[tech] suPHP installed

David Adam zanchey at ucc.gu.uwa.edu.au
Mon Dec 31 01:15:34 WST 2007


(This is why PHP scripts were randomly broken for a few minutes tonight.)

suPHP, a suexec-style wrapper for PHP scripts, has been installed on 
Mussel. It is configured to only run against scripts in /home, and thus 
should only affect users' home directories.

For those playing at home, suPHP and suexec force CGI and PHP scripts run 
from the webserver to run as the user that owns them, rather than as the 
webserver process user. This is a security tradeoff - on one hand, it 
makes it easy to protect your own files against other people's scripts 
while still allowing your scripts to access and modify them. One place 
this is useful is when you need to have a database password in a 
configuration file that you would prefer others not to have.

It also improves system security, because it means that users cannot write 
scripts that go off and poke around in places that only the web server and 
its administrators should have access to.

On the other hand, suPHP makes it easy for problems with your scripts to 
damage your files (rather than those of the web server). PHP makes it very 
easy to shoot yourself in the foot, so be careful.

David Adam
UCC Wheel Member
zanchey at ucc.gu.uwa.edu.au
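
The following is an added example, not part of the original post: a small shell audit that lists files under a web directory that group or other can still read, then restricts a PHP configuration file to owner-only now that suPHP runs scripts as their owner. The directory layout, file names and the `list_exposed`, `count_exposed`, `lock_down` and `demo` function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes scripts run as their
# owner via suPHP, so a PHP config file no longer needs to be readable by
# the web server user or anyone else.

# list_exposed DIR: print regular files under DIR readable by group or other.
list_exposed() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -print | sort
}

# count_exposed DIR: number of such files.
count_exposed() {
    list_exposed "$1" | wc -l | tr -d ' '
}

# lock_down FILE...: restrict files to owner read/write only (mode 0600).
# Use this for PHP files holding secrets; static content served directly by
# the web server must stay readable by the web server user.
lock_down() {
    chmod 600 -- "$@"
}

# demo: build a constructed public_html tree in a temp directory, audit it,
# lock down the config file, audit again. Prints "<before> <after>".
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/public_html"
    # Constructed sample files; the password is a placeholder.
    printf '<?php $db_pass = "constructed-example"; ?>\n' > "$d/public_html/config.php"
    printf '<?php include "config.php"; ?>\n' > "$d/public_html/index.php"
    chmod 644 "$d/public_html/config.php" "$d/public_html/index.php"

    before=$(count_exposed "$d/public_html")
    lock_down "$d/public_html/config.php"
    after=$(count_exposed "$d/public_html")

    rm -rf "$d"
    echo "$before $after"
}

demo
```

Run `list_exposed ~/public_html` against a real home directory to see which files other users on the machine can read.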

