Thunder/Lightning :: Conversion to PHPSUEXEC

Started by Jason, June 19, 2006, 03:19:06 PM

Jason

I will be enabling phpsuexec on Thunder and Lightning within the next 48 hours due to security concerns.   Thunder will be upgraded this evening.

Thunder:  Monday, June 19, 2006
Lightning:  Tuesday, June 20, 2006 or Wednesday* 

(Lightning may be pushed back depending on how smoothly Thunder transitions)

It is important that you read below to understand the impact this may have on your account.  Pay special attention to the section:  "What do I need to do to prepare?"

What is phpsuexec?
I found this text on multiple hosting sites so I'm not sure of the original author:
Quote
"When PHP runs as an Apache Module it executes as the user/group of the webserver which is usually "nobody". Under this mode, files or directories that you require your php scripts to write to need to have 777 permissions (read/write/execute at user/group/world level). This is not very secure because besides allowing the webserver to write to the file it also allows anyone else to read or write to the file.

With PHP running as CGI with suexec enabled your php scripts now execute under your user/group level. Files or directories that you require your php scripts to write to no longer need to have 777 permissions. In fact, having 777 permissions on your scripts or the directories they reside in will not run and will instead cause a 500 internal server error when attempting to execute them to protect you from someone abusing your scripts. Your scripts and directories can have a maximum of 755 permissions (read/write/execute by you, read/execute by everyone else). PHP running as CGI/suexec is much more secure than the older Apache module method."

To cut to the chase, this script will GREATLY enhance our ability to keep the server secure and troubleshoot if the need arises.  In the event that any sort of script compromise occurs, spam is being sent, an account is compromised, etc, phpsuexec provides more containment from a security perspective and also allows us to very quickly pinpoint these problems.  We're seeing issues from time to time on Thunder and Lightning that are taking us longer than needed to diagnose because of a lack of this.  I've been researching this for months (our latest server, Cyclone, was converted back in February), many hosts have moved this way already and I think it's certainly the time to get onboard. 

What do I need to do to prepare?
Before your server is converted, you will want to adjust permissions on your files.  Due to the way phpsuexec works, if you have files that are chmodded to 777 (which is often the standard for many scripts), you will get server error messages after phpsuexec is enabled.   You will want to lower those to 755.

I found this general troubleshooting info all over the web (not sure of the original source):
Quote
Troubleshooting
HELP my php script doesn't work or I have an error message.

1. Check that the php script that you are attempting to execute has permissions of no more than 755 - 644 will work just fine normally, this is not something that will need to be changed in most cases.

2. Check that the directory permissions that the script resides within is set to a maximum of 755. This also includes directories that the script would need to have access to also.

3. Check that you do not have a .htaccess file with php_values within it. They will cause a 500 Internal server error, when attempting to execute the script.

The php_values will need to be removed from your .htaccess file and a php.ini put in its place, containing the php directives as explained above.

How will this impact future clients or new scripts I install?
Once phpsuexec is in place and you've converted any existing scripts, you should hardly notice it's there.  It's not a new concept so most all major scripts should've been supporting it a long time ago.  If you have anything custom in your account, you may need to make sure it's workable.  Otherwise, there should be little to no noticeable impact to new users or new script additions.  The initial "learning phase" of switching permissions on existing scripts is typically the hard part.  Even then, it may be a breeze.  We'll find out.  :)

Why such short notice?
We've been looking into enabling phpsuexec on all servers since 2005.  However, it's been easier to fight small fires as they arise rather than making the jump and inconveniencing you with having to alter your sites.  This process has become time consuming and more importantly it means that finding problems when they arise takes longer -- resulting in longer outages in some cases.  An event in the last day has prompted me to react with less notice than I would normally hope to provide.  I always try to give as much of an advance warning as I can pass on, however, this is a situation that I believe is best addressed immediately.

Just in case some of you don't get the notice before the upgrade tonight, I will be running some global commands on Thunder to adjust permissions before the upgrade.  That should hopefully prevent errors with users running files chmodded to 777.

Will you be supporting this?
Our server Cyclone had phpsuexec enabled back in February and it has performed quite well.  It makes it possible to see who is doing what on the server quite clearly which is key to fast troubleshooting if needed.  You can read about how the change on that server went here:

http://www.charlottezweb.com/forums/index.php?topic=356.15

I will be posting again to this thread once I start the installations.  I will be emailing a notice of this thread to all clients this afternoon so that everyone can post their comments/concerns here.

Please post your support questions to the forum (here) so that future users can use them going forward.  :)


--------------------------

More information on phpsuexec:

http://www.nsdesign.net/cgi-bin/newdesk/new/cgi-bin/kb.cgi?do=read&id=94&lang=en

http://www.cablan.net/cablan/What_is_PHPSuexec.449.0.html

https://emaxhosting.com/support/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=411
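The preparation steps in the post above (nothing above 755, no php_value lines in .htaccess) can be checked before a conversion with a short audit. This is an added example, not from the thread or the host's own tooling; the function names and the docroot argument are assumptions, and it goes slightly beyond 777 by flagging anything group- or world-writable (775, 666 and so on), along with php_flag as well as php_value.

```shell
#!/bin/sh
# Added example: pre-conversion audit of a web root for phpsuexec.
# Function names and the docroot argument are assumptions, not from the thread.

# List regular files and directories writable by group or world
# (777, 775, 666, ...). Symlinks are skipped: their own mode is always 777.
find_overpermissive() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# List .htaccess files that carry mod_php directives (php_value / php_flag),
# which produce a 500 error once PHP runs as CGI under suexec.
list_htaccess_php() {
    find "$1" -type f -name .htaccess \
        -exec grep -liE '^[[:space:]]*php_(value|flag)[[:space:]]' {} \;
}

# Strip only the group/world write bits: 777 -> 755, 666 -> 644, 775 -> 755.
# Owner bits and execute bits are left untouched.
fix_perms() {
    find_overpermissive "$1" | while IFS= read -r path; do
        chmod go-w "$path"
    done
}

# Print both findings for one web root.
audit() {
    echo "== writable by group or world =="
    find_overpermissive "$1"
    echo "== .htaccess files with php_value/php_flag =="
    list_htaccess_php "$1"
}

# Run the report only when a directory is passed on the command line.
if [ -n "${1:-}" ]; then
    audit "$1"
fi
```

Run it against the account's web root first in report mode; `fix_perms` changes modes in place, so review the report before calling it.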

CountryLady

#1
Thanks for keeping us all aware of what's going on and why, Jason -- it's very rare in today's cyber world. Website and server security is a primary concern for all of us. Knowing you're there to help anyone who has difficulties is MOST reassuring.

Cheers for You, Jason~! I'm so happy I found Charlottezweb Hosting.


Chance favors the prepared. Come join us at OurCountryHaven.

The Librarian

Hi Jason,

I don't know what server I'm on but I thought we had already done this back in Feb? So maybe I am ok.  I won't be around much this week as I am moving house, so maybe you can tell me if I am on these servers or not, and then I can start worrying later?

thanks
The Librarian

Jason

Quote from: ello on June 19, 2006, 05:11:43 PM
I don't know what server I'm on but I thought we had already done this back in Feb? So maybe I am ok.  I won't be around much this week as I am moving house, so maybe you can tell me if I am on these servers or not, and then I can start worrying later?

You're on Cyclone so this won't impact you.

Cheers,
Jason

Jason

We are going to begin the Thunder conversion now...

Jason

Thunder's conversion to phpsuexec is complete.  Please check your sites for functionality and post here if needed.

Thanks,
Jason

Jason

Note:  If you have chmodded your files to 755 (at the highest) and are still experiencing problems, make sure you don't have any php commands located in your htaccess file.  If you rename your htaccess file, that will likely fix your issues if you're having any.


Powerbob

Hi, well a little more warning would have been very helpful. Instead I find the site down, and am getting sms after sms telling me members cannot access the site! >:( I am not a very happy bunny this day!

As to the explanation, well I am sorry but for us non-geeks it's a joke! I am still not clear as to what to do to bring my site back on-line.

Some help here would go a long way to making amends!


Powerbob (ofbboard.com still down)
It's nice to be nice

Kris

Man,

I don't like this at all.
(just emailed you too)

I'm abroad for business and get sms that all sites are down.

Next time you upgrade, you should just warn everyone at least one week before. Resources have to be planned etc. Putting a message here and a few hours later upgrade is just not done.

I like your hosting and service but the last month you've done this already twice... Last time I had to upgrade a lot of my sources and I lost a lot of data because of that... :(

Might be time changing hosts...

Jason

Quote from: Powerbob on June 20, 2006, 01:28:11 AM
Hi, well a little more warning would have been very helpful. Instead I find the site down, and am getting sms after sms telling me members cannot access the site! >:( I am not a very happy bunny this day!

As to the explanation, well I am sorry but for us non-geeks it's a joke! I am still not clear as to what to do to bring my site back on-line.

Some help here would go a long way to making amends!


Powerbob (ofbboard.com still down)

Hi Powerbob.  I completely understand your frustration, but time was not an option in this case unfortunately.  I'll be happy to go into details here after we sort this out.

Make sure your files are no greater than 755 from a chmod perspective.  I ran a script to do this for everyone yesterday before the upgrade, so that is not likely your problem. 

If that doesn't do it, make sure you don't have an htaccess file in your public_html folder.  If you do, try renaming it.  That will likely solve the problem.

If not, please post here or email me directly with a path to the installation having issues.

I'm going to look into your account for you now.

- - - - -

Quote from: Kris on June 20, 2006, 01:32:00 AM
Man,

I don't like this at all.
(just emailed you too)

I'm abroad for business and get sms that all sites are down.

Next time you upgrade, you should just warn everyone at least one week before. Resources have to be planned etc. Putting a message here and a few hours later upgrade is just not done.

I like your hosting and service but the last month you've done this already twice... Last time I had to upgrade a lot of my sources and I lost a lot of data because of that... :(

Might be time changing hosts...

Hi Kris,

I understand your frustration, but if you knew my reasoning, you'd understand.  In fact, the server itself was almost shut down this morning due to the reason behind my actions.  You pay me to keep your site online.  You have to trust that my actions are always going to be geared towards making the best decisions to keep that possible.  As I know you're aware, I always provide as much time as possible -- typically a week or so -- but that was not an option this time as I'll be happy to explain later.  I can't go into further detail at this time, but I will be happy to do so once this has been completed. 

As for the last upgrade to php5 -- I gave about a week's notice.  Your need to upgrade then was because of an outdated script.  You would've faced that same issue no matter who your host is. 

Have you followed the instructions above?  If your permissions are correct, have you renamed/removed any htaccess files you have in place?

I'm going to look into your account for you now.

Regards,
Jason

Powerbob

Well I found several files and dirs at 777 which I changed by hand to 755. 6 hours of frustrating looking and changing :'(


Powerbob
It's nice to be nice

Jason

Kris,

Your forum is up.  Please confirm.

Powerbob,

Looking into yours now.


Jason

Powerbob,

Your forum is up.  Please confirm.

Regards,
Jason

Kris

Quote from: Jason on June 20, 2006, 08:18:59 AM
Kris,

Your forum is up.  Please confirm.

Powerbob,

Looking into yours now.


I've done it myself.
Have to keep my clients happy.

tmlfever