Re: best practice: suexec with PHP5 in a many-user/non-technical-user environment

Because PHP is embedded within HTML, PHP web scripts cannot use a shebang, so it is a necessity that the php-cgi binary (/usr/bin/php-cgi in our environment) be executed with the script as an argument, rather than the script being executed directly (or at least this is my understanding, and I have not found any information on the internet to the contrary). This creates a problem with the requirement that all files executed by suexec be in the userdir, because obviously the php-cgi binary is not. This situation is unique to PHP, I think, because of the embedding into HTML. That said, PHP is incredibly common and I can't believe that a good solution hasn't been created for this. At this point I'm thinking the best solution is suphp and suexec alongside each other, because suexec seems to have been poorly designed for handling scripts that must be explicitly run with an interpreter (which, in its defence, is only PHP that I'm aware of).

Please let me know if I'm wrong on any of these points.

On 10/26/2011 12:22 AM, Steve Swift wrote:
I don't understand how suexec is "calling" php-cgi, and how such php scripts work.

I use SUEXEC on a couple of very different systems. My scripts (as is required) run from a directory below my DocumentRoot. In turn, they use the shebang method to invoke the programming language: 
#!/usr/bin/rexx --
As far as I'm aware, this executable can be anywhere; the restriction is on where the SCRIPT is housed, not where its processing executable lives.

Once my script starts executing under suexec, it can run more or less any executable/binary that my own userid has access to; at least, I've never run into any problems.

On 25 October 2011 22:07, Jesse B. Crawford <jeanluc@xxxxxxx> wrote:
From the documentation I have read (and it is quite possible I'm missing something), suexec can only call binaries within the userdir, not somewhere on the rest of the system. This makes PHP difficult since php-cgi must be called.
 
--
Steve Swift
http://www.swiftys.org.uk


-- 
Jesse B. Crawford (jeanluc)
Systems Programmer
Tech Computer Center
New Mexico Inst. of Mining & Tech.

jeanluc@xxxxxxx // http://nmt.edu/~jeanluc
