hosted by liquidweb


Go Back   Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : PHP running as CGI vs Apache Module
Reply

Forum Jump

PHP running as CGI vs Apache Module

Reply Post New Thread In Hosting Security and Technology Subscription
 
Send news tip View All Posts Thread Tools Search this Thread Display Modes
  #1  
Old 05-05-2004, 06:11 PM
msimonds msimonds is offline
Junior Guru Wannabe
 
Join Date: May 2003
Location: Dallas, Texas
Posts: 36

PHP running as CGI vs Apache Module


I am on a shared host that has php installed as a cgi module and I want my host to recompile it as an apache module so I can get the use of my vbulletin archive!!

I cannot prove to him that it is okay to switch it!! I need a link or some pros and cons

Can someone please help me out!!

Mike

__________________
founder
Sportsrant.com



Sponsored Links
  #2  
Old 05-05-2004, 06:23 PM
phpdeveloper phpdeveloper is offline
Web Hosting Master
 
Join Date: Jan 2002
Location: Home, chair
Posts: 723
They probably care much about security, which is easier to implement with PHP running as CGI. You'd have to find real good reasons for them to switch to apache module.

  #3  
Old 05-05-2004, 06:26 PM
msimonds msimonds is offline
Junior Guru Wannabe
 
Join Date: May 2003
Location: Dallas, Texas
Posts: 36
so you are saying that it is a security risk to run php as an apahce module?

__________________
founder
Sportsrant.com

Sponsored Links
  #4  
Old 05-05-2004, 06:29 PM
phpdeveloper phpdeveloper is offline
Web Hosting Master
 
Join Date: Jan 2002
Location: Home, chair
Posts: 723
Well, when you have PHP running as CGI, with phpsuexec, you can better control what's allowed and what's not, and see who is doing what. With PHP running as apache, it's all the same process owner - nobody. You can't easily tell which user that is looking at the process tree. So, yeah, PHP running as CGI is more secure generally.

  #5  
Old 05-05-2004, 06:32 PM
msimonds msimonds is offline
Junior Guru Wannabe
 
Join Date: May 2003
Location: Dallas, Texas
Posts: 36
is there any documentation on this!! I was unable to find this at php.net

__________________
founder
Sportsrant.com

  #6  
Old 05-05-2004, 06:40 PM
phpdeveloper phpdeveloper is offline
Web Hosting Master
 
Join Date: Jan 2002
Location: Home, chair
Posts: 723

  #7  
Old 05-05-2004, 06:50 PM
msimonds msimonds is offline
Junior Guru Wannabe
 
Join Date: May 2003
Location: Dallas, Texas
Posts: 36
i read both of those articles and they do not say anything that makes cgi better for security. They are both general so they prove nothing for your statments that you made

__________________
founder
Sportsrant.com

  #8  
Old 05-05-2004, 07:00 PM
phpdeveloper phpdeveloper is offline
Web Hosting Master
 
Join Date: Jan 2002
Location: Home, chair
Posts: 723
They provide information based on which you can see why running PHP as CGI is more secure than running it as an apache module.

  #9  
Old 05-05-2004, 07:08 PM
Steven Steven is online now
Problem Solver
 
Join Date: Mar 2003
Location: California USA
Posts: 12,927
I have to agree with PHP Developer here. It is indeed more secure then running as a module.

some quotes:


about cgi:

Quote:
Accessing system files: http://my.host/cgi-bin/php?/etc/passwd

The query information in a URL after the question mark (?) is passed as command line arguments to the interpreter by the CGI interface. Usually interpreters open and execute the file specified as the first argument on the command line.

When invoked as a CGI binary, PHP refuses to interpret the command line arguments.
about module:

Quote:
When PHP is used as an Apache module it inherits Apache's user permissions (typically those of the "nobody" user). This has several impacts on security and authorization. For example, if you are using PHP to access a database, unless that database has built-in access control, you will have to make the database accessible to the "nobody" user. This means a malicious script could access and modify the database, even without a username and password. It's entirely possible that a web spider could stumble across a database administrator's web page, and drop all of your databases. You can protect against this with Apache authorization, or you can design your own access model using LDAP, .htaccess files, etc. and include that code as part of your PHP scripts.

__________________
Steven Ciaburri | Proactive Linux Server Management - Rack911.com
System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
Managed Servers (AS62710), Server Management, and Security Auditing.
www.HostingSecList.com - Security notices for the hosting community.

  #10  
Old 05-06-2004, 02:44 AM
BeerHandle BeerHandle is offline
Junior Guru Wannabe
 
Join Date: Mar 2004
Posts: 78
Not much people know about phpsuexec topic besides running it.. asked at 3 forums and no answer. Is there no way to stop users setting whatever settings they want in php config??

http://www.webhostingtalk.com/showth...hreadid=267861


Last edited by BeerHandle; 05-06-2004 at 02:45 AM.
  #11  
Old 05-06-2004, 09:07 AM
innova innova is offline
Web Hosting Master
 
Join Date: Dec 2002
Posts: 1,300
Quote:
unless that database has built-in access control
*sigh*

Unless you are a total BLOCKHEAD this isnt a problem...

__________________
"The only difference between a poor person and a rich person is what they do in their spare time."
"If youth is wasted on the young, then retirement is wasted on the old"

Reply

Related posts from TheWhir.com
Title Type Date Posted


Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Postbit Selector

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Forum Jump
Login:
Log in with your username and password
Username:
Password:



Forgot Password?
Advertisement:
Web Hosting News:



 

X

Welcome to WebHostingTalk.com

Create your username to jump into the discussion!

WebHostingTalk.com is the largest, most influentual web hosting community on the Internet. Join us by filling in the form below.


(4 digit year)

Already a member?