Topic: PHP as a CGI application [SOLVED] (Read 15663 times)
empusa (Newbie, Posts: 8)
PHP as a CGI application [SOLVED]
« on: October 19, 2008, 02:35:47 »
I've suffered several hacking attempts on my websites recently. My websites are on a shared server. I was daft enough to leave some directories open (chmod 777). The web sites were OK for a couple of years, but then became the target of a phishing gang. I have now locked the sites down but Apache needs access to some directories in order to run Elxis and other applications properly.
My hosting company have offered to move my sites to one of their newer servers. On these servers PHP runs as a CGI application, therefore all files belong to the user not httpd and there is no need to chmod 777. This would solve the security problem that I have been suffering from.
Can anyone tell me if there are any security issues with running PHP as a CGI application? Is it a good idea or not?
Pete
« Last Edit: October 19, 2008, 15:33:11 by empusa »
Farhad Sakhaei (Elxis Community, Hero Member, Posts: 1190)
I know nothing, Should know more & more
Re: PHP as a CGI application
« Reply #1 on: October 19, 2008, 10:56:57 »
This is suPHP. It is good for more security, although you lose some features like some directions in .htaccess and ...
You can also put php.ini in your folders to overwrite the php configuration...
suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of the process executing the PHP interpreter.
PS: Another solution is using FTP and enabling it by Elxis
« Last Edit: October 19, 2008, 10:58:41 by Farhad Sakhaei »
DediData Web Hosting Services
Ivan Trebješanin (Elxis Team, Hero Member, Posts: 1663)
Re: PHP as a CGI application
« Reply #2 on: October 19, 2008, 12:58:47 »
You can also ask your hosting admin to install the suhosin extension for PHP, it is very good.
http://www.hardened-php.net/suhosin/
However, server setup is a very large topic, and we cannot cover everything here. There are a lot of specialized forums about servers and hosting out there.
I've got a snap in my finger...
Got rhythm in my walk...
datahell (Elxis Team, Hero Member, Posts: 10356)
Re: PHP as a CGI application
« Reply #3 on: October 19, 2008, 13:17:16 »
I personally do not recommend running PHP under cgi mode.
It is slower but more secure than when it runs as an Apache module.
See what Ivan proposed to you about the suhosin patch; it is a very good solution. They also have pre-compiled PHP binaries with suhosin built-in.
"This server is protected with the Suhosin Patch 0.9.6.2
Copyright (c) 2006 Hardened-PHP Project"
I have never enabled safe_mode or open_basedir and never got hacked. If you set up php carefully and you follow basic security rules on your php applications you have nothing to worry about.
« Last Edit: October 19, 2008, 13:25:14 by datahell »
Elxis Team | Is Open Source | IOS Rentals | IOS AERO
empusa (Newbie, Posts: 8)
Re: PHP as a CGI application [SOLVED]
« Reply #4 on: October 19, 2008, 15:32:42 »
Many thanks for the replies.
I will have another chat with my hosting company to see if they will install suhosin. If not, I will transfer the sites to one of their newer servers with suPHP.
The hacks that I suffered were not the fault of Elxis. I believe that a hacker had purchased a hosting account on the same server as me and used a PHP script to look for writable directories and in other accounts on the same server. The hosting company are denying this, but it's the only way it could have been done.
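Added example (not part of any post in this thread): a permission audit for one account's web root, covering the world-writable (chmod 777) directories described above and the ownership change that comes with PHP running as the account user under CGI/suPHP. The function names and the sample path are assumptions.

```shell
#!/bin/sh
# Added example: audit one account's web root before/after a move to
# PHP-as-CGI (suPHP). Function names and paths are illustrative only.

# Print every file or directory under $1 that carries the "others write"
# bit, i.e. anything any other account on the shared server can write to.
list_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print
}

# Number of world-writable entries (0 is the goal once PHP runs as owner).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Print entries NOT owned by the current user. Under mod_php, uploads and
# cache files are created by the web server user (e.g. httpd); after the
# move to suPHP the account user may be unable to modify them, so they
# need a chown by the hosting admin.
list_foreign_owned() {
    find "$1" ! -user "$(id -u)" -print
}

count_foreign_owned() {
    list_foreign_owned "$1" | wc -l | tr -d ' '
}

# Remove group/other write from world-writable entries only:
# 777 -> 755 for directories, 666 -> 644 for files. Execute bits are kept.
# Only safe once PHP runs as the file owner; under mod_php the web server
# user would lose write access to cache/upload directories.
tighten_docroot() {
    find "$1" \( -type d -o -type f \) -perm -0002 -exec chmod go-w {} +
}

# Typical use (path is a placeholder):
#   list_world_writable "$HOME/public_html"
#   list_foreign_owned  "$HOME/public_html"
#   tighten_docroot     "$HOME/public_html"
```

Run the two list functions first and review the output; `tighten_docroot` changes modes in place.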
Ivan Trebješanin (Elxis Team, Hero Member, Posts: 1663)
Re: PHP as a CGI application [SOLVED]
« Reply #5 on: October 19, 2008, 16:13:47 »
Back in the days I used shared hosting, I had exactly the same problem as you.
But, if you use suPHP, there are some other things that need to be set up too, because suPHP can generate a lot of problems if not set up properly. Again, server setup is far too large a topic for this forum. Also I agree with datahell, running PHP as CGI is NOT a good solution at all.
I've got a snap in my finger...
Got rhythm in my walk...
Farhad Sakhaei (Elxis Community, Hero Member, Posts: 1190)
I know nothing, Should know more & more
Re: PHP as a CGI application [SOLVED]
« Reply #6 on: October 19, 2008, 16:17:59 »
I don't know. Why does Cpanel recommend using suPHP and also enabling safe mode?
DediData Web Hosting Services
datahell (Elxis Team, Hero Member, Posts: 10356)
Re: PHP as a CGI application [SOLVED]
« Reply #7 on: October 19, 2008, 17:34:27 »
Safe mode is a very strict security measure and it is very easy to enable. You just set safe_mode=on and finish. That is why they recommend it.
Cpanel's target group is mostly customers not so well experienced with Linux and SSH environments, so just setting safe_mode on is a very easy solution to fight against hackers. But it is not the best... Safe_mode will be discontinued in PHP 6. Why? Do you think that the PHP developers got mad? I have not tested suPHP, but I like such solutions (as the suhosin patch). I prefer them to enabling safe_mode.
...and always remember that absolute security does not exist even if you enable all security patches and options. Sad, but true.
« Last Edit: October 19, 2008, 17:36:00 by datahell »
Elxis Team | Is Open Source | IOS Rentals | IOS AERO
ahmet (Sr. Member, Posts: 283)
360 HDR Virtual Tours | Windsurfing Sailing
Re: PHP as a CGI application [SOLVED]
« Reply #8 on: April 05, 2011, 01:12:20 »
Why don't we all agree and keep all Elxis sites under one server.. we pay additionally to the member of the team who is responsible for security..
we pay less....and have great security..
By the way, what I would like to see in Nautilus is a high slide plugin.. it can play images, videos, external htmls..
www.puretourism.co.uk
www.globalpanorama.net
www.bodrumwindsurf.com