How many hosts use safe mode & open base dir?

MultiVol
09-20-2002, 05:13 AM
Above ^

priyadi
09-20-2002, 06:34 AM
No. We use CGI mode PHP, suexec wrapped. No need for safe mode.

MultiVol
09-20-2002, 07:17 AM
Like to explain how it's done please, and is there a downside to your way?

Alan - Vox
09-20-2002, 08:07 AM
Having PHP run as CGI is much slower.

Rich2k
09-20-2002, 08:16 AM
I have it enabled except on my own sites... but that's usually only because I have server monitoring scripts which require access to files outside the document root.

MultiVol
09-20-2002, 08:45 AM
I wish I could not use safe mode but wouldn't know how to do any other methods. :(

priyadi
09-20-2002, 02:08 PM
Try this thread: http://www.webhostingtalk.com/showthread.php?s=&threadid=26266&perpage=20&pagenumber=1.

As for speed issues, PHP under CGI mode is surely slower than PHP running under Apache module. But the speed is still acceptable. It is a small expense for much better security and flexibility (no safe mode hassles).

JustinH
09-21-2002, 02:19 AM
It's not just a speed factor (which when you're talking about larger programs the speed ratio gets VERY wide), but also higher system resource usage. Furthermore, most scripts in PHP are intended for mod_php and therefore some simply won't function under CGI without some code modification.

However, safe mode is a royal pain in the butt as well. It causes limitations on some of the nifty features of PHP (that don't necessarily cause problems). My suggestion: set open_basedir to the user's top directory (/home/user/) and none of the file-system functions will be able to be performed outside of that directory. Heck of a lot easier than safe mode OR running PHP under CGI.

priyadi
09-21-2002, 03:57 AM
Originally posted by comphosting
> It's not just a speed factor (which when you're talking about larger programs the speed ratio gets VERY wide), but also higher system resource usage.

Yes, however scripts other than PHP have been doing this for years. Otherwise, we need to use mod_perl, mod_python and mod_dtcl as well.

> Furthermore, most scripts in PHP are intended for mod_php and therefore some simply won't function under CGI without some code modification.

In my experience, most PHP scripts are running just fine under CGI mode. In fact I don't know any specific script that requires running under the Apache module. Most of our clients don't even notice their PHP scripts are running under CGI mode.

> However, safe mode is a royal pain in the butt as well. It causes limitations on some of the nifty features of PHP (that don't necessarily cause problems). My suggestion: set open_basedir to the user's top directory (/home/user/) and none of the file-system functions will be able to be performed outside of that directory.

Not enabling safe mode will allow users to execute arbitrary programs under Apache uid/gid (using exec, passthru, etc.), which in turn means it is still possible for a malicious user to read other users' sensitive data. open_basedir only imposes limitations on opening files, not executing them.

JustinH
09-21-2002, 04:50 AM
hmm... though I've never tried to screw around with screwing around :rolleyes: I didn't realize that open_basedir didn't limit system commands. Learn something new every day :).

magnafix
09-22-2002, 10:56 PM
CGI mode is not slower than module mode -- IF you only enable the modules you're using. That's why we give our (chrooted, suexec'd PHP) customers their own php.ini with a web interface to enable the extensions they need.

If you enable every optional extension available on the server, yes it's a dog. But enable MySQL, PCRE, and one or two more, and it's speedy.

jstanden
09-24-2002, 12:58 AM
We're using Plesk and can modify or disable some of the safe_mode restrictions & features (base_dir, etc.) in vhost.conf files on a per-site basis.

As a general rule, safe-mode is enabled on every shared hosting server we run.

If your shared hosting clients need more flexibility, they probably need a dedicated box or upgraded hosting plan (VDS/etc.).
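
An added example, not part of the original thread: a small audit that flags virtual hosts relying on open_basedir alone, the gap priyadi describes where program-execution functions stay callable. The sample php.ini and httpd.conf text, the host names, and every entry of EXEC_FUNCS beyond exec and passthru are assumptions made for the illustration.

```python
import re

# Functions that start external programs; the thread names exec and passthru,
# the other entries are an assumption added for this example.
EXEC_FUNCS = {"exec", "passthru", "system", "shell_exec", "popen", "proc_open"}
# Constructed sample input, not taken from any real server.
PHP_INI = """
safe_mode = Off
disable_functions = system,shell_exec
"""
HTTPD_CONF = """
<VirtualHost *:80>
    ServerName alice.example
    php_admin_value open_basedir /home/alice/
</VirtualHost>
<VirtualHost *:80>
    ServerName bob.example
    php_admin_value open_basedir /home/bob/
    php_admin_flag safe_mode on
</VirtualHost>
<VirtualHost *:80>
    ServerName carol.example
</VirtualHost>
"""

def ini_settings(text):
    """Parse 'key = value' lines of a php.ini into a dict (comments are skipped)."""
    pairs = re.findall(r"^[ \t]*([\w.]+)[ \t]*=[ \t]*(.*?)[ \t]*$", text, re.M)
    return {k.lower(): v for k, v in pairs}

def audit(php_ini, httpd_conf):
    """Return {ServerName: finding} for every vhost in httpd_conf."""
    ini = ini_settings(php_ini)
    disabled = {f.strip() for f in ini.get("disable_functions", "").split(",")}
    callable_exec = sorted(EXEC_FUNCS - disabled)
    global_safe = ini.get("safe_mode", "off").lower() in ("on", "1")
    findings = {}
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", httpd_conf, re.S | re.I):
        name = re.search(r"^\s*ServerName\s+(\S+)", block, re.M | re.I).group(1)
        basedir = re.search(r"php_admin_value\s+open_basedir\s+(\S+)", block, re.I)
        flag = re.search(r"php_admin_flag\s+safe_mode\s+(\w+)", block, re.I)
        safe = flag.group(1).lower() in ("on", "1") if flag else global_safe
        if not basedir:
            findings[name] = "no open_basedir"
        elif not safe and callable_exec:
            findings[name] = "open_basedir only; can still run: " + ",".join(callable_exec)
        else:
            findings[name] = "ok"
    return findings
```

Calling `audit(PHP_INI, HTTPD_CONF)` on the constructed input reports the first host as exposed, the second as covered by safe mode, and the third as having no open_basedir at all.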