When it comes to php configuration, there are many options available. Users and administrators easily gets confused with this. Here is a small reference on some php configurations.
DSO – Provide this version of PHP via libphp4.so or libphp5.so (AKA mod_php). This is normally the fastest possible way to serve PHP requests, but PHP will execute as the user “nobody”. If both versions of PHP are available, it is impossible to configure both to be served as DSO unless the concurrent DSO patch was applied at build time.
SuPHP – Provide this version of PHP through mod_suphp. This is the most flexible way of serving PHP requests and tends to be very secure. PHP scripts are executed by the user who owns the VirtualHost serving the request.
FCGI – Provide this version of PHP through mod_fcgid. This is a very fast way of serving PHP requests, but php.conf will most likely require additional tuning to perform well. If Suexec is enabled, each user will create their own PHP FastCGI server automatically and PHP scripts will be executed by the user who owns the VirtualHost serving the request. If Suexec is disabled, the “nobody” user will own all of the PHP FastCGI server processes and PHP scripts will be executed by the “nobody” user. FCGI mode is recommended only for advanced administrators who understand how to tune the performance of mod_fcgid. Userdir requests will not function correctly with the basic mod_fcgid setup provided by cPanel.
CGI – Provide this version of PHP through mod_cgi or mod_cgid. If Suexec is enabled, PHP scripts will be executed by the user who owns the VirtualHost serving the request. If Suexec is disabled, the “nobody” user will execute all PHP scripts. Userdir requrests will not function correctly with the basic CGI setup provided by cPanel. It is intended as a fallback when the other preferred methods (DSO or SuPHP) are not available. Serving PHP as CGI is not particularly secure or fast regardless of whether Suexec is enabled.
Default PHP Version
This setting controls which version of PHP will be configured to handle the .php file extension. When both versions of PHP are enabled, .php4 will always be PHP4, .php5 will always be PHP5 and .php will be whichever is configured as the default. Overriding this setting in for individual VirtualHosts will be detailed below.
DSO Considerations
Apache directives like php_value and php_admin_value are features provided by libphp. This is the only setup where those are valid directives in .htaccess files or httpd.conf. When compiled with the concurrent DSO patch, php4_value, php5_value, etc should be used instead.
For PHP scripts to execute, permissions of 0644 are sufficient. The user “nobody” must have sufficient permissions to traverse to the PHP script and read it though. Any files created by PHP scripts will be created by the user “nobody”, so files and directories that will receive such output must be writable by that user.
SuPHP Considerations
EasyApache 3 compiles mod_suphp in paranoid mode with several patches to improve Apache userdir support. If you encounter problems with mod_suphp, please be aware that mod_suphp as shipped by cPanel behaves in very different ways than the pristine upstream version.
Apache directives like php_value are not valid for mod_suphp. It is possible to place a php.ini file in the directory containing the PHP script and specify these types of values in it.
NOTE: PHP does not merge the php.ini files together, so when a custom php.ini is used it must contain all of the required directives from the main php.ini file (for example, if Zend Optimizer is required, the new php.ini must load the extension.)
For PHP scripts to execute, permissions of 0400 are sufficient. Scripts are run as the user who owns the VirtualHost, and as long as this user has permissions sufficient to write to a file/directory, PHP scripts will also have the ability to do so. Mod_SuPHP performs various security checks before executing PHP scripts. Most can be disabled in Mod_SuPHP configuration file located at /opt/suphp/etc/suphp.conf
docroot – PHP scripts must reside under this directory. Default is /, change to /home/ to improve security.
allow_file_group_writable – prevents execution of PHP scripts with the group write bit set. Default is false. Changing to true will allow these scripts to execute but reduce security.
allow_file_others_writable – Same as above, others write bit.
allow_directory_group_writable – If you previously run PHP as DSO, you may have PHP scripts residing in a directory that is writable by group members. This security check prevents those scripts from executing. Default is false. Changing to true will allow these scripts to execute but reduce security.
allow_directory_others_writable – Same as above, others write bit.
