Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : PHP running as CGI vs Apache Module

[msimonds]

I am on a shared host that has php installed as a cgi module and I want my host to recompile it as an apache module so I can get the use of my vbulletin archive!!

I cannot prove to him that it is okay to switch it!! I need a link or some pros and cons

Can someone please help me out!!

Mike

[phpdeveloper]

They probably care much about security, which is easier to implement with PHP running as CGI. You'd have to find real good reasons for them to switch to apache module.

[msimonds]

so you are saying that it is a security risk to run php as an apahce module?

[phpdeveloper]

Well, when you have PHP running as CGI, with phpsuexec, you can better control what's allowed and what's not, and see who is doing what. With PHP running as apache, it's all the same process owner - nobody. You can't easily tell which user that is looking at the process tree. So, yeah, PHP running as CGI is more secure generally.

[msimonds]

is there any documentation on this!! I was unable to find this at php.net

[phpdeveloper]

You can take a look here:
http://php.net/manual/en/security.index.php
http://php.net/install.commandline

[msimonds]

i read both of those articles and they do not say anything that makes cgi better for security. They are both general so they prove nothing for your statments that you made

[phpdeveloper]

They provide information based on which you can see why running PHP as CGI is more secure than running it as an apache module.

[Steven]

I have to agree with PHP Developer here. It is indeed more secure then running as a module.

some quotes:


about cgi:

Quote:

Accessing system files: http://my.host/cgi-bin/php?/etc/passwd

The query information in a URL after the question mark (?) is passed as command line arguments to the interpreter by the CGI interface. Usually interpreters open and execute the file specified as the first argument on the command line.

When invoked as a CGI binary, PHP refuses to interpret the command line arguments.

about module:

Quote:

When PHP is used as an Apache module it inherits Apache's user permissions (typically those of the "nobody" user). This has several impacts on security and authorization. For example, if you are using PHP to access a database, unless that database has built-in access control, you will have to make the database accessible to the "nobody" user. This means a malicious script could access and modify the database, even without a username and password. It's entirely possible that a web spider could stumble across a database administrator's web page, and drop all of your databases. You can protect against this with Apache authorization, or you can design your own access model using LDAP, .htaccess files, etc. and include that code as part of your PHP scripts.

[BeerHandle]

Not much people know about phpsuexec topic besides running it.. asked at 3 forums and no answer. Is there no way to stop users setting whatever settings they want in php config??

http://www.webhostingtalk.com/showth...hreadid=267861

[innova]

Quote:

unless that database has built-in access control

*sigh*

Unless you are a total BLOCKHEAD this isnt a problem...