
Re: PHP4 + ApacheVirtualHosts + SUEXEC



Thanks for the response. Thanks for the info regarding the
PHP-LIB developer's setup.

Nonetheless it leaves me very curious as to why the PHP
module is built this way.  I'm wondering if there are
functions in the PHP module that would leave security holes
in the suexec wrapper?  I don't suppose there is anybody out
there with the experience, inclination and time to explain
the rationale behind this?

I've never actually used them, so please pardon my ignorance,
but does using mod_perl with Mason to embed Perl code in
HTML cause a similar problem with suexec?

eirik


On Thu, 04 Jan 2001 18:59:33 +0100
 Sickboy <sd209@hszk.bme.hu> wrote:
> Eirik Dentz wrote:
> > 
> > I have a virtual host configured under Apache 1.3.14 with SUEXEC support
> > enabled.  My CGI/Perl scripts run as the USER/GROUP specified in the Virtual
> > Host directive in my httpd.conf file as they should, but for some reason my
> > PHP4 scripts don't.  Rather they are running as the default USER/GROUP
> > specified in httpd.conf
> 
> ..because you have built PHP as a module.
> 
> > PHP4 is running as a DSO module.  I haven't tried it yet, but I figure that
> > if I switch to using PHP4 as a CGI it will run as the Virtual USER/GROUP and
> > solve this problem.
> 
> Yes.
> 
> > Is running PHP4 as a CGI the only solution?
> 
> Unfortunately, yes.
> 
> > Also, what are the disadvantages of running PHP4 as a .cgi?
> 
> Some functions are only available when PHP is running as a module.
> (I suggest searching for 'module' in the PHP standalone
> documentation - bigmanual.html)
> 
> e.g. : The script can not return 401 unauthorized response - this was one serious
> drawback I found. (But this is one of the _not documented_ disadvantages ;)
> 
> > Any help would be greatly appreciated.
> 
> I have asked this question several months ago on various PHP lists.
> The only answer I got was from the guy who developed PHP-LIB.
> They run PHP as a CGI with SBOX (like SUEXEC, but also chroots) using cookie based
> authentication (instead of http auth) where authentication is required.
> 
> In my opinion, this is the only way to run PHP securely on a server where
> independent virtual webs are served by the same httpd. (Of course, you
> might consider having each VW run its own httpd with PHP as a module..)
> 
> 
> .SiCk of IT.


