Apr 22nd, 2010
Run PHP as user instead of as the web server user nobody.
suPHP is a tool for executing PHP scripts with the permissions of their owners.
It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of the process executing the PHP interpreter.
You can run PHP as the user (like CGI scripts do with Apache’s suEXEC), with EasyApache’s PHP As User option. This will enable suPHP, greatly improving the permissions situation.
Vulnerable scripts will be limited to the user in question, and are less likely to affect other users. It also changes how PHP interacts with Apache; for example, directives like php_value are not valid for mod_suphp.
mod_suphp is considerably slower than mod_php.
With mod_php, PHP runs as part of the web server so that, among other things, certain tasks can be done once and held in memory instead of repeated with each request. This helps to speed the server’s performance, and requires that PHP run as the web server’s user “nobody.”
Since that is the case, PHP file and directory permissions generally need to be very loose, so PHP can manipulate things. This can allow any user to employ a PHP script to read and write other users’ data. At times, a flaw in PHP can even allow a PHP script to gain root access or take over data in requests to other users’ PHP scripts.
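The two points above (mod_php directives that stop being valid under mod_suphp, and the loose permissions a shared “nobody” PHP needs) can be checked per account before switching. The script below is an added example, not part of the original post or of suPHP/cPanel; the function names and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an account before switching from mod_php to suPHP.
# Function names and the sample tree are constructed for illustration.

# .htaccess files that set php_value or php_flag. These are mod_php
# directives and are not valid once the site is served by mod_suphp.
find_php_directives() {
    find "$1" -type f -name .htaccess -exec \
        grep -lEi '^[[:space:]]*php_(value|flag)[[:space:]]' {} \;
}

# Files and directories writable by every local user: the loose modes a
# shared "nobody" PHP needs, and that PHP-as-owner no longer requires.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002
}

# One tagged line per finding.
audit_docroot() {
    find_php_directives "$1" | sed 's/^/PHP_DIRECTIVE /'
    find_world_writable "$1" | sed 's/^/WORLD_WRITABLE /'
}

# Build a constructed home directory so the example runs offline.
make_sample() {
    (
        umask 022
        d=$(mktemp -d) && r="$d/public_html"
        mkdir -p "$r/uploads" "$r/blog"
        printf 'php_value upload_max_filesize 16M\n' > "$r/.htaccess"
        printf 'RewriteEngine On\n' > "$r/blog/.htaccess"
        printf '<?php echo "hi"; ?>\n' > "$r/index.php"
        chmod 777 "$r/uploads"
        chmod 666 "$r/index.php"
        printf '%s\n' "$d"
    )
}

sample=$(make_sample)
audit_docroot "$sample"
rm -rf "$sample"
```

On a real server, pass a user's home directory to `audit_docroot`; each PHP_DIRECTIVE hit is a setting to move out of .htaccess, and each WORLD_WRITABLE hit is a mode that can be tightened once scripts run as their owner.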
References: http://www.suphp.org/ and http://cpanel.net/