Re: [users@httpd] best practice: suexec with PHP5 in a many-user/non-technical-user environment

Wed, 26 Oct 2011 17:00:36 -0700

Because PHP is embedded within HTML, PHP web scripts cannot use a shebang, so it is a necessity that the php-cgi binary (/usr/bin/php-cgi in our environment) be executed with the script as an argument, rather than the script being executed directly (or at least this is my understanding, and I have not found any information on the internet to the contrary). This creates a problem with the requirement that all files executed by suexec be in the userdir, because obviously the php-cgi binary is not. This situation is unique to PHP, I think, because of the embedding in to HTML. That said, PHP is incredibly common and I can't believe that a good solution hasn't been created for this. At this point I'm thinking the best solution is suphp and suexec alongside each other, because suexec seems to have been poorly designed for handling scripts that must be explicitly run with an interpreter (which, in its defence, is only PHP that I'm aware of). 

Please let me know if I'm wrong on any of these points.

On 10/26/2011 12:22 AM, Steve Swift wrote:
I don't understand how suexec is "calling" php-cgi, and how such php scripts work.
I use SUEXEC on a couple of very different systems. My scripts (as is required) run from a directory below my DocumentRoot. In turn, they use the shebang method to invoke the programming language: 
#!/usr/bin/rexx --
As far as I'm aware, this executable can be anywhere; the restriction is on where the SCRIPT is housed, not where it's processing executable lives.
Once my script starts executing under suexec, it can run more or less any executable/binary that my own userid has access to; at least, I've never run into any problems.
On 25 October 2011 22:07, Jesse B. Crawford <jean...@nmt.edu <mailto:jean...@nmt.edu>> wrote: 

    >From the
    documentation I have read (and it is quite possible I'm missing
    something), suexec can only call binaries within the userdir, not
    somewhere on the rest of the system. This makes PHP difficult since
    php-cgi must be called.

--
Steve Swift
http://www.swiftys.org.uk



--
Jesse B. Crawford (jeanluc)
Systems Programmer
Tech Computer Center
New Mexico Inst. of Mining&  Tech.

jean...@nmt.edu // http://nmt.edu/~jeanluc

Reply via email to