PHPSUEXEC – Urgent Update

Posted by BetterWebSpace

Dear Customers,

We’d like to announce that we have installed PHPSUEXEC on a few of our existing servers.

This change was made URGENTLY yesterday on one server, due to the exploits of several users dragging the server down, a few changes are needed to ensure your website runs smoothly. Until that time you MAY experience errors viewing your site. We apologise for the inconvenience this may be causing, but it became a close call last night between doing this and switching the server off completely!

A few changes might be needed on your website’s configuration files (.htaccess) (do not panic!).

All the php_flags in your .htaccess will have to be moved to php.ini, which you will have to create in your public_html directory.

Example:
.htaccess ? php_flag register_globals on
php.ini ? register_globals=on

The file php.ini will handle all the extra settings you need to set in php.
So, basically you will have to move every command on .htaccess that starts with php_flag.

Differences between phpsuexec and “regular php”:
When using the common PHP installation on a webserver, php runs as the user nobody and it doesn’t require the execute flag to be enabled.

The problem on this is that if mod_openbasedir is not installed (we have this at BetterWebSpace), every user will be able to read your php files because everyone is virtually sharing the same username (nobody).

As most of you already know, PHP Files are not meant to be read, but parsed, and that is where the problem resides. PHP Files have to be parsed, otherwise everyone who is able to read your php file will see settings that you would probably want to keep private, such as your MySQL username and password.

PHPSUEXEC fixes all this because it requires php to be run as the file owner’s username. (for example: andre)

This is not everything it fixes though. PHPSUEXEC is also here to fix file ownership problems. This has been a common issue on a few Content Management Systems such as Joomla and also on the popular blog software: WordPress.

It also adds security to your files as you can use permissions such as 600 or 700 in your files and your visitors will still be able to view them (parsed) in their browsers.

PHPSUEXEC will also refuse to serve any pages that are at security risk, for example with 777 as permissions. (will generate an Internal Server Error)

Troubleshooting Internal Server Errors (Error 500):
Everytime an internal server error occurs, it will be added to your Error Log in cPanel. (cPanel ?? Error Log). This will usually give you a clue on where the error resides. In most cases it will be either a permission error on a bad command in your .htaccess file (remember that all php values have to go to your php.ini file).

Directories that need to be written onto will no longer require 777 as permissions and phpsuexec will refuse to write or read on directories exposed with such permissions. You will have to chmod them to 755 always.

To simplify it, just remember that you should never have a file or folder with world-writeable permissions, because you no longer have to.

MIMETypes:
If you added a Mimetype to the system in order to run html files as php scripts (AddType as .htaccess command), you will have to remove it and add an ApacheHandler instead. This is easy to do though. Just log into your control panel, then click on Apache Handlers and add the following:

Extension: html (or htm)
Handler: application/x-httpd-php

QuickStart for impatient users:
Technically, PHPSUEXEC will make sure your scripts and directories abide by the following security rules:

  • User executing the wrapper must be a valid user on the server.
  • The command that the request wishes to execute must not contain a /.
  • The command being executed must reside under the user’s web document root (public_html).
  • The current working directory must be a directory.
  • The current working directory must not be writeable by group or other.
  • The command being executed cannot be a symbolic link.
  • The command being executed cannot be writeable by group or other.
  • The command being executed cannot be a setuid or setgid program.
  • The target UID and GID must be a valid user and group on the system.
  • The target UID and GID to execute as, must match the UID and GID of the directory.
  • The target execution UID and GID must not be the privileged ID 0.
  • Group access list is set to NOGROUP and the command is executed.

Protecting your php.ini file:

To protect your php.ini you should set its permissions to 600. Additionally you can add the following line to your .htaccess file:

Code:
<Files *.ini>
  Order deny,allow
  Deny from All
</Files>

WordPress Bloggers:
If you encounter any problems with your .htaccess file (mod_rewrite instructions), you can fix this by downloading the following:
http://boren.nu/archives/2005/03/07/…ewrite-plugin/

We have updated WordPress in Fantastico so it is configured for phpsuexec from the start. So if you are desperate you can always reinstall WordPress from Fantastico. (Just remember to download a database backup first!). After it’s installed, just change your MySQL configuration settings in WordPress.

Drupal and other Content Management Systems:
You might experience a few errors, such as “Call to undefined function: user_access()”. Add the following code to php.ini to fix it:

Code:
session.save_handler = files
session.cache_limiter = nocache

That’s it. I know it may look complicated, but it should be technically easy.

Thanks!

BetterWebSpace
Where hosting just got better…

Filed under: Uncategorized

Leave a Reply

Your email address will not be published. Required fields are marked *