March 23rd, 2006, 7:46 PM   #1
Kayla
An informing and fun read about phpsuexec

http://corz.org/devblog/2006-Q1/phpsuexec

I recommend everyone read this; it's very good! Big ups to Cor.
Quote:
The first thing I noticed is that because my session files now live inside my user space, as opposed to the system /tmp folder, they are exempt from the server's garbage collection process. Think about it.

This has been a continual nuisance for years, at every web host I've been with. Now, if I specify that a session should last twenty four hours, it does exactly that! As opposed to fifteen minutes or thereabouts, as before. This alone has made the switch to phpsuexec worthwhile.

It's tempting to think that this whole phpsuexec business is some Gestapo effort by your host to clamp down on "bad" users, it's not. It's simply a means to managing better, more robust web servers. If I have some script that is out of control and eating server resources, I WANT TO KNOW ABOUT IT! With php running as an Apache module, there is simply no way to do this.

More importantly, if some other website on my shared server has a script that is out of control, I WANT IT FIXED! There's no reason why a hundred web sites should have to suffer for one user's wonky code. In our case, it turns out that one of the hosts' server tools was eating up most of the extra resources, and this change has enabled them to locate and crucially, FIX the source of the trouble. There were a couple of users with dodgy scripts too, by the way.

There are other advantages, too. Mail now comes from my user account as opposed to "nobody@..", which is nice, and this fine-grained control over php directives that couldn't previously be manipulated has opened up a whole lot of possibilities.
March 24th, 2006, 9:46 AM   #2
Kickersny.com
That email part is complete rubbish. One line of headers will change where the email comes from. Hell, you could make it come from billgates@microsoft.com; it's not some big secret.
__________________
- Evan Charlton | [site] | Server - SH58
March 24th, 2006, 2:28 PM   #3
mr_fern
No, it's not, kickers. That's only what the recipient of the e-mail would see, and even they still get the original sender in the full headers.

Exim stats will tell you who the relayer is, which, in the case of mod_php, is always "nobody@{server_name}". With phpsuexec, the relayer will be "{account_name}@{server_name}".

Here's an example of finding out the real sender:

Here are the headers from a Surmunity e-mail. I removed most of what wasn't important to the point.
Quote:
X-Originating-IP: [72.29.64.58]
Return-Path: <nobody@mirror.dizinc.com>
Authentication-Results: mta102.mail.re2.yahoo.com
    from=surmunity.com; domainkeys=neutral (no sig)
Received: from 72.29.64.58 (EHLO mirror.dizinc.com) (72.29.64.58)
    by mta102.mail.re2.yahoo.com with SMTP; Fri, 24 Mar 2006 00:42:20 -0800
Received: from nobody by mirror.dizinc.com with local (Exim 4.52)
    id 1FMhsB-0005jF-0N
    for nferno69ny@yahoo.com; Fri, 24 Mar 2006 03:42:19 -0500
To: nferno69ny@yahoo.com
Subject: New Private Message at Surpass Forums
From: "Surpass Forums" <hello@surmunity.com>

Return path will now be the username instead of nobody. And mirror.dizinc.com would receive it from username instead of nobody.

Even though it says From hello@surmunity.com, it's still sent by nobody@mirror.dizinc.com.
__________________
Nobody doing nothing
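The distinction drawn in the post above, between the visible From header and the sender Exim records, as an added example that is not part of the thread. It parses the quoted headers (recipient replaced with a constructed example.com address) and reports the local submitting user; `SHARED_USERS` and the `alice` account are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers from the post above, trimmed. The recipient is replaced with a
# constructed example.com address; folded lines are indented so they parse.
RAW_HEADERS = """\
Return-Path: <nobody@mirror.dizinc.com>
Received: from 72.29.64.58 (EHLO mirror.dizinc.com) (72.29.64.58)
 by mta102.mail.re2.yahoo.com with SMTP; Fri, 24 Mar 2006 00:42:20 -0800
Received: from nobody by mirror.dizinc.com with local (Exim 4.52)
 id 1FMhsB-0005jF-0N
 for recipient@example.com; Fri, 24 Mar 2006 03:42:19 -0500
From: "Surpass Forums" <hello@surmunity.com>

"""

# Assumption: typical shared web-server accounts; adjust for the host.
SHARED_USERS = {"nobody", "apache", "www-data", "httpd"}
# Trace line for mail handed over by a local process: it names the Unix user.
LOCAL_SUBMIT = re.compile(r"from\s+(\S+)\s+by\s+(\S+)\s+with\s+local\b")

def trace_sender(raw):
    msg = message_from_string(raw)
    display_from = parseaddr(msg.get("From", ""))[1]
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    local_user = local_host = None
    # Each hop prepends its Received line, so the origin is the last one.
    for received in reversed(msg.get_all("Received", [])):
        match = LOCAL_SUBMIT.search(" ".join(received.split()))
        if match:
            local_user, local_host = match.groups()
            break
    return {
        "display_from": display_from,
        "envelope_sender": envelope,
        "local_user": local_user,
        "local_host": local_host,
        # A shared user cannot be tied to one hosting account.
        "attributable": local_user is not None and local_user not in SHARED_USERS,
        "from_matches_envelope": display_from.lower() == envelope.lower(),
    }

if __name__ == "__main__":
    print(trace_sender(RAW_HEADERS))                             # mod_php case
    print(trace_sender(RAW_HEADERS.replace("nobody", "alice")))  # constructed phpsuexec case
```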
March 24th, 2006, 4:43 PM   #4
Kayla
Quote:
Originally Posted by Kickersny.com
That email part is complete rubbish. One line of headers will change where the email comes from. Hell, you could make it come from billgates@microsoft.com; it's not some big secret.
Gosh Kicks, what's crawled up your knickers?
August 5th, 2006, 9:56 PM   #5
FredFredrickson
phpsuexec also allows php to run under YOUR username (that is, the username that you log in to FTP with). This means, if your php script happens to create any files, or upload any files, say pictures or text files, you don't have to make them world writable, which makes it more secure. I have a flat file website, which means if I want it dynamic, I need every bit of my site world writable. Every so often, someone on the server would have a big gaping security hole, and it would be taken advantage of. The result? All my world writable files get this nice little porn link in them. Grand!

IT'S THE END OF nobody/99 and the beginning of revolution!
__________________
The Coding Blog - Follow along as we discover and discuss everything it takes to code an entire website, start to finish! [Latest Entry: 4/4/08 - Starting a Website]
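An added example, not from the thread, of auditing a site for leftovers of the mod_php setup described in the post above: it lists entries that are world-writable or not owned by the account. The file names and the temporary tree in `demo()` are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_docroot(root, account_uid):
    """Return sorted (relative_path, issue) pairs for entries under root.

    Flags entries any local user can modify (world-writable bit set) and
    entries not owned by the hosting account.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks out of the tree
            if stat.S_ISLNK(st.st_mode):
                continue         # mode bits on a symlink are not meaningful
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if st.st_uid != account_uid:
                findings.append((rel, "owner uid %d" % st.st_uid))
    return sorted(findings)

def demo():
    # Constructed tree: one data file set up the mod_php way (0666, so the
    # shared web-server user can write it) and one owner-only file (0600),
    # which is all a script running as the account itself needs.
    with tempfile.TemporaryDirectory() as root:
        data_dir = os.path.join(root, "data")
        os.mkdir(data_dir)
        os.chmod(data_dir, 0o755)  # explicit mode, independent of the umask
        for name, mode in (("guestbook.txt", 0o666), ("counter.txt", 0o600)):
            path = os.path.join(data_dir, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        return audit_docroot(root, os.getuid())

if __name__ == "__main__":
    for rel, issue in demo():
        print(rel, issue)
```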