[BlueOnyx:08716] Re: Question about suphp

Christoph Schneeberger cschnee at box.telemedia.ch
Mon Oct 3 16:05:45 -05 2011


Hi Richard,

Richard Morgan wrote:
> I have a question about suphp... very basic, but maybe I've missed
> something and need to fill in a gap in my knowledge.
>  
> What is the purpose of suphp?  What problems do people get that this
> fixes and when is it appropriate to enable this feature?  As I see it,
> it's super-user php; isn't that a bit risky?
>  

On the contrary, the purpose of suphp is to run scripts with the user
privileges of the respective site owner and not with the privileges of the
webserver, as with most php setups.
Imagine you have 2 sites, both have a config file that a php script
needs to write to. If both sites run their php with webserver
privileges, both sites could alter the other site's config files just by
knowing the path to the file in question. Suphp in turn makes sure
scripts run only as the site owner and also that only files owned by
this owner can be written to. This also makes sure that the site running
as webserver cannot alter the config file of the site running with
suphp, as those files do not belong to the webserver but to the site owner of
the other site.

This is just one example why suphp is a very nice security addition, but
you should get the idea and google certainly will do the rest ;)

So basically suphp enhances your overall webserver security tremendously
by mitigating some of the most-used attack vectors. On the other hand, it
can be pretty difficult to get larger php applications to run with suphp.

Cheers,
Christoph
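
The ownership argument in the reply above, modelled as an added example (not part of the original post and not suPHP's own code): it applies the standard POSIX write check to a constructed file inventory under a shared webserver uid and under per-owner uids. The uids, paths and modes are assumptions chosen for illustration.

```python
import stat
from collections import namedtuple

# Constructed sample data: uids, paths and modes are assumptions for illustration.
APACHE, ALICE, BOB = 48, 1001, 1002
Entry = namedtuple("Entry", "site path uid gid mode")
INVENTORY = [
    Entry("a", "/srv/a/config.php",     ALICE,  ALICE,  0o644),
    Entry("a", "/srv/a/cache/opts.php", ALICE,  ALICE,  0o666),  # loosened so a shared-uid PHP could write
    Entry("b", "/srv/b/config.php",     APACHE, APACHE, 0o644),  # created by a script running as the webserver
    Entry("b", "/srv/b/secrets.php",    BOB,    BOB,    0o600),
]

def can_write(uid, gids, e):
    """POSIX write check for a non-root process: owner class, else group, else other."""
    if uid == e.uid:
        return bool(e.mode & stat.S_IWUSR)
    if e.gid in gids:
        return bool(e.mode & stat.S_IWGRP)
    return bool(e.mode & stat.S_IWOTH)

def cross_site_writes(inventory, run_as):
    """Map each site to the files of OTHER sites its PHP process could modify.
    run_as: {site: (uid, set_of_gids)}, the identity that site's scripts execute with."""
    return {
        site: sorted(e.path for e in inventory
                     if e.site != site and can_write(uid, gids, e))
        for site, (uid, gids) in run_as.items()
    }

# Model 1: every site's PHP runs with the webserver's privileges.
SHARED = {"a": (APACHE, {APACHE}), "b": (APACHE, {APACHE})}
# Model 2: each site's PHP runs as its own site owner (the suphp arrangement).
PER_OWNER = {"a": (ALICE, {ALICE}), "b": (BOB, {BOB})}

if __name__ == "__main__":
    for name, model in (("shared webserver uid", SHARED), ("per-owner uid", PER_OWNER)):
        print(name)
        for site, paths in cross_site_writes(INVENTORY, model).items():
            print(f"  site {site} can modify: {paths or 'nothing'}")
```

In this sample the world-writable file stays modifiable from the other site under both models, so modes that were loosened for a shared-uid setup are worth tightening after the switch.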