
Re: Apache/PHP/FTP and user rights



Hi Shri,

> What is the performance hit for this (if any) ? and how much of a PITA
> is it ? Also, do you have any links ? I've never used suexec, are there
> any limits on the number of users or such ?

I must admit I never did a performance comparison, but from a completely
objective point of view it seems plenty fast on my dual p3 1GHz server :)

I'm sure there's some performance hit in passing the data in between the
webserver and PHP using CGI but the interpreter itself shouldn't really be
much faster or slower as such, so it shouldn't be too bad.

If by user limit you mean the number of processes running at once, I've
certainly not hit any problems to date.

As someone pointed out, my individual copies of the PHP binary are
unnecessary if you simply hard link to it and make the link belong to the
user it should work (I believe)

Debian has a php4-cgi (I think it's called) package, but I can't recall in
particular what this sets up (if anything).

For each virtualhost directive in httpd.conf I have:

ScriptAlias /cgi-bin/ /www/<website url>/cgi-bin/
....
User  <username>
Group <groupname> (same as username typically in debian)
....
AddType application/x-httpd-php4-cgi .phtml .php4 .php .php3
Action application/x-httpd-php4-cgi /cgi-bin/.php

And that works quite well.

Naming their interpreter .php hides it from most ftp tools and suchlike and
will help prevent them deleting it, although you could always remove write
access as well as they shouldn't need to write to the interpreter :)

You'll need to recompile suexec if your cgi-bins are outside of /var/www in
order for it to work, and overwrite Apache's copy. You'll also find suexec
won't run files which are not chown'd to the right user and may also refuse
to run php that isn't chmod 700.

I don't know of any HOWTOs for this, I had to ask someone in the know
about it and learnt that way. I do intend to write my own set of HOWTOs
for things I've done which don't seem to be particularly well documented at
some stage but I've simply not had the time so far :/

If you need a hand at any stage, let me know and I'll do my best to answer
your questions.

Regards,
Phillip Baker
LC Host Administrator
phil@lchost.co.uk
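
Added example, not part of Phillip's message: a shell pre-flight check for the per-vhost interpreter described above. It goes beyond the two conditions the message names (ownership and mode 700) to the related file and directory permission checks in Apache's suexec security model; the function name, path and account names are placeholders, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the original message): pre-flight check for a
# per-vhost PHP CGI binary that Apache will start through suexec.
# Assumes GNU stat (stat -c). Path and account names are placeholders.

check_suexec_target() {
    target=$1; want_user=$2; want_group=$3
    bad=0

    # suexec inspects the file itself (lstat), so a symlink does not pass.
    if [ -L "$target" ] || [ ! -f "$target" ]; then
        echo "FAIL: $target is missing, a symlink, or not a regular file"
        return 1
    fi

    owner=$(stat -c '%U' "$target")
    group=$(stat -c '%G' "$target")
    mode=$(stat -c '%a' "$target")
    dirmode=$(stat -c '%a' "$(dirname "$target")")
    m=$((0$mode)); d=$((0$dirmode))     # leading 0 => parsed as octal

    [ "$owner" = "$want_user" ] ||
        { echo "FAIL: owner is $owner, vhost User is $want_user"; bad=1; }
    [ "$group" = "$want_group" ] ||
        { echo "FAIL: group is $group, vhost Group is $want_group"; bad=1; }
    [ $((m & 0100)) -ne 0 ] ||
        { echo "FAIL: mode $mode is not executable by the owner"; bad=1; }
    [ $((m & 022)) -eq 0 ] ||
        { echo "FAIL: mode $mode is writable by group or others"; bad=1; }
    [ $((m & 06000)) -eq 0 ] ||
        { echo "FAIL: mode $mode has setuid/setgid set"; bad=1; }
    [ $((d & 022)) -eq 0 ] ||
        { echo "FAIL: directory mode $dirmode is writable by group or others"; bad=1; }
    # The message reports that anything other than 700 may be refused.
    [ "$mode" = "700" ] || echo "NOTE: mode is $mode, the message uses 700"

    return "$bad"
}

# Stand-alone use: sh check.sh /www/<site>/cgi-bin/.php <username> <groupname>
if [ "$#" -eq 3 ]; then
    check_suexec_target "$@"
fi
```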


