Mon hébergeur utilise PHPSuExec mais je ne comprend rien à ce truc. - PHP - Programmation
Marsh Posté le 14-01-2004 à 09:51:12
Et alors, tu l'as lu ce texte que tu viens de poster ? Au hazard, essaye de faire une recherche pour 500 dedans
Marsh Posté le 14-01-2004 à 21:02:12
Et toi, t'as lu le topic ?
Je ne comprend pas ce qu'ils veulent que je modifie, je n'ai pas de fichier .htaccess dans les répertoires concernés.
Marsh Posté le 14-01-2004 à 21:58:22
C'est simple, un utilisateut peut lire les scripts sans qu'ils soient interprétés par PHP, donc les mdp et login peuvent être accessible, d'où un trou de sécu.
Le patch requiert que chaque script soit executés sous ton nom d'utilisateur pour plus de sécu...
Marsh Posté le 29-12-2003 à 22:41:58
Bonjour,
depuis quelques semaines, sur mon hébergeur Américain (ace-host.net), certains scripts PHP ont cessé de fonctionner pour cause d'une erreur 500 (erreur interne au serveur). J'ai contacté le support qui m'a répondu texto le message ci-dessous.
J'ai cherché à comprendre ce qui n'allait pas mais je ne trouve pas, je ne sais pas ce qu'ils veulent que je change pour que mes scripts remarchent correctement. Le forum PHPBB du site a déconné quelques temps comme ça, puis c'est revenu tout seul, enfin c'est inexplicable.
>>PHP - Important Info About PHP
We have recently added a security feature to our PHP/Apache setup called PHPSUEXEC. This may change how you use PHP on our web servers.
First off, for security, we want to run PHP with suEXEC. Why? Because that way scripts are executed under the username of the domain owner. This makes it easier to track what users are doing and emails that are sent. It also limits what they the user can modify and whether they can view session data in the /tmp folder. These are all important security considerations for a web host who has several customers on each web server.
The first thing you need to realize is that for PHP to use suEXEC, it must be run as a CGI. This is probably the most secure way of running PHP. This is in contrast to running it as a module (i.e. mod_php).
The problem with running php as a CGI is that it would require all PHP scripts to start with an opening spec (just like most UNIX scripts) saying what the interpreter to use is. For example, you would have to change ALL your PHP scripts to have the following first line:
code:--------------------------------------------------------------------------------
#!/usr/bin/php
--------------------------------------------------------------------------------
Now, this is a problem because we would then need to change ALL php scripts to have this first line. Of course, this would be out of the question for a web host, hosting many sites on many servers.
That's where phpsuexec comes in. It is nothing more than a module loaded into Apache that essentially prepends that line to PHP scripts so that you don't need to go and edit all of them. THIS IS THE MAGIC!.
Because PHPSUEXEC causes PHP to run as a binary now, and being suEXEC'd, the same rules apply as they do when you suEXEC any other cgi script. That is, the script must abide by the following rules:
1. User executing the wrapper must be a valid user on this system.
2. The command that the request wishes to execute must not contain a /.
3. The command being executed must reside under the user's web document root..
4. The current working directory must be a directory.
5. The current working directory must not be writable by group or other.
6. The command being executed cannot be a symbolic link.
7. The command being executed cannot be writable by group or other.
8. The command being executed cannot be a setuid or setgid program.
9. The target UID and GID must be a valid user and group on this system.
10. The target UID and GID to execute as, must match the UID and GID of the directory.
11. The target execution UID and GID must not be the privledged ID 0.
12. Group access list is set to NOGROUP and the command is executed.
One issue that our customers will have to contend with is php_value settings. Many customers "tweak" php settings in their site by using the .htaccess file located in their web directory. "php_value settings" in .htaccess files are only interpreted by the module version of PHP. The binary (cgi) version actually chokes on these and you get a Server 500 error. Thus, if you have added php_value settings to your .htaccess file, comment them out or remove them. Instead, you can use a file in your site called "php.ini" to create your value settings. php.ini will actually give you more control and more flexibility.
To sum up, PHP on our servers now use PHPSUEXEC.
1. PHPSUEXEC makes php run as a binary rather than a module. This gives us more security and helps us to track offenders (you would be suprised at how some customers abused our AUP before we added PHPSUEXEC!).
2. You will have more flexibility with tweaking how PHP behaves on your site by using php.ini in your web directory.
3. If you use mime types to make PHP parse as .html or .htm, you will need to use APACHE HANDLERS to do this instead. Login to your control panel, click on SERVERS and then click on APACHE HANDLERS.
4. There are certain restrictions on scripts that users must abide by. If your script stops working, read the 12 rules about PHPSUEXEC above.