Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : PHP suEXEC vs. suEXEC in WHM

[jailbird2]

Hi!

I WHM Apache update, there is option to update or install PHP suEXEC Support and suEXEC Module.

What is the exact difference between those two?

When i use PHP suEXEC Support then all php scripts does not work.
When I use only suEXEC Module then all scripts works OK.

Is suEXEC Module enough for improved protection and preventing to run as nobody or not?

Thanks for answers!

jailbird2

[Devil Inside]

nope - php_suexec is best.

I assume you're getting 500 internal server error when running a php script with php_suexec?

If that's the case - you'd just need to change permissions on php scripts to 644.

php_suexec disallows the operation of php scripts that have insecure permissions. It forces a higher level of security for the server more or less.

(that's the short version)

[jailbird2]

Thanks for answer, only problem is that 644 still generates 500 Internal server error. 666 also, 755 also, even 777 in most cases do the same thing.

jailbird2

[flashwebhost]

You can check error log in Cpanel, that will give you reason for the error. May be the folder containing the php scripts got 777 permission

[Devil Inside]

I think you then need/want to run all these scripts via root shell:

/scripts/initsuexec
/scripts/fixallcartswithsuexec
/scripts/fixmailmanwithsuexec
/scripts/fixoldlistswithsuexec
/scripts/fixsuexeccgiscripts
/scripts/postsuexecinstall
/scripts/phpopenbasectl
/scripts/chownpublichtmls

And of course in WHM:
Security --> Tweak Security --> Php open_basedir Tweak --> Configure
Enable it.

Exclude the hostname of the server if you allow your clients to access their web space via http://hostname/~username/ before their domain propagates. If they use the IP rather than the hostname - you shouldn't need to exclude the hostname from protection.

[sprintserve]

Suexec in WHM is for CGI. PHPSuexec in apache compiles is for PHP.

If you are getting 500 errors and permissions is correct, check your .htaccess for PHP flags. Those will break a site under phpsuexec.

[Devil Inside]

Oh - right on sprintserve. Forgot to mention that.

Additionally - if you need to control PHP directives - as sprint mentioned, it won't work in .htaccess.

Instead - you'll need to set php directives using php.ini files.

However, with .htaccess - the settings carry down into all directories below the one that the .htaccess file is located in.

php.ini will not do this. Instead - a php.ini must be located in each directory that requires the changes made in the php.ini.

[brianoz]

In my experience, the most likely cause of the 500 error from a PHP script is a problem with script ownership, and this isn't mentioned above. For instance, if a script is running under the user somesite and URL www.somesite.com/index.php, you'd need to make sure index.php is owned by user somesite. (it should be sufficient for it to be owned by root, but it isn't).

Check out /usr/local/apache/logs/suexec_log for the exact cause; if the cause was suexec related, there will be a line there which will help.