[tech] suPHP installed
David Adam
zanchey at ucc.gu.uwa.edu.au
Mon Dec 31 01:15:34 WST 2007
(This is why PHP scripts were randomly broken for a few minutes tonight.)
suPHP, a suexec-style wrapper for PHP scripts, has been installed on
Mussel. It is configured to only run against scripts in /home, and thus
should only affect users' home directories.
For those playing at home, suPHP and suexec force CGI and PHP scripts run
from the webserver to run as the user that owns them, rather than as the
webserver process user. This is a security tradeoff - on one hand, it
makes it easy to protect your own files against other people's scripts
while still allowing your scripts to access and modify them. One place
this is useful is when you need to have a database password in a
configuration file that you would prefer others not to have.
It also improves system security, because it means that users cannot write
scripts that go off and poke around in places that only the web server and
its administrators should have access too.
On the other hand, suPHP makes it easy for problems with your scripts to
damage your files (rather than those of the web server). PHP makes it very
easy to shoot yourself in the foot, so be careful.
David Adam
UCC Wheel Member
zanchey at ucc.gu.uwa.edu.au
More information about the tech
mailing list