between the two forms of PHP, with examples of how security differs between them.
PHP as an Apache Module
When PHP runs as an Apache module, PHP files run under the Apache user/group, known on many servers as "nobody".
For example, when a PHP file needs to write to another file or create/remove a file, it does so as "nobody".
In order to allow "nobody" to do this, you need to set loose permissions on the file/directory, such as 777, which translates to read/write/execute by user/group/world. This is insecure because you have not only allowed the webserver (Apache) to read/write the file, you have also allowed everyone else on the server to read/write it as well. On a shared server the problem is worse than it looks: every customer's PHP runs as the same "nobody" user, so any other customer's script can read and modify whatever "nobody" can reach in your account.
Because of this, when a PHP file creates or uploads a new file under your account, the new file is owned by the user "nobody". If you FTP into your account, files owned by "nobody" cannot be moved, renamed or deleted by you.
In this case the only ways to remove the "nobody"-owned files are through another PHP script on the server (which itself runs as "nobody"), or to contact support and ask for the ownership to be changed back to your username.
PHP as a CGI with Suexec
When PHP runs as a CGI with Suexec, PHP files run under your own user/group. PHP files no longer require loose permissions to function; instead they require strict permissions.
Setting your directories or PHP files to 777 causes them to produce a 500 Internal Server Error. This is deliberate: suexec refuses to execute a script whose file or parent directory is writable by group or world, because such a script could have been altered by another account before it ran as you. The refused request is recorded in the suexec log (suexec_log; the exact path depends on how Apache was built), which is the first place to look when a script returns 500 under PHPSuexec.
Under PHPSuexec your directories and PHP files can have permissions no greater than 755 (read/write/execute by your username, read/execute by group/world). Since you own your files, your scripts can function in any directory your user has created and cannot be manipulated by any outside users, including "nobody".
Now, when a PHP file creates or uploads a new file under your account, the new file is owned by your username. You no longer have to worry about the webserver taking over your files and, more importantly, you no longer have to worry about a stranger reading or writing your files either.
.htaccess
When PHP runs as an Apache module you can configure PHP from .htaccess, since .htaccess is an Apache feature and the PHP module teaches Apache the php_value/php_flag directives. When PHP runs as a CGI you can no longer do this, because Apache no longer understands the PHP flags and values; a leftover php_value line is treated as an unknown directive and is itself a cause of 500 errors.
Instead, when PHP runs as a CGI, you need to create your own PHP initialization file, called php.ini. It works much like .htaccess: it is simply a text file of directives that are used instead of the server's default directives.
To give you a better understanding of how both work in regard to PHP, the same setting is shown below first as an .htaccess line and then as a php.ini line. (magic_quotes_gpc is only the example this post uses; that setting was removed in PHP 5.4, so pick a directive that still exists on your PHP version.)
.htaccess
php_value magic_quotes_gpc on
php.ini
magic_quotes_gpc = on
There is one main difference between .htaccess and php.ini: a .htaccess file placed in the root directory affects all subdirectories with just one file; php.ini does not work this way.
A php.ini file has to be placed in every directory and subdirectory that requires the altered directives. This is a drawback of PHPSuexec; we hope that in the future PHP can handle php.ini in a more workable fashion. (Later PHP releases, from 5.3 on, address this for the CGI and FastCGI SAPIs with .user.ini files, which are read from the script's directory and its parent directories up to the document root.)
Last but not least, there is a directive used in .htaccess that needs to be altered in order to work under PHPSuexec. ForceType needs to be changed to SetHandler. For example:
PHP as an Apache Module .htaccess Style
ForceType application/x-httpd-php
PHP as a CGI with Suexec .htaccess Style
SetHandler application/x-httpd-php
It is important to understand that you can still use .htaccess for a variety of Apache functions, such as mod_rewrite directives, password protection directives, etc. The only difference is that it can no longer process PHP directives.
Common Problems experienced with PHPSuexec
If your PHP scripts are reporting 500 Internal Server errors, please check the following:
Make sure the directory permissions are not greater than 755.
Make sure the PHP file permissions are not greater than 755. 644 is the default permission for files uploaded by FTP and works fine for most PHP files.
Make sure the files and directories are owned by your username. Suexec also refuses to run a script whose file or directory owner does not match the user it switches to, which is what you will see for files that were created as "nobody" before the move to PHPSuexec.
Make sure you do not have any .htaccess files which contain PHP flags/values or ForceType directives. These directives need to be handled differently, as explained above.
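The checks above, together with the permission bits from the overview at the top of the page, as an added runnable example that is not code from the original post: a small POSIX sh audit of a web root for the two conditions that make suexec refuse a script (a file or directory writable by group or world, and a file or directory not owned by the account the script runs as), plus a fix that strips only the offending write bits. The path and account name in the usage line are assumed placeholders; everything else is standard find(1) and chmod(1).

```shell
#!/bin/sh
# Added example, not from the original post.
# Audit a web root for what makes suexec refuse a script (Apache then returns 500):
#   1. a file or directory writable by group or others (mode bits beyond 0755)
#   2. a file or directory not owned by the account the scripts run as
# The usage path /home/bijou/public_html and the user "bijou" are placeholders.

# Print every file/directory under $1 that is group- or world-writable.
# -perm -020 tests the group write bit, -perm -002 the world write bit
# (the same bits as the 020 and 002 rows of the permission table).
audit_suexec_perms() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# Print every file/directory under $1 that is not owned by user $2.
audit_suexec_owner() {
    find "$1" \( -type f -o -type d \) ! -user "$2" -print
}

# Strip only the group/world write bits from the offenders: a 777 directory
# becomes 755 and a 666 file becomes 644, while everything else is untouched
# (a blanket "chmod -R 755" would also make plain data files executable).
fix_suexec_perms() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) \
        -exec chmod go-w {} +
}

# Return 0 when the tree is clean, 1 when either audit reports something,
# so the check can gate a deploy script.
check_suexec_ready() {
    if [ -n "$(audit_suexec_perms "$1")" ] || [ -n "$(audit_suexec_owner "$1" "$2")" ]; then
        return 1
    fi
    return 0
}

# Usage: sh suexec_audit.sh /home/bijou/public_html bijou
if [ $# -ge 2 ]; then
    audit_suexec_perms "$1"
    audit_suexec_owner "$1" "$2"
    if check_suexec_ready "$1" "$2"; then
        echo "ok: suexec will accept this tree"
    fi
fi
```

Run the audit before calling fix_suexec_perms so you can see what is about to change; ownership problems cannot be fixed from the account itself and need a chown by root, which is the "contact support" case described earlier.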
Bijou Monci