check_vhost_docroot – This directive causes suphp to check that the target script resides in the document root of the VirtualHost serving a request. For a userdir request, SuPHP considers the domain part of the URL to be the VirtualHost serving the request. Setting this to true will cause userdir requests, and some types of PHP aliases to fail, though security will be significantly improved. Default it false.
userdir_overrides_usergroup – this is a configuration option allowed by cPanel specific patches. Setting this to true allows SuPHP to determine which user should execute a script from the userdir portion of the URL. Setting it to false will provide the normal mod_suphp behavior of executing scripts as the user specified by the domain portion of a URL.
paranoid_uid_check – Mod_SuPHP can be compiled with different security modes. EasyApache 3 uses the “paranoid” mode, though some scenarios are better served by the “force” mode. The paranoid UID check performed by mod_suphp verifies that the user ID that owns a script is the same one that is executing it. Setting this to false disables the UID check as in force mode.
paranoid_gid_check – Same as above, but with the group ID that owns the script. On some BSD systems it may be necessary to disable this check because files inherit the GID that owns the directory. Disabling this check should not significantly reduce security so long as the allow_file_group_writable and allow_directory_group_writable checks are left at their default values.
umask – The mod_suphp developers set this to a default of 0777 meaning that all permissions on files must be explicitly specified. This is a very secure setting, but causes many problems. The cPanel default is 0022. Use 0033, 0077, or 0777 for improved security.
min_uid – The lowest user ID that can own scripts being executed. Default value is 1. Set this value to 100 or 500 to greatly improve security. If you provide shared PHP scripts owned by root for your users, this value will need to be lowered to 0.
min_gid – The lowest group ID that can own scripts being executed. Default value is 1. Set this value to 100 or 500 to greatly improve security. If you provide shared PHP scripts owned by root for your users, this value will need to be lowered to 0.
full_php_process_display – When set to “true” mod_suphp will execute PHP scripts in a way that displays both the PHP interpreter and the SCRIPT_FILENAME in ps output. Setting this to “false” will improve security by hiding the SCRIPT_FILENAME.
The suphp.conf file includes a section called [phprc_paths] that can be used to override the standard handling of php.ini. To lock a particular PHP handler to its default php.ini file, simply uncomment the appropriate line under [phprc_paths]. There is also a configuration directive supported by mod_suphp in httpd.conf and .htaccess files called suPHP_ConfigPath that sets the path to the php.ini file. To prevent the use of this directive in .htaccess files, remove “Options” from the Apache AllowOverride setting. Note that the [phprc_paths] set in suphp.conf take precedence over any suPHP_ConfigPath settings.
FCGI Considerations
This is not a recommended configuration for PHP. It requires fine tuning of mod_fcgid to ensure that the server does not become overloaded with idle PHP processes.
Permissions of 0400 are sufficient to execute PHP scripts when running under Suexec. Permissions of 0444 are sufficient to execute PHP scripts when running with Suexec disabled.
With the standard cPanel FCGI configurations, the PHP binary is available as a URL in the VirtualHost. This should not be considered a very secure setup.
Userdir requests do not function with the FCGI setup provided by cPanel.
Apache directives like php_value are not valid for mod_fcgid. A custom php.ini file should be used instead as detailed in the SuPHP section above.
CGI Considerations
Like FCGI, this is not a recommended configuration for PHP. The PHP binary is available as a URL in the VirtualHost, and the setup is not very secure.
Permissions of 0400 are sufficient to execute PHP scripts when running under Suexec. Permissions of 0444 are sufficient to execute PHP scripts when running with Suexec disabled.
Several PHP options may prevent the CGI setup from functioning correctly, particularly DiscardPath and ForceCGIRedirect. If you are having trouble with this configuration, please verify these options are disabled.
Userdir requests do not function with the CGI setup provided by cPanel.
Apache directives like php_value are not valid for mod_cgi. A custom php.ini file should be used instead as detailed in the SuPHP section above.
No comments:
Post a Comment