05-05-2004, 06:11 PM #1 Junior Guru Wannabe | Join Date: May 2003 | Location: Dallas, Texas | Posts: 36
PHP running as CGI vs Apache Module
I am on a shared host that has php installed as a cgi module and I want my host to recompile it as an apache module so I can get the use of my vbulletin archive!!
I cannot prove to him that it is okay to switch it!! I need a link or some pros and cons
Can someone please help me out!!
Mike
founder
Sportsrant.com
-
05-05-2004, 06:23 PM #2 Web Hosting Master | Join Date: Jan 2002 | Location: Home, chair | Posts: 723
They probably care much about security, which is easier to implement with PHP running as CGI. You'd have to find real good reasons for them to switch to apache module.
-
05-05-2004, 06:26 PM #3 Junior Guru Wannabe | Join Date: May 2003 | Location: Dallas, Texas | Posts: 36
so you are saying that it is a security risk to run php as an apache module?
founder
Sportsrant.com
-
05-05-2004, 06:29 PM #4 Web Hosting Master | Join Date: Jan 2002 | Location: Home, chair | Posts: 723
Well, when you have PHP running as CGI, with phpsuexec, you can better control what's allowed and what's not, and see who is doing what. With PHP running as apache, it's all the same process owner - nobody. You can't easily tell which user that is looking at the process tree. So, yeah, PHP running as CGI is more secure generally.
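The process-owner point in the post above, as an added example that is not part of the original thread: it attributes PHP work to hosting accounts from a process listing. The two `ps` listings are constructed sample data, and the account names, paths and the `SHARED_USERS` set are assumptions.

```python
from collections import Counter

# Constructed `ps -eo user,pid,args` listings (sample data, not from a real host).
# PS_MOD_PHP: PHP as an Apache module. PS_SUEXEC: PHP as CGI under phpsuexec.
PS_MOD_PHP = """\
USER       PID COMMAND
root      1201 /usr/sbin/httpd -k start
nobody    1310 /usr/sbin/httpd -k start
nobody    1311 /usr/sbin/httpd -k start
nobody    1312 /usr/sbin/httpd -k start
"""
PS_SUEXEC = """\
USER       PID COMMAND
root      1201 /usr/sbin/httpd -k start
nobody    1310 /usr/sbin/httpd -k start
alice     2290 /usr/bin/php /home/alice/public_html/forum/index.php
bob       2291 /usr/bin/php /home/bob/public_html/mailer.php
bob       2292 /usr/bin/php /home/bob/public_html/mailer.php
"""

# Assumption: accounts the web server itself runs as on this host.
SHARED_USERS = {"nobody", "apache", "www-data"}
WEB_BINARIES = ("httpd", "apache", "php")

def attribute_php(ps_text):
    """Return ({account: php_process_count}, unattributable_worker_count)."""
    per_account = Counter()
    unattributable = 0
    for line in ps_text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        user, _pid, args = parts
        exe = args.split()[0].rsplit("/", 1)[-1]   # basename of the binary
        if user in SHARED_USERS and exe.startswith(WEB_BINARIES):
            # Could be running any customer's script; the listing cannot say whose.
            unattributable += 1
        elif user not in SHARED_USERS and exe.startswith("php"):
            per_account[user] += 1
    return dict(per_account), unattributable

if __name__ == "__main__":
    for name, listing in (("mod_php", PS_MOD_PHP), ("phpsuexec", PS_SUEXEC)):
        accounts, unknown = attribute_php(listing)
        print(f"{name}: per-account={accounts} unattributable={unknown}")
```
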
-
05-05-2004, 06:32 PM #5 Junior Guru Wannabe | Join Date: May 2003 | Location: Dallas, Texas | Posts: 36
is there any documentation on this!! I was unable to find this at php.net
founder
Sportsrant.com
-
05-05-2004, 06:40 PM #6 Web Hosting Master | Join Date: Jan 2002 | Location: Home, chair | Posts: 723
-
05-05-2004, 06:50 PM #7 Junior Guru Wannabe | Join Date: May 2003 | Location: Dallas, Texas | Posts: 36
I read both of those articles and they do not say anything that makes cgi better for security. They are both general so they prove nothing for your statements that you made
founder
Sportsrant.com
-
05-05-2004, 07:00 PM #8 Web Hosting Master | Join Date: Jan 2002 | Location: Home, chair | Posts: 723
They provide information based on which you can see why running PHP as CGI is more secure than running it as an apache module.
-
05-05-2004, 07:08 PM #9 Problem Solver | Join Date: Mar 2003 | Location: California USA | Posts: 13,681
I have to agree with PHP Developer here. It is indeed more secure than running as a module.
some quotes:
about cgi:
Accessing system files: http://my.host/cgi-bin/php?/etc/passwd
The query information in a URL after the question mark (?) is passed as command line arguments to the interpreter by the CGI interface. Usually interpreters open and execute the file specified as the first argument on the command line.
When invoked as a CGI binary, PHP refuses to interpret the command line arguments.
When PHP is used as an Apache module it inherits Apache's user permissions (typically those of the "nobody" user). This has several impacts on security and authorization. For example, if you are using PHP to access a database, unless that database has built-in access control, you will have to make the database accessible to the "nobody" user. This means a malicious script could access and modify the database, even without a username and password. It's entirely possible that a web spider could stumble across a database administrator's web page, and drop all of your databases. You can protect against this with Apache authorization, or you can design your own access model using LDAP, .htaccess files, etc. and include that code as part of your PHP scripts.
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
05-06-2004, 02:44 AM #10 Junior Guru Wannabe | Join Date: Mar 2004 | Posts: 78
Not many people know about phpsuexec topic besides running it.. asked at 3 forums and no answer. Is there no way to stop users setting whatever settings they want in php config??
http://www.webhostingtalk.com/showth...hreadid=267861
Last edited by BeerHandle; 05-06-2004 at 02:45 AM.
-
05-06-2004, 09:07 AM #11 Web Hosting Master | Join Date: Dec 2002 | Posts: 1,304
unless that database has built-in access control
Unless you are a total BLOCKHEAD this isn't a problem...
"The only difference between a poor person and a rich person is what they do in their spare time."
"If youth is wasted on the young, then retirement is wasted on the old"