  1. #1
    Join Date
    May 2003
    Location
    Dallas, Texas
    Posts
    36

    PHP running as CGI vs Apache Module

    I am on a shared host that has php installed as a cgi module and I want my host to recompile it as an apache module so I can get the use of my vbulletin archive!!

    I cannot prove to him that it is okay to switch it!! I need a link or some pros and cons

    Can someone please help me out!!

    Mike

  2. #2
    Join Date
    Jan 2002
    Location
    Home, chair
    Posts
    723
    They probably care much about security, which is easier to implement with PHP running as CGI. You'd have to find real good reasons for them to switch to apache module.

  3. #3
    Join Date
    May 2003
    Location
    Dallas, Texas
    Posts
    36
    So you are saying that it is a security risk to run PHP as an Apache module?

  4. #4
    Join Date
    Jan 2002
    Location
    Home, chair
    Posts
    723
    Well, when you have PHP running as CGI, with phpsuexec, you can better control what's allowed and what's not, and see who is doing what. With PHP running as apache, it's all the same process owner - nobody. You can't easily tell which user that is looking at the process tree. So, yeah, PHP running as CGI is more secure generally.
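
The attribution point made in the post above, as an added example that is not part of the original thread: a shell sketch that reads `ps -eo user=,pid=,args=` style output and reports which accounts own the processes that run PHP. The sample process lists, the user names `mike` and `alice`, the paths, and the list of shared web-server accounts are constructed assumptions.

```shell
#!/bin/sh
# Added example: attribute PHP execution to accounts from `ps` output.
# Assumed input format: `ps -eo user=,pid=,args=` (user, pid, command line).

# Constructed sample: module setup, every request runs inside httpd as "nobody".
SAMPLE_MODULE='nobody 2101 /usr/sbin/httpd -k start
nobody 2102 /usr/sbin/httpd -k start
nobody 2103 /usr/sbin/httpd -k start'

# Constructed sample: CGI with phpsuexec, each script runs as its site owner.
SAMPLE_SUEXEC='nobody 2101 /usr/sbin/httpd -k start
mike 2240 /usr/bin/php /home/mike/public_html/archive/index.php
alice 2241 /usr/bin/php /home/alice/public_html/forum.php
mike 2242 /usr/bin/php /home/mike/public_html/search.php'

# php_owners: read ps lines on stdin and print "user count" for every
# account owning a process that can run PHP (httpd workers or a php binary).
php_owners() {
    awk '$3 ~ /(^|\/)(httpd|apache2|php|php-cgi)$/ { n[$1]++ }
         END { for (u in n) print u, n[u] }' | sort
}

# attributable: succeed only when some PHP work runs outside the shared
# web-server accounts, i.e. the process table names the responsible user.
attributable() {
    php_owners | awk '$1 !~ /^(nobody|apache|www-data|httpd)$/ { ok = 1 }
                      END { exit (ok ? 0 : 1) }'
}
```

On a live host the same functions can be fed with `ps -eo user=,pid=,args= | php_owners`.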

  5. #5
    Join Date
    May 2003
    Location
    Dallas, Texas
    Posts
    36
    Is there any documentation on this!! I was unable to find this at php.net

  6. #6
    Join Date
    Jan 2002
    Location
    Home, chair
    Posts
    723

  7. #7
    Join Date
    May 2003
    Location
    Dallas, Texas
    Posts
    36
    I read both of those articles and they do not say anything that makes CGI better for security. They are both general, so they prove nothing for your statements that you made.

  8. #8
    Join Date
    Jan 2002
    Location
    Home, chair
    Posts
    723
    They provide information based on which you can see why running PHP as CGI is more secure than running it as an apache module.

  9. #9
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    I have to agree with PHP Developer here. It is indeed more secure than running as a module.

    Some quotes:

    About CGI:

    Accessing system files: http://my.host/cgi-bin/php?/etc/passwd

    The query information in a URL after the question mark (?) is passed as command line arguments to the interpreter by the CGI interface. Usually interpreters open and execute the file specified as the first argument on the command line.

    When invoked as a CGI binary, PHP refuses to interpret the command line arguments.

    About module:

    When PHP is used as an Apache module it inherits Apache's user permissions (typically those of the "nobody" user). This has several impacts on security and authorization. For example, if you are using PHP to access a database, unless that database has built-in access control, you will have to make the database accessible to the "nobody" user. This means a malicious script could access and modify the database, even without a username and password. It's entirely possible that a web spider could stumble across a database administrator's web page, and drop all of your databases. You can protect against this with Apache authorization, or you can design your own access model using LDAP, .htaccess files, etc. and include that code as part of your PHP scripts.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  10. #10
    Join Date
    Mar 2004
    Posts
    78
    Not many people know about the phpsuexec topic besides running it. Asked at 3 forums and no answer. Is there no way to stop users setting whatever settings they want in the PHP config?

    http://www.webhostingtalk.com/showth...hreadid=267861
    Last edited by BeerHandle; 05-06-2004 at 02:45 AM.

  11. #11
    unless that database has built-in access control
    *sigh*

    Unless you are a total BLOCKHEAD this isn't a problem...
    "The only difference between a poor person and a rich person is what they do in their spare time."
    "If youth is wasted on the young, then retirement is wasted on the old"
