Charlottezweb

Current News => News & Announcements => News Archive => Topic started by: Jason on February 20, 2006, 10:39:10 PM

Title: Cyclone :: Conversion to PHPSUEXEC
Post by: Jason on February 20, 2006, 10:39:10 PM
I will be adding phpsuexec to Cyclone this coming Sunday afternoon/evening.
Sunday, February 26, 2006



What is phpsuexec?
I found this text on multiple hosting sites so I'm not sure of the original author:
Quote
"When PHP runs as an Apache Module it executes as the user/group of the webserver which is usually "nobody". Under this mode, files or directories that you require your php scripts to write to need to have 777 permissions (read/write/execute at user/group/world level). This is not very secure because besides allowing the webserver to write to the file it also allows anyone else to read or write to the file.

With PHP running as CGI with suexec enabled your php scripts now execute under your user/group level. Files or directories that you require your php scripts to write to no longer need to have 777 permissions. In fact, having 777 permissions on your scripts or the directories they reside in will not run and will instead cause a 500 internal server error when attempting to execute them to protect you from someone abusing your scripts. Your scripts and directories can have a maximum of 755 permissions (read/write/execute by you, read/execute by everyone else). PHP running as CGI/suexec is much more secure than the older Apache module method."

To cut to the chase, this script will GREATLY enhance our ability to keep the server secure and troubleshoot if the need arises.  In the event that any sort of script compromise occurs, spam is being sent, an account is compromised, etc, phpsuexec provides more containment from a security perspective and also allows us to very quickly pinpoint these problems.  We're seeing issues from time to time on Thunder and Lightning that are taking us longer than needed to diagnose because of a lack of this.  Seeing as this is a newer server, I'm going to start with it just like we did php5 so the move is as painless as possible.  Ultimately we will likely move to place all servers on phpsuexec due to all of its benefits.  I've been researching this for months (literally) and many hosts have moved this way already and I think it's certainly the time to get onboard.

What do I need to do to prepare?
Before this coming Sunday (Feb 26, 2006) evening, you will want to adjust permissions on your files.  Due to the way phpsuexec works, if you have files that are chmodded to 777 (which is often the standard for many scripts), you will get server error messages after phpsuexec is enabled.   

I found this general troubleshooting info all over the web (not sure of the original source):
Quote
Troubleshooting
HELP my php script doesn't work or I have an error message.

1. Check that the php script that you are attempting to execute has permissions of no more than 755 - 644 will work just fine normally, this is not something that will need to be changed in most cases.

2. Check that the directory permissions that the script resides within is set to a maximum of 755. This also includes directories that the script would need to have access to also.

3. Check that you do not have a .htaccess file with php_values within it. They will cause a 500 Internal server error, when attempting to execute the script.

The php_values will need to be removed from your .htaccess file and a php.ini put in its place, containing the php directives as explained above.

How will this impact future clients or new scripts I install?
Once phpsuexec is in place and you've converted any existing scripts, you should hardly notice it's there.  It's not a new concept so most all major scripts should've been supporting it a long time ago.  If you have anything custom in your account, you may need to make sure it's workable.  Otherwise, there should be little to no noticeable impact to new users or new script additions.  The initial "learning phase" of switching permissions on existing scripts is typically the hard part.  Even then, it may be a breeze.  We'll find out.  :)

Will you be supporting this?
I will be taking off work the following Monday so that I can be available all night and day Sunday and Monday to help anyone that has any issues.  Given the few accounts we have on this server now, I'm hoping it will be very quick and painless. 

I will be posting again to this thread once I start the installation Sunday afternoon/evening.  I will be emailing a notice to this thread to all clients on Cyclone in the next thirty minutes tonight so that everyone has a link to this post and can post their comments/concerns.

Please post your support questions to the forum so that future users can use them going forward.  If we convert Thunder and Lightning, we're going to have quite a few other websites to tackle. :)


--------------------------

More information on phpsuexec:

http://www.nsdesign.net/cgi-bin/newdesk/new/cgi-bin/kb.cgi?do=read&id=94&lang=en

http://www.cablan.net/cablan/What_is_PHPSuexec.449.0.html

https://emaxhosting.com/support/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=411

Quote
Pros/Cons from an ev1 forum post:

Pros
More Secure.
Identifiable Email
Runs as user not as nobody so forum avatar uploaded by users will be owned by the user not as nobody. This includes many other 3rd party scripts which permit uploads.
Disk quota will be more accurate as files will no longer be owned by nobody but rather by the user so proper quota will be calculated.

Cons
Runs just a bit slower since it runs as CGI
Some Fantastico installation may bomb after installation
Need to modify .htaccess to not use php directives (Educate your users)
Existing script may need to be re permed on some installations. EG PhpLive for instance. I have to chmod 0755 all php scripts even after uploading them via FTP. Depends on the scripts though, most of the time your users won't need to do a thing to continue using their sites. Depends on the situation really.
Title: Re: Cyclone :: Conversion to PHPSUEXEC
Post by: WSA on February 21, 2006, 10:25:43 AM
What does this mean I have to do?  Do I have to go into every file and change the permissions?
Title: Re: Cyclone :: Conversion to PHPSUEXEC
Post by: Jason on February 21, 2006, 12:02:01 PM
Quote from: WSA on February 21, 2006, 10:25:43 AM
What does this mean I have to do?  Do I have to go into every file and change the permissions?

Great question.

Two things come to mind at this point.

1.  Make sure your files are properly chmodded.  If you have any files with a permission of 777, they will need to be lowered.  Permissions greater than 755 will cause your pages not to load. 

You don't have to change permissions individually.  Your ftp program should enable you to change full directories and files within them with one command.  Let me know if you need further details on this.

2.  I would also scour your sites and see what scripts you're using.  Then check with those script developers' websites to see if there are any known issues with running them in a phpsuexec environment.  There *may* be special instructions for doing so that will need to be followed.  Maybe search "phpsuexec" in their forums and see what comes up.  If you find any issues, feel free to let me know.

Thanks!

Regards,
Jason
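
The troubleshooting checklist in the first post and the bulk permission change described in this reply can also be run from a shell, as in this added example (not part of the original thread or the host's tooling). The function names are hypothetical, it assumes shell access to the account, and it treats "above 755" as any group- or world-writable bit.

```shell
#!/bin/sh
# Added example: pre-migration audit for a phpsuexec (PHP as CGI + suexec) switch.
# Function names are hypothetical; run against your own docroot, e.g. ~/public_html.

# Assumption: "above 755" means the group-write (020) or world-write (002) bit is set.
# Only regular files and directories are considered; symlinks are skipped.
audit_perms() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# Clear only the offending bits: 777 becomes 755, 666 becomes 644, 775 becomes 755.
fix_perms() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) \
        -exec chmod go-w {} +
}

# List .htaccess files that still carry mod_php directives (php_value, php_flag and
# their php_admin_ variants), which produce a 500 error once PHP runs as CGI.
audit_htaccess() {
    find "$1" -type f -name .htaccess \
        -exec grep -Eq '^[[:space:]]*php_(admin_)?(value|flag)[[:space:]]' {} \; -print
}

# Usage: sh phpsuexec_audit.sh audit|fix DIR   (no arguments: only define the functions)
case "${1:-}" in
    audit) audit_perms "$2"; audit_htaccess "$2" ;;
    fix)   fix_perms "$2" ;;
esac
```

Run the audit first and review the list before running the fix; the directives reported by `audit_htaccess` still have to be moved into a php.ini by hand.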

Title: Re: Cyclone :: Conversion to PHPSUEXEC
Post by: Mark on February 21, 2006, 04:05:40 PM
Just to clarify, this ONLY affects PHP files right?

Also this does not mean that our folders need to be lowered from 777 to 755 right?
Title: Re: Cyclone :: Conversion to PHPSUEXEC
Post by: Jason on February 21, 2006, 07:26:27 PM
Quote from: Killer Possum on February 21, 2006, 04:05:40 PM
Just to clarify, this ONLY affects PHP files right?

Also this does not mean that our folders need to be lowered from 777 to 755 right?

Hi, my understanding is that this will impact all webfiles...your html files as well.

This may help:

"With PHP running as CGI with suexec enabled your php scripts now execute under your user/group level. Files or directories that you require your php scripts to write to no longer need to have 777 permissions. In fact, having 777 permissions on your scripts or the directories they reside in will not run and will instead cause a 500 internal server error when attempting to execute them to protect you from someone abusing your scripts. Your scripts and directories can have a maximum of 755 permissions (read/write/execute by you, read/execute by everyone else). PHP running as CGI/suexec is much more secure than the older Apache module method.

Files and directories also need to be owned by your user/group. You probably don't need to worry about this as all files you upload or create will be owned by your user/group automatically."

Title: Re: Cyclone :: Conversion to PHPSUEXEC
Post by: Mark on February 21, 2006, 07:52:45 PM
I see... ok.

Well it's good to know that with this then even with CHMOD 755 it will "act" as a 777 in that it will be writable by scripts. I think, if I understood that right.
Title: Re: Cyclone :: Conversion to PHPSUEXEC
Post by: Jason on February 21, 2006, 07:56:47 PM
Yes, 755 will be writable to scripts assuming they're scripts in your own account space.  The point is that it will only run scripts within your account space as your account name and not allow "nobody" to run them as most current setups.  There are lots of security advantages to this which should lead us to greater system health and uptimes.
Title: Re: Cyclone :: Conversion to PHPSUEXEC
Post by: PeterL on February 23, 2006, 04:37:10 PM
Ok, Jason, so I'm using Ws-FTPLE which allows me to chmod folders, with tick marks for Read, write and Execute.

My folder /public_html and folder in there called /Yabbse (simple machines forum folder) are BOTH showing as:

Owner - Read & Write
Group - Read
Other - Read


Is that gonna do it?

How can I see the numerical codes: 777, etc?

Thanks

peter



Title: Re: Cyclone :: Conversion to PHPSUEXEC
Post by: Jason on February 23, 2006, 06:25:58 PM
Quote from: PeterL on February 23, 2006, 04:37:10 PM
Ok, Jason, so I'm using Ws-FTPLE which allows me to chmod folders, with tick marks for Read, write and Execute.

My folder /public_html and folder in there called /Yabbse (simple machines forum folder) are BOTH showing as:

Owner - Read & Write
Group - Read
Other - Read


Is that gonna do it?

How can I see the numerical codes: 777, etc?

The ability to see numerical codes may be a function of what version of the software you have.  For example, in my WS-FTP PRO, I see a screen (below) with the check options as you described as well as a "Numerical Value" field where you can use the numbers.

Here's what 755 should look like though:
(filenames have been removed to protect the innocent  8) )

(http://www.charlottezweb.com/images/wsftpimage.gif)

Title: Re: Cyclone :: Conversion to PHPSUEXEC
Post by: PeterL on February 24, 2006, 10:51:47 AM
My version of WSFTP is the freebie, and so the numerical values are not shown.

I think I'm gonna buy WSFTP Pro... I like the program and I'm used to it. I tried Filezilla, which was recommended by someone on the SMF site, but it just didn't seem to be as intuitive as WSFTP.

In addition to this, I today see my site is down because of permissions.

I don't know if these are changed because of the changes you are making to Cyclone, or if something else has changed. Here's what I get:

------
Warning: main(/home/enchant/public_html/yabbse/SSI.php) [function.main]: failed to open stream: Permission denied in /home/enchant/public_html/site_template/header_footer.php on line 2

Fatal error: main() [function.require]: Failed opening required '/home/enchant/public_html/yabbse/SSI.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/enchant/public_html/site_template/header_footer.php on line 2
-------
If this is NOT part of your Cyclonic changes, feel free to remove this message from the thread.

I'd appreciate your valuable help, once again.

Thanks

Peter


Title: Re: Cyclone :: Conversion to PHPSUEXEC
Post by: Jason on February 24, 2006, 10:55:33 AM
We haven't altered any configurations yet -- I'm not going to touch anything until Sunday. 

I'll send out an email before and after I make the phpsuexec switch just so everyone is aware.

Check your permissions on that header_footer.php file.  Might want to double-check ssi.php as well.

Cheers,
Jason

Title: Re: Cyclone :: Conversion to PHPSUEXEC
Post by: Mark on February 24, 2006, 11:09:57 AM
Just a side note here, PeterL, if you are going to go for a paid FTP solution I would highly recommend CuteFTP (Home or Pro depending on your needs). I've been using it for many years, I have Pro and upgrade it every time a new version comes out. And though I had WSFTP at my old job I had to make them buy me CuteFTP because it just works so well :D

www.cuteftp.com
Title: Re: Cyclone :: Conversion to PHPSUEXEC
Post by: WSA on February 24, 2006, 11:14:31 AM
I use SmartFTP personally.  It's free and it does what I need it to do.
Title: Re: Cyclone :: Conversion to PHPSUEXEC
Post by: PeterL on February 24, 2006, 11:30:30 AM
Got it... problem solved..

Thanks

Title: Re: Cyclone :: Conversion to PHPSUEXEC
Post by: tianto on February 24, 2006, 02:45:38 PM
Hi All...!

I Only have installed SMF 1.1 RC2.....so, how I have to give permissions???  (which files or folders?)

???

Ahh.....one more thing....you don't have to pay for a really good FTP solution....get Filezilla....

Here you could see the file attributes menu....

(http://img515.imageshack.us/img515/626/filezilla3gq.jpg)
Title: Re: Cyclone :: Conversion to PHPSUEXEC
Post by: Jason on February 24, 2006, 02:53:27 PM
Quote from: tianto on February 24, 2006, 02:45:38 PM
I Only have installed SMF 1.1 RC2.....so, how I have to give permissions???  (which files or folders?)

You can set everything to 755 if you'd like.  Some files don't need to be that high, but for SMF it won't matter.

Just make sure nothing is above 755.  That's the main thing to avoid.

Title: Re: Cyclone :: Conversion to PHPSUEXEC
Post by: tianto on February 24, 2006, 03:20:18 PM
Ok...thanks...!  :D
Title: Re: Cyclone :: Conversion to PHPSUEXEC
Post by: DVR on February 26, 2006, 11:25:23 AM
jason,

good luck today on getting PHPSUEXEC on cyclone! glad to see you are constantly improving the quality of our hosting server.

thanks!
Title: Re: Cyclone :: Conversion to PHPSUEXEC
Post by: Jason on February 26, 2006, 06:52:18 PM
The conversion to phpsuexec will be started now.

I will update this thread once complete.

An email has been sent to all Cyclone clients again just now advising of the schedule.
Title: Re: Cyclone :: Conversion to PHPSUEXEC
Post by: Jason on February 26, 2006, 07:16:40 PM
Quote from: Jason on February 26, 2006, 06:52:18 PM
The conversion to phpsuexec will be started now.

I will update this thread once complete.

An email has been sent to all Cyclone clients again just now advising of the schedule.

The upgrade is complete.

Please check your sites immediately to make sure they're functioning properly.

Another note that I didn't mention before, if you're using your own .htaccess files, make sure there aren't any php-related commands in them.
Title: Re: Cyclone :: Conversion to PHPSUEXEC
Post by: Mark on February 27, 2006, 12:19:49 AM
Well, everything seems to be in order and working. And FWIW my directories that are 777 are functioning fine, so it looks like it only affects files :)
Title: Re: Cyclone :: Conversion to PHPSUEXEC
Post by: Jason on February 27, 2006, 09:34:40 AM
Quote from: Killer Possum on February 27, 2006, 12:19:49 AM
Well, everything seems to be in order and working. And FWIW my directories that are 777 are functioning fine, so it looks like it only affects files :)

Hmmm.  Thanks for the feedback.  I'm going to look into that one.  :)
Title: Re: Cyclone :: Conversion to PHPSUEXEC
Post by: WSA on February 27, 2006, 10:36:19 AM
Everything is working fine on my site. :)