PHPSuExec Tips

From OCS Support Wiki

Introduction

To solve many security and usability issues with PHP, our newer servers have PHPSuExec. This lets PHP run as your username, instead of the user nobody or www-data. This provides the following benefits:

  • Scripts run as your username, so they are now completely isolated from other processes, increasing security
  • You can put your own php.ini file in your public_html folder and include nearly any custom PHP options you want
  • Directories no longer need to be 777 for PHP to write to them
  • Files written by PHP scripts are no longer owned by nobody or www-data

PHPSuExec is not enabled on all servers yet!

If you would like to be moved to a PHPSuExec server, please let us know.

Permissions

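For optimum security, PHP scripts must have 0640 permissions. You can set these permissions on all PHP scripts over your entire account with a few commands in SSH:

cd
# -exec ... {} + passes file names straight to chmod, so names containing spaces are handled correctly
find . -type f -name '*.php' -exec chmod 0640 {} +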

If you do not take this step, some PHP scripts may not work, and it may create security problems.

Folders that contain PHP scripts must be 0755, and not 0777. Any folder with 0777 will create a 500 error (Internal Server Error) and the script will not be run.

You can ensure all folders in your web root are set to 0755 by running the following command:

cd ~/public_html
# -exec ... {} + keeps folder names containing spaces intact
find . -type d -exec chmod 0755 {} +

File Ownership

All PHP scripts must be owned by your username. This normally isn't a problem, but if you were migrated from a server that didn't have PHPSuExec and you still have files owned by nobody in your account, please open a ticket and we'll resolve this for you.
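
The rules in the Permissions and File Ownership sections can be checked in one pass before anything is changed. The following is an added example, not part of the original wiki page or an OCS tool; the function name suexec_audit, its output tags and its arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the OCS wiki): report anything under a web root that
# breaks the PHPSuExec rules above. suexec_audit and its output tags are
# hypothetical names chosen for this example.
#
# Usage: suexec_audit [web_root] [owner_uid_or_name]
# Prints one "<RULE><TAB><path>" line per finding; returns 1 if any were found.
suexec_audit() {
    root=${1:-$HOME/public_html}
    owner=${2:-$(id -u)}
    findings=$(
        # Folders must be exactly 0755; the page says 0777 causes a 500 error.
        find "$root" -type d ! -perm 0755 -exec printf 'DIR_MODE\t%s\n' {} +
        # PHP scripts must be exactly 0640.
        find "$root" -type f -name '*.php' ! -perm 0640 \
            -exec printf 'PHP_MODE\t%s\n' {} +
        # PHP scripts must be owned by the account user, not nobody or www-data.
        find "$root" -type f -name '*.php' ! -user "$owner" \
            -exec printf 'PHP_OWNER\t%s\n' {} +
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run the audit only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    suexec_audit "$@"
fi
```

Run it before and after the chmod commands above; an empty result means the tree meets all three rules.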

Using a Custom php.ini

If you wish to use a custom php.ini file, you may put it in the public_html folder of your website. In it, you may specify custom directives. We recommend only advanced users do this, as you might change the behavior of PHP on your account in ways that adversely affect your website.

If you do use a custom php.ini, add this to your .htaccess file in your public_html folder to ensure no one can read that file:

<Files *.ini>
  Order deny,allow
  Deny from All
</Files>

Using a Custom php.ini Over Entire Site

If you have many folders that contain PHP scripts on your site and wish to apply the same settings to all of them, create your php.ini file in your home directory (i.e. /home/user, where user is your cPanel/FTP/SSH username) with the settings you want, then add:

SuPHP_ConfigPath /home/user

(replace user with your cPanel/FTP/SSH username)

Parsing HTML as PHP

If you wish, you can parse all .html files on your site as PHP scripts. To do so, add the following line to your .htaccess file in your public_html folder:

AddType application/x-httpd-php5 htm html

NOTE: We do not recommend doing this unless you absolutely have to, as it will slightly reduce the performance of your site. This is no longer necessary for SEO (Search Engine Optimization) purposes.

Enabling register_globals

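PHP's register_globals is an insecure setting: it turns request parameters into global variables, so a request can set variables the script never initialized. We have it turned off to dramatically increase security. If your script must have it on, you can add: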

register_globals = On

to your php.ini file inside your public_html folder. We STRONGLY recommend against this if you can avoid it at all, because it is insecure. Contact the author of your script for an updated copy that does not depend on register_globals.
