  1. #1

    use phpsuexec or not

    I see that many hosts are using phpsuexec these days for security. I have a couple of reseller accounts... one of the reseller accounts is on a server which has phpsuexec, while the other reseller account's server doesn't have phpsuexec installed. Now I am planning to move to a dedicated server, but I am confused about whether to use phpsuexec on the new server or not. Both accounts have many PHP-based websites. In general, I guess phpsuexec is more restrictive. So is there any other way to secure the PHP scripts other than to use phpsuexec? Does mod_security come under this? Please suggest.

  2. #2
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,549
    I personally do not use it, in terms of "security" it may be easier to catch certain things however it will generally cause a lot of problems and probably better just to leave it.

    Most people I have spoken to only use it because they think it's easier to find simple "hacks" such as perl bots on /tmp etc, but these again can all be restricted by mod_security and posix acls. Which again are easier to handle without using phpsuexec, if you really want to go the whole hog you could even hack up the perl binary to not allow execution from specific users, i.e. nobody.

    That's just my personal opinion, I am sure there are lots of people who prefer phpsuexec and ultimately it's down to your own experience with both.

    -Scott
    Server Management - AdminGeekZ.com
    Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
    WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implementation, DDoS Protection, Custom Nginx Modules
    Check our wordpress varnish plugin. Contact us for quote: [email protected]

  3. #3
    Join Date
    Nov 2001
    Location
    Philadelphia, Pa
    Posts
    949
    I don't consider mod_security and phpsuexec to be mutually exclusive. In fact, I would highly recommend running both. When you say 'it will generally cause a lot of problems and probably better just to leave it', what are you referring to? The only 'problem' I've seen is a very slight performance hit, but in my experience it's almost negligible.

  4. #4
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,549
    Derek, I was primarily referring to support; support tends to increase when you have phpsuexec running, mostly due to permissions.

    -Scott

  5. #5
    Join Date
    Aug 2006
    Posts
    101
    With phpsuexec you can not have directory perms of 777. That covers reason number 1!

    The second is that you are no longer allowed to run scripts as user nobody; they run as the hosting user instead. Now you no longer need perms of 777.

    Everything that works without phpsuexec should work with phpsuexec as long as ownership and permissions are set properly. If you have a dedicated server and compile in phpsuexec then make sure to set the Fantastico configuration to phpsuexec so the perms are set properly on installs.
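
The ownership and permission conditions described in the post above can be checked per account before a server is switched over. This is an added example, not part of the original thread: the function names are hypothetical, and the check for group-writable scripts is an assumption modelled on Apache suEXEC's rule that its target must not be writable by anyone else.

```shell
#!/bin/sh
# Added example (not from the thread): audit one account's document root
# for the permission and ownership problems discussed above.

# tag CLASS: prefix every path read on stdin with "CLASS<TAB>".
tag() {
    while IFS= read -r path; do
        printf '%s\t%s\n' "$1" "$path"
    done
}

# audit_docroot DIR OWNER
#   DIR   : the account's document root, e.g. /home/<user>/public_html
#   OWNER : user name or numeric uid that the account's scripts run as
audit_docroot() {
    root=$1
    owner=$2

    # Directories any local user can write to (the "777" case).
    find "$root" -type d -perm -0002 | tag WORLD_WRITABLE_DIR

    # PHP scripts writable by group or other. Assumption: the wrapper
    # rejects these, as Apache suEXEC does for its targets.
    find "$root" -type f -name '*.php' \( -perm -0020 -o -perm -0002 \) |
        tag WRITABLE_SCRIPT

    # Anything not owned by the account, e.g. files created earlier by
    # scripts running as the shared web-server user.
    find "$root" ! -user "$owner" | tag WRONG_OWNER
}

# count_findings DIR OWNER CLASS: number of findings of one class.
count_findings() {
    audit_docroot "$1" "$2" |
        awk -F '\t' -v want="$3" '$1 == want { n++ } END { print n + 0 }'
}

# Stand-alone use: sh audit.sh /home/<user>/public_html <user>
if [ "$#" -eq 2 ]; then
    audit_docroot "$1" "$2"
fi
```

Each output line is a finding class, a tab, and the path, so the result can be sorted or counted per account before the change is made.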

  6. #6
    Join Date
    Aug 2006
    Posts
    101
    Support only increases if you have a full server and then enable phpsuexec. Then things will need to be manually set with proper permissions and ownerships. Once the accounts on that server make the adjustments there should no longer be support issues regarding phpsuexec.

  7. #7
    I recommend using phpsuexec, for me it helps a lot and almost all PHP scripts work well with phpsuexec.

  8. #8
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,683
    Personally, I think anyone running without phpsuexec is insane!

    Why? Because:
    • it allows you to track down ownership of runaway scripts more easily (you can see in the ps output who started them!);
    • it improves security between sites (file permissions don't need to be 777 etc);
    • it makes it easier to track down spammers (originator identified by mail headers);
    • it generally makes tracking down script compromises faster (via file ownership).


    Generally anyone complaining about it just hasn't used it, just as simple as that. There's only one case where I would NOT use it and that's where you need mod_php - for instance, on a VERY heavily loaded server dedicated to one or two accounts. In that case, there's no doubt phpsuexec is slower; but that applies to a tiny percentage of servers, for the rest of us phpsuexec is so far ahead it ain't funny. The comments about support calls increasing are just rubbish.

    Don't cause yourself unnecessary extra pain, there's a reason so many of us use phpsuexec.
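
The point in the post above about seeing in the ps output who started a runaway script can be shown on two constructed process listings. This is an added example, not part of the original thread: the function names, user names and sample rows are made up for illustration, and the rows use the layout of `ps -eo user,pcpu,args`.

```shell
#!/bin/sh
# Added example: attribute web/PHP CPU load to accounts from ps output.
# Input rows use the layout of `ps -eo user,pcpu,args`.

# web_cpu_by_user: stdin = ps rows; stdout = "user total_cpu procs",
# busiest user first. Only web-server and PHP executables are counted.
web_cpu_by_user() {
    awk '
        $1 == "USER" { next }                     # ps header line
        {
            cmd = $3; sub(/.*\//, "", cmd)       # basename of the executable
            if (cmd ~ /^(php[0-9.]*(-cgi)?|httpd|apache2)$/) {
                cpu[$1] += $2; procs[$1]++
            }
        }
        END { for (u in cpu) printf "%s %.1f %d\n", u, cpu[u], procs[u] }
    ' | sort -k2,2nr
}

# top_consumer: prints the busiest user, prefixed with SHARED: when that
# user is the common web-server account, in which case ps alone cannot
# tell which site is responsible.
top_consumer() {
    web_cpu_by_user | awk 'NR == 1 {
        if ($1 ~ /^(nobody|apache|www-data)$/) print "SHARED:" $1
        else print $1
    }'
}

# Constructed sample: PHP as an Apache module, every worker runs as nobody.
sample_mod_php() {
    cat <<'EOF'
USER     %CPU COMMAND
root      0.0 /usr/sbin/httpd -k start
nobody   88.0 /usr/sbin/httpd -k start
nobody    4.1 /usr/sbin/httpd -k start
nobody    0.3 /usr/sbin/httpd -k start
EOF
}

# Constructed sample: each PHP process runs as the owning account.
sample_per_user() {
    cat <<'EOF'
USER     %CPU COMMAND
nobody    0.4 /usr/sbin/httpd -k start
alice    91.5 /usr/bin/php /home/alice/public_html/loop.php
alice     3.2 /usr/bin/php /home/alice/public_html/index.php
bob       1.0 /usr/bin/php /home/bob/public_html/index.php
EOF
}

# Stand-alone demo: sh cpu.sh demo
if [ "${1:-}" = "demo" ]; then
    sample_mod_php | top_consumer      # SHARED:nobody
    sample_per_user | top_consumer     # alice
fi
```

On a live server the same functions can be fed with `ps -eo user,pcpu,args | top_consumer`.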

  9. #9
    Thanks a lot for the replies, especially brian.

    I've seen some scripts that refuse to work if the permission is not set to 777 (setting to 755 doesn't work). So if phpsuexec is installed, will those scripts work if we set them to 755? Similarly, are there any scripts that require to run under nobody only?

    Finally, will all .htaccess directives work if we replace it with a php.ini file ?

  10. #10
    Join Date
    Apr 2006
    Location
    Jacksonville, FL
    Posts
    498
    I run PHPSuExec without any problems. It's good for finding server abuse!

  11. #11
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,687
    Personally, I think anyone running without phpsuexec is insane!
    And from a developer (and admin's standpoint), it's more insane TO run phpsuexec. Why?

    PHPsuexec breaks things. Enough said there. Countless scripts need something setup so that phpsuexec will complain like mad. Like it, don't like it, it don't matter, but it breaks things.

    PHPsuexec is not security, it's a problem. Much like requiring 2 users to login via ssh, this is more of a waste of your admin's time, because the scripts that end up getting broken will always be passed off to the admin for "investigation", before it's determined they're phpsuexec problems.

    PHPsuexec lures individuals into a false sense of security. IE: "I have phpsuexec, nothing's going to happen".. Umm, no, that's not true.

    PHPsuexec isn't security, it's a problem. In fact, it's a "band-aid" to a problem. The problem isn't php, it is the incredibly poor development produced by countless companies which release products that have infinite vulnerabilities. Bad, Bad, Bad!
    WHMCS Guru - WHMCS addons, management, support and more.
    WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
    Always looking for Linux, WHMCS, Support Desk work. PM for details

  12. #12
    linux-tech, by "breaks things", do you mean it will break things at the time when phpsuexec is just installed in the server or do you mean it will break things later on ?

  13. #13
    It basically comes down to security vs. supportability. I think security absolutely has to come first, and this is one of the many reasons why webhosting turns out to be a lot more work than most people anticipate when they get into the business. You just can't have one user be able to write to the other users' directories like you would if things needed to be 777.

  14. #14
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,687
    Quote Originally Posted by crystalz
    linux-tech, by "breaks things", do you mean it will break things at the time when phpsuexec is just installed in the server or do you mean it will break things later on ?
    How about both! If you're just moving TO phpsuexec, you'd better expect issues with existing scripts. If you've been using phpsuexec, again, you'd better expect issues to come up.
    It basically comes down to security vs. supportability.
    No, it comes down to security vs. usability, not "supportability".
    If the customer can't use services, then yes, it will cause issues. This is why you don't use phpsuexec, because phpsuexec breaks things.

    phpsuexec doesn't help issues, it creates them. It enforces strict policies which are unrealistic in today's php world. Yes, it would (admittedly) be nice if individuals thought about this stuff in advance, but developers will always screw things up. So, should you disable gallery, simply because phpsuexec is installed? Or should you disable the problem itself, which is phpsuexec (note: that was just an example, phpsuexec causes huge issues server wide).

    The point? Phpsuexec is too limiting, and too problematic. While it provides a (limited) sense of security, said security can be replaced by proper security measures which inform the systems administrator if something goes wrong, or if something looks funny. THAT is proper security, not limiting what your customers can or can not do because you don't know how to implement things properly.

  15. #15
    Join Date
    Apr 2003
    Location
    Melbourne, AU
    Posts
    539
    Hold up guys. I can't find the phpsuexec project website. Is this proprietary software?

    I've been using suPHP and haven't been facing the problems mentioned above though.
    WK Woon
    CTO | http://www.aflexi.net - A flexible Network
    Building the next generation CDN platform - DEMO .... coming soon

  16. #16
    wKkaY, I searched some time back for phpsuexec, but can't find a site for it.

    I run phpsuexec on my hosting servers. I don't get any support requests because of phpsuexec. Only a few poorly coded scripts need PHP scripts in a folder with permission 777; now most scripts have a different folder for world-writable data files with 777 permission. Even if a script breaks because of phpsuexec, just change the file/folder permission and it will work.

    Without phpsuexec, how to track

    1. Your CPU usage is 100%, you know one of your clients is running a buggy script. How do you find which user's script it is?

    2. One of your customers has a vulnerable script on his site. A scriptkiddy uploaded a file to the /tmp folder, which you find after a few days; by that time, the log files are rotated. How will you find which user's site is vulnerable?

  17. #17
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,549
    1. Very easy, there are lots of methods and if they all fail just strace the processes and you will find out quite quickly.

    2. Why did you notice a day later? Mod_security, rename binaries, posix acls will all help stopping and reducing the effects of this.

    Logs should be available when you look at it, to make it easy to track.

    -Scott

    Quote Originally Posted by flashwebhost
    wKkaY, I searched some time back for phpsuexec, but can't find a site for it.

    I run phpsuexec on my hosting servers. I don't get any support requests because of phpsuexec. Only a few poorly coded scripts need PHP scripts in a folder with permission 777; now most scripts have a different folder for world-writable data files with 777 permission. Even if a script breaks because of phpsuexec, just change the file/folder permission and it will work.

    Without phpsuexec, how to track

    1. Your CPU usage is 100%, you know one of your clients is running a buggy script. How do you find which user's script it is?

    2. One of your customers has a vulnerable script on his site. A scriptkiddy uploaded a file to the /tmp folder, which you find after a few days; by that time, the log files are rotated. How will you find which user's site is vulnerable?

  18. #18
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,683
    phpsuexec is a no-brainer, and for most of us it just works perfectly. It makes a complete difference between being able to see the cause of problems easily, and having to dig for them. It removes the need for having directories that are writable to everyone on the server, and PHP scripts that can be seen by the world.

    Sure, it breaks a few things, but they're few and far between - the main thing being some basic auth variables, and that is easily worked around.

    What phpsuexec provides is a basic tenet of security - separation of privilege. I just think that if you believe that it's a superior solution to have everyone on a shared hosting server running under the same userid, you just don't get security on any level. Period. If there's an application that doesn't work under phpsuexec, it's insecure, and saying that the phpsuexec-style architecture is the problem is just ludicrous.

    linux-tech - listening to you one would think the entire world was broken by phpsuexec. I'm not sure what experiences you've had that could possibly cause you to think that, given that my experience and the experience of a number of others on here is the exact opposite!

    I'd like to see a few concrete examples of things that are supposedly broken by phpsuexec - I've run into very few. Gallery works just fine as far as I'm aware.

    And, by the way, phpsuexec is only one facet of Apache security. It's a helpful basic tool, not a final solution. Describing it as otherwise is unhelpful and potentially confusing! Remember, good security is multi-layered.

  19. #19
    Join Date
    Jul 2001
    Location
    Australia
    Posts
    222
    I actually think it is easier to code with phpsuexec on. No need to worry about the 777 thingy.

  20. #20
    Join Date
    Apr 2004
    Location
    Australia
    Posts
    448
    1. Your CPU usage is 100%, you know some of your client is running buggy script. How you find which user script it is ?

    You can make a php script to track what user it is.

    Hosts put so much security on their servers it gets to a stage where it's annoying and pointless, most hosts whack on phpsuexec as a bandaid, while phpsuexec is good at finding who is abusing what. But this can be done in other ways that do not affect your clients.

  21. #21
    Quote Originally Posted by scribby
    You can make a php script to track what user it is.
    Most server admins here don't know how to do this and are not PHP or Perl programmers to code it themselves. Any free script available to do this ?

  22. #22
    Join Date
    May 2006
    Location
    Coimbra, Portugal
    Posts
    236
    Just running 'top' as root will show you who is abusing CPU using PHP

  23. #23
    Quote Originally Posted by sspt
    Just running 'top' as root will show you who is abusing CPU using PHP
    Only when you have phpsuexec installed ?

  24. #24
    Join Date
    Apr 2004
    Location
    Australia
    Posts
    448
    Quote Originally Posted by flashwebhost
    Most server admins here don't know how to do this and are not PHP or Perl programmers to code it themselves. Any free script available to do this ?
    Not that I know of, it took me a while to code one myself.

  25. #25
    Join Date
    Apr 2002
    Location
    Wirral/Cheshire/Meresyside
    Posts
    203
    I agree phpsuexec is best to have on and with mod_security is best!
    http://www.gocre8.co.uk - Liverpool Web Design
    http://www.outallnite.co.uk - Liverpool Clubbing

  26. #26
    Join Date
    May 2006
    Location
    Coimbra, Portugal
    Posts
    236
    Quote Originally Posted by flashwebhost
    Only when you have phpsuexec installed ?
    If phpsuexec or suphp aren't installed the processes will run as apache which is a big issue.

    Running as apache I can do the following:
    <?system("cat /etc/passwd");?>
    (Check all system users)
    <?system("ls /home/usernames_on_passwd_file/public_html");?>
    (List all user files/directories)
    <?system("tar -cf /home/my_home_dir/public_html/bad_guy.tar /home/usernames_on_passwd_file/public_html/");?>
    (Compact all user files into a tar)

    Since usually config.incs with mysql passwords are stored inside public_html you can easily get hacked if you have php without suexec and with:
    system function enabled (openbasedir has no effect in this function)
    shell_exec / exec if openbasedir is disabled

  27. #27
    Join Date
    Apr 2004
    Location
    Australia
    Posts
    448
    Quote Originally Posted by sspt
    If phpsuexec or suphp aren't installed the processes will run as apache which is a big issue.

    Running as apache I can do the following:
    <?system("cat /etc/passwd");?>
    (Check all system users)
    <?system("ls /home/usernames_on_passwd_file/public_html");?>
    (List all user files/directories)
    <?system("tar -cf /home/my_home_dir/public_html/bad_guy.tar /home/usernames_on_passwd_file/public_html/");?>
    (Compact all user files into a tar)

    Since usually config.incs with mysql passwords are stored inside public_html you can easily get hacked if you have php without suexec and with:
    system function enabled (openbasedir has no effect in this function)
    shell_exec / exec if openbasedir is disabled
    That's what mod_security is for, and all my experiences with openbasedir have prevented any access outside of the directories specified, I will do some testing when I get time.

  28. #28
    Join Date
    Mar 2005
    Posts
    359
    I'm using phpsuexec on cpanel for at least 3 years without big problems... I got problems only with very OLD scripts, and since 1 year ago I don't have any kind of trouble.

    My only problem is related to running php caches like eaccelerator / APC, they didn't seem to work with phpsuexec enabled.

  29. #29
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,683
    Quote Originally Posted by scribby
    Thats what mod_security is for, and all my experiences with openbasedir have prevented any access outside of the directory's specified, I will do some testing when I get time.
    You have to be kidding if you think mod_security would prevent any aspect of that script running; is that what you meant? I know openbasedir **might** (does it restrict the system() and passthru() functions?) help, but it makes a mess of a lot of PHP functions that are used by real life scripts.

    It's impossible to write a script that will tell in every instance what user started a script without phpsuexec (*). That's one reason why phpsuexec is so valuable. Another reason is that it prevents the "tar cf somefile /home/dirs/public_html" style of attack mentioned above.


    You can resist this all you like, but the arguments are getting more and more ridiculous and baseless; phpsuexec is not a bandaid; it's only part of a security solution, you need other things as well, but it is so good at what it does that it's essential, in my opinion.


    (*) A running script can very easily obliterate all identifying traces, even so that you can't look at it with lsof or other similar tools.

  30. #30
    The only disadvantages which I see with phpsuexec are the following:

    - php scripts are not running in symlinks
    - phpauth is not working anymore

    Another advantage is, if a script is creating a file, the customer has the right to delete the file again, because it's owned by the user.

    We have now been using phpsuexec for 2 years and love it.

    Mike

  31. #31
    Join Date
    Apr 2004
    Location
    Australia
    Posts
    448
    Quote Originally Posted by brianoz
    You have to be kidding if you think mod_security would prevent any aspect of that script running; is that what you meant? I know openbasedir **might** (does it restrict the system() and passthru() functions?) help, but it makes a mess of a lot of PHP functions that are used by real life scripts.

    It's impossible to write a script that will tell in every instance what user started a script without phpsuexec (*). That's one reason why phpsuexec is so valuable. Another reason is that it prevents the "tar cf somefile /home/dirs/public_html" style of attack mentioned above.


    You can resist this all you like, but the arguments are getting more and more ridiculous and baseless; phpsuexec is not a bandaid; it's only part of a security solution, you need other things as well, but it is so good at what it does that it's essential, in my opinion.


    (*) A running script can very easily obliterate all identifying traces, even so that you can't look at it with lsof or other similar tools.
    Openbasedir does not restrict any functions, it stops scripts/functions accessing outside of the directories you specify.

    This then stops access to the bin file so you can't access commands like reboot, cat, ls, etc, tar... also stop people accessing the passwd file and other users' home directories.

    Openbasedir along with a CORRECTLY configured modsecurity ruleset is just as good as installing phpsuexec.

  32. #32
    Join Date
    Mar 2004
    Location
    Odessa, Ukraine
    Posts
    605
    I know a lot of tricks for avoiding openbasedir. Hackers know more than me.

  33. #33
    Join Date
    Oct 2004
    Location
    India
    Posts
    491
    phpsuexec is now not maintained. cPanel picked it up and works on it so that it can be included with it.

    suPHP is the best option nowadays.
    ESC :wq!

  34. #34
    Join Date
    Apr 2004
    Location
    Australia
    Posts
    448
    Quote Originally Posted by andreyka
    I know a lot of tricks for avoiding openbasedir. Hackers know more than me.
    That's like me saying I know lots of tricks to avoid phpsu.

    The fact is that not just one extra security program is going to help you, you will need multiple.

  35. #35
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,683
    Quote Originally Posted by scribby
    The fact is that not just one extra security program is going to help you, you will need multiple.
    Absolutely ... real security is a multi-layer approach. You don't win a war by giving soldiers new shirts; you win by having good body armour, weaponry, mobile tanks, inbuilt defences, perimeter monitoring and all those good things.

    Quote Originally Posted by scribby
    Openbasedir does not restrict any functions, it stops scripts/functions accessing outside of the directories you specify.
    Well, it doesn't restrict too much but it does stop nearly every sophisticated script from running so should be unacceptable to any host that allows programming.

    Quote Originally Posted by scribby
    This then stops access to the bin file so you can't access commands like reboot, cat, ls, etc, tar... also stop people accessing the passwd file and other users' home directories.
    These should be protected by ownership and permissions, with root only access to the critical commands. Things like "reboot" require root permission to work, and it's actually the bin *directory*, in case you didn't realize.

    Quote Originally Posted by scribby
    Openbasedir along with a CORRECTLY configured modsecurity ruleset is just as good as installing phpsuexec.
    You just don't understand what phpsuexec or suPHP do, as they're not the same as openbasedir at all. And one should also run mod_security with phpsuexec, to not do so is foolish. Openbasedir adds little in the way of protection (it can be circumvented, probably easily), breaks scripts, and generally adds a false sense of security.

    The true value of phpsuexec is that it allows unix file system and user security to keep running processes apart. This keeps users out of each other's files, makes it clear where spam is coming from, and helps isolate the source of runaway processes.

    I'm not saying openbasedir doesn't help, just that I think it's a weaker solution than phpsuexec for simple architectural reasons - having all the users on the system share the same userid and file access rights is architecturally ludicrous.

  36. #36
    Join Date
    Apr 2006
    Location
    Mumbai, India
    Posts
    184
    Is it true that eaccelerator doesn't work with phpsuexec?

    What about with suPHP?

  37. #37
    Join Date
    Apr 2004
    Location
    Australia
    Posts
    448
    Quote Originally Posted by Webberzone
    Is it true that eaccelerator doesn't work with phpsuexec?

    What about with suPHP?
    I heard phpsuexec is not developed anymore so you should use suPHP anyways?

  38. #38
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,683
    Quote Originally Posted by Webberzone
    Is it true that eaccelerator doesn't work with phpsuexec?

    What about with suPHP?
    phpsuexec and suphp both work by running the php instance separately under a separate userid. This adds enormously to security but breaks all php acceleration attempts that work by caching code, as there's nowhere to cache any more. So, yes, they don't work with phpsuexec and I'm fairly sure they don't work with suPHP. It actually should be possible to develop something perhaps caching in shared memory but it's not trivial.

    phpsuexec isn't developed any more but that's mostly irrelevant as it doesn't need to change, and it's standard on cpanel servers.

    If you're running a heavily loaded server, suPHP/phpsuexec will slow you down noticeably - just how much depends on the exact pattern of PHP usage - can vary from 20 to 1000 times from reports I've heard. It won't slow you down if the usage is widely spread - it will slow you down if there are a few heavily accessed accounts.

  39. #39
    Quote Originally Posted by Scott.Mc
    1. Very easy, there are lots of methods and if they all fail just strace the processes and you will find out quite quickly.

    2. Why did you notice a day later? Mod_security, rename binaries, posix acls will all help stopping and reducing the effects of this.

    Logs should be available when you look at it, to make it easy to track.

    -Scott
    Scott is totally right for all what he said...

    If you are all talking about tracking hacked users ... files that got into /tmp ... etc.
    Whatever! Why would you let them get in there?!
    But what you didn't notice... with a simple exploit in a client website, like a remote include, first of all he won't have hard thoughts to find a 777 directory to upload a shell script to, because he already has the USER permission, not nobody or something, and at the same time he can easily use the shell scripts to edit the website index, DEFACING it easily or even deleting it!
    And another tweak I hate in phpsuexec: they can overwrite your php.ini settings by simply uploading a php.ini to a directory.
    That's useful for some people, but I don't like to be an easy target for anyone...

  40. #40
    Quote Originally Posted by andreyka
    I know a lot of tricks for avoiding openbasedir. Hackers know more than me.
    looooooooooooool me2 open_basedir and safe mode , suexec also
    priv8 world r0x
