My SuPHP lesson

**mersh** · 12-22-2008, 04:41 PM

Wow did I learn a lesson today from the techs at http://www.CanadianWebHosting.com (figure I'll plug them because they helped me beyond the actual support I'm paying for, but didn't charge me)

What I did know, was that php runs on my server as user "nobody" and that in order for me to be able to run Vshare I had to set file permissions to 777 on many folders and a few files. I never felt good about that because I always thought it left the sever open to compromise, since anyone with the knowhow could hack and write to the files.

I also know that suphp forces php to work as the user of the site, instead of use "nobody". But every time I turned it on, I started getting these "Internal Server Error 500" errors.

What I DIDN'T know was, if you are running suphp, you cannot have file permissions set higher than 755, so every file I had set to 777 was causing an error.

So today I'm going to go turn on suphp again to tighten up security, and then go through my sites and change any 777 permissions to 755. Ugh, I don't look forward to that, but I do look forward to having more secure servers.

When I'm done if everything is working well, I'll make a few posts in the wiki, under the installation, to clarify that
A) everyone SHOULD be running suphp (and Apache suEXEC which is different but also needed for security) and
B) how to set the permissions for Vshare so that the configuration errors don't occurr.

**bplex** · 12-23-2008, 01:22 AM

That would be great Mersh. The only problem, however, is that suPHP (suEXEC for PHP) is not very well known. In fact, about 98% of all hosting companies have either never heard of it or do not install it. The only system that I know of that actually comes with suPHP out of the box is CPanel (cringe), but even then, you have to recompile CPanel to actually turn it on and use it.

One thing to note, however, is that with the permissions, if you are using suPHP, these are what you are going to want set:

1. PHP files: 0644 preferred or 0755 (note that PHP does not need execution permissions as PHP is never executed directly.
2. All files that require editing by vShare: 0666
3. Directories: 0755 preferred or 0777

Also, note that in the permissions I prefixed them with a "0." That digit is known as the "sticky" bit. By prefixing your permissions with a "0," you remove the ability for remote editing. If you wanted to allow remote editing (which does have some usefulness), you would set it to "1."

**mersh** · 12-23-2008, 01:53 AM

Not sure why you cringe at Cpanel - I LOVE Cpanel, found it after years of using Ensim, which is the most painful control panel in history. Cpanel makes everything easy, and since I started using (over a year ago) I've had zero downtime because of botched php, apache, mysql or control panel updates. Ensim updates always crashed my system, and Ensim made it very difficult to update Apache or Php or Mysql.

Of course, if I had YOUR knowhow, I likely wouldn't need a control panel of any kind :)

Didn't know that no one's heard of suphp, won't likely bother to touch the wiki then because it will just serve to confuse.

To turn it on in Cpanel takes less than 60 seconds, and you can do it without recompiling (at least on the latest version which was just released - Cpanel Accelerated) by going to the apache config and clicking on the "Configure SuEXEC and PHP" link. You can then choose to have php run by cgi, dso or suphp. Takes about 30 seconds to rewrite your php.ini and you're good to go.

**bplex** · 12-23-2008, 02:37 AM

I can't stand CPanel for a couple of reasons. One, it compiles everything (when it shouldn't on binary-package based systems). Two, it it integrates terribly into the system. Now, I will say that Ensim is terrible too and CPanel is much better than Ensim. But, there are better panels out there than CPanel.

As for CPanel and compiling, when you make that change, it does recompile CPanel. It doesn't take long, but it does.

**mersh** · 12-23-2008, 06:37 AM

I'm not sure what you mean by "integrates terribly into the system." You can use cpanel to within minutes, upgrade perl, apache, php... you can install perl modules, ruby modules, handle all your dns, all your email accounts, set up name servers, all your domains, set up and configure a software firewall, install a dozen or more popular php based applications (several dozen if you have fantastico deluxe plugin).... run security checks and get advice about security settings... all your routine server functions can be done in seconds with cpanel with virtually no technical knowledge and without ever having to log in to the shell.

In fact, installing ffmpeg, mencoder, etc. was the only thing in over a year that I could not do with cpanel. I think its an awesome control panel. And as you mentioned, it comes standard with the ability to run suphp which to me is a major security blanket.

But each to his own I suppose... I'd trade it for your technical prowess :)

**bplex** · 12-23-2008, 07:02 AM

You have to be a sysadmin to understand what I mean.

**mersh** · 12-23-2008, 07:55 PM

Thanks to Cpanel, I can be a sysadmin WITHOUT understanding what you mean :)

But I believe you....

Would love to see some examples of what you consider a better control panel... maybe I'm missing the boat without realizing it.

**bplex** · 12-23-2008, 07:58 PM

I particularly like DirectAdmin for its simplicity. I also like Plesk. Neither of those panels are "direct system" panels. Rather, they are add ons to what is already available on the system.