1
bluenova
PHPsuexec to be implemented on Surpass servers

An interesting read:

Security Precautions & Abuse Prevention:
Implementation of PHPsuexec

As you know, we like to introduce new concepts as simply as possible. The goal is always a concise explanation without room for confusion. However, explaining phpsuexec is going to have to be a long one I'm afraid.

What is happening exactly?
We are phasing all older servers to use phpsuexec. New servers will have it from the start (started with SH88 and Pass48 +). We will apply this change to older servers but only a few servers at a time.

Explain what PHPsuexec is:
On most Apache servers, PHP runs as an Apache module. This is the default way. This is why phishing scams (eBay/PayPal scams, online banking scams) are so rampant. Scammers scour the web for holes and it is extremely easy for them if the server they find has this type of setup. Most hosts have this setup because they do not realize *it doesn't have to be this way* and there is a better way. We have to help put a stop to this abuse and secure our servers.

This will improve your service. How? All scripts will be executed with the account username instead of "nobody". Why is this important to us:

If we find that some account is running malicious scripts and causing the server to crash, we can find the details quickly. No more tedious and time consuming searches through logs and comparing paths. If there is spam being sent out of the server, we can find the exact path and stop it quickly to avoid mail problems/errors on the server. We also want to be a respected role model for other hosts and most importantly, a host that you can be proud of. We feel that now is the time to introduce this new policy although the idea has been bounced around our abuse teams for over a year now. If you have never heard of phpsuexec before (and there's certainly a good chance that you haven't), we hope that you can welcome this and even make it a personal requirement for your hosting.

We hope that this introduction to phpsuexec has been clear.

Now, let's get into the ...
PHPsuexec Details

1. 777 Permissions
Old setup: When PHP runs as an Apache module it executes as the user/group of the webserver, which is usually "nobody". Under this mode, files or directories that you require your PHP scripts to write to need 777 permissions (read/write/execute at user/group/world level). This is not very secure because, besides allowing the webserver to write to the file, it also allows anyone else to read or write to the file. It makes you ask yourself why this has been the default way all along.

New setup - PHPsuexec: PHP running as CGI with suexec enabled. Your PHP scripts now execute under your user/group level. Files or directories that you require your PHP scripts to write to no longer need to have 777 permissions. In fact, scripts with 777 permissions, or scripts in directories with 777 permissions, will not run and will instead cause a 500 internal server error when you attempt to execute them; this protects you from someone abusing your scripts. Your scripts and directories can have a maximum of 755 permissions (read/write/execute by you, read/execute by everyone else).

2. Goodbye .htaccess and Hello .ini
Under the old Apache Module mode you were able to manipulate the PHP settings from within a .htaccess file placed in the script's directory.

For example you could turn off the php setting "magic_quotes_gpc" with this line in .htaccess:

php_value magic_quotes_gpc off

With PHP running as CGI/phpsuexec, manipulating the PHP settings is still possible; however, it cannot be done with .htaccess. Using .htaccess with php_value entries within it will cause a 500 internal server error when attempting to access the scripts. This is because PHP is no longer running as an Apache module and Apache will not handle those directives any longer.

All php values should be removed from your .htaccess files to avoid the 500 internal server error. Creating a php.ini file to manipulate the php settings will solve this issue.

3. About php.ini
What is a php.ini file and how do I go about making one?
The php.ini file is a configuration file that the server looks at to see what options have been turned on, off or set to a number different from the defaults that we have set for the server. While the name may seem advanced to those unfamiliar with it, it's simply a text file with the name php.ini.

To create a php.ini file, just open up a text editor, add in the lines you need and save the file. You can name the file whatever you wish when saving. Once done, upload the file to the directory where your script is located and then rename it to php.ini.

For example you can turn off the php setting "magic_quotes_gpc" with this line in php.ini:

magic_quotes_gpc = Off

4. Troubleshooting
HELP! My php script doesn't work or I have an error message.

1. Check that the PHP script that you are attempting to execute has permissions of no more than 755; 644 will normally work just fine, and this is not something that will need to be changed in most cases.

2. Check that the directory the script resides in has permissions of no more than 755. This also applies to any directories that the script needs access to.

3. Check that you do not have a .htaccess file with php_values within it. They will cause a 500 Internal Server Error when attempting to execute the script.
The php_values will need to be removed from your .htaccess file and a php.ini put in its place, containing the php directives as explained above.

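An added example (not from the thread or from Surpass) that turns the three troubleshooting checks above into a POSIX shell audit and also converts the php_value/php_flag lines of a .htaccess file into php.ini syntax. It assumes GNU find (`-perm /022` matches group- or world-writable entries) and is pointed at whatever document root you choose; the sample tree in the usage is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or Surpass): audit a document root for the
# three conditions the checklist names, then translate .htaccess php_* lines into
# php.ini syntax. Assumes GNU find ("-perm /022" = group- or world-writable).

# Print one line per finding. suexec refuses scripts and directories that are
# group- or world-writable, and Apache returns 500 for php_value/php_flag in
# .htaccess once PHP runs as CGI.
suexec_check() {
    dir=$1
    # Check 1: PHP scripts above 755/644 (group or world write bit set).
    find "$dir" -type f -name '*.php' -perm /022 \
        | sed 's/^/WRITABLE FILE (chmod 644): /'
    # Check 2: directories above 755, including the script's own directory.
    find "$dir" -type d -perm /022 \
        | sed 's/^/WRITABLE DIR (chmod 755): /'
    # Check 3: .htaccess files still carrying php_value or php_flag lines.
    find "$dir" -type f -name '.htaccess' \
        -exec grep -l -E '^[[:space:]]*php_(value|flag)[[:space:]]' {} + \
        | sed 's/^/PHP DIRECTIVE IN (move to php.ini): /'
}

# Number of findings; 0 means the tree should run cleanly under PHPsuexec.
suexec_count() {
    suexec_check "$1" | wc -l | tr -d ' '
}

# Convert the php_value/php_flag lines of one .htaccess file into php.ini lines:
#   php_value name value   ->  name = value
#   php_flag  name on|off  ->  name = On|Off
# Other directives (DirectoryIndex, RewriteRule, ...) are left out; they stay
# in .htaccess because Apache still handles them.
htaccess_to_ini() {
    awk '
        $1 == "php_value" {
            name = $2
            sub(/^[ \t]*php_value[ \t]+[^ \t]+[ \t]+/, "")
            print name " = " $0
            next
        }
        $1 == "php_flag" {
            v = tolower($3)
            state = (v == "on" || v == "1" || v == "true") ? "On" : "Off"
            print $2 " = " state
            next
        }
    ' "$1"
}
```

Run `suexec_check /home/user/public_html` (path is a placeholder) to list what suexec would reject, and `htaccess_to_ini path/.htaccess > path/php.ini` to seed the replacement php.ini before deleting the php_* lines from .htaccess.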

2
Dave_L
Re: PHPsuexec to be implemented on Surpass servers
  • 2006/3/2 14:26

The problem with this is that it's sort of a step backwards.

One of the main benefits of PHP is that it integrates so well with Apache. Running PHP as an Apache module is more efficient than running it as CGI.

I've wondered why Apache doesn't have some way of internally switching to a different user when running certain modules. That would give you the security benefits without the loss of efficiency.

But some people say that running web scripts as "nobody" is more secure than running them as an actual system user, since "nobody" has fewer privileges. But then you need wider file permissions, so it's a tradeoff.

3
surpass
Re: PHPsuexec to be implemented on Surpass servers
  • 2006/3/8 7:35

For us (especially from an abuse standpoint), it's a step forward and we wish other hosts would do the same.

4
carnuke
Re: PHPsuexec to be implemented on Surpass servers
  • 2006/4/3 11:38

Since servers have been modified with phpsuexec, I have encountered modules not working, such as LIASE and CONTACT 1.6. On re-installation there is an error as follows:

Module Contact installed successfully.

Unable to write to main menu.

Back to Module Administration page


This is definitely linked to the changes. What remedies are there to correct this, please? The faults are:

1- forms are not displayed correctly (liase)
2- No module admin (contact 1.6 )

xoops 2.0.13.2

TIA
http://houseofstrauss.co.uk Resource for alternative health and holistic lifestyle

5
Herko
Re: PHPsuexec to be implemented on Surpass servers
  • 2006/4/3 12:27

Quote:
Unable to write to main menu.

This means the system itself cannot write to the cache/adminmenu.php file. Remove the adminmenu.php file (or better yet, rename it so you have a backup), and login to the admin section. You'll get the 'first time admin login' screen (but that's where it writes the admin menu).

Herko

6
carnuke
Re: PHPsuexec to be implemented on Surpass servers
  • 2006/4/3 13:27

Thanks for that info; removing adminmenu.php brought the admin menu back to Contact 1.6, but LIASE and FORMULAIRE are both still faulty. Deleting cache files and updating modules has not worked either. NOTE: I have changed R/W permissions on all world-writable folders and proved that the server can still write to them (cache is being populated).
http://houseofstrauss.co.uk Resource for alternative health and holistic lifestyle

7
Herko
Re: PHPsuexec to be implemented on Surpass servers
  • 2006/4/3 14:19

No debug info on those modules? Maybe it is a mail setting that needs to be adjusted too somewhere? I don't know those modules well enough to venture an educated guess...

Herko

8
carnuke
Re: PHPsuexec to be implemented on Surpass servers
  • 2006/4/3 16:29

No debugger specific to this. Thing is, since the mod there are thousands of text sanitiser notices that were not there before. I doubt it's a mail setting. It's the forms that are not displaying correctly. On one site there is a single field that displays, and it's sending data correctly.

I've posted on surmunity, but no response yet.

Thanks for the feedback Herko.
http://houseofstrauss.co.uk Resource for alternative health and holistic lifestyle

9
martyboy
Re: PHPsuexec to be implemented on Surpass servers
  • 2006/4/3 17:02

I also host with Surpass; I just moved to a VPS from shared with them. I had noticed that the Liaise form did not display correctly on my site either, though it was an old version; as soon as I upgraded to a new version it worked fine, and I've not noticed any other major problems, especially with modules that need write access to directories.

I had noticed in WHM there is a function to disable PHPsuexec, but I don't have a clue about these things so I just left it well alone.
Michael Jackson = King Of Pop

Xoops = King Of CMS

10
Herko
Re: PHPsuexec to be implemented on Surpass servers
  • 2006/4/3 18:56

Ah. The notices come with PHP 4.4 or 5.x, so that may be the cause of the problems with the Liaise module.

I host at Surpass too, and am considering a VPS as well; it's good to know these things in advance.

Herko
