What is suPHP?
According to the developer, suPHP is “is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of the process executing the PHP interpreter.”
In simpler terms, suPHP is a security tool that creates a safe environment for multiple users to run PHP files in a shared server environment.
suPHP was started as a personal project but was quickly released by the developer as an open-source utility to provide added security for PHP parsing on shared servers. It was adopted by many leading hosting providers. In May of 2013, just days after releasing the most recent version of suPHP, the developer announced that formal support and development for suPHP was ending, and while many hosting providers still use suPHP many others have moved on to other security solutions with current and ongoing support for PHP processing.
What does suPHP do?
suPHP changes the way PHP files are parsed and executed by server running Apache HTTP Server. PHP:Hypertext Preprocessor language is a server-side scripting language used to generate HTML documents using information pulled from a database. Website visitors never directly interact with PHP files. Instead, when a PHP file is requested by a browser (for example: index.php for the homepage of a typical Wordpress installation) the following scenario plays out:
- First, the browser sends the request to the server.
- If the requested file was an HTML file instead of a PHP file the server would just shoot it straight back to the browser. However, the server knows the requested file is a .php file and sends it to the PHP processor.
- The server’s PHP processor parses the script, pulls content out of the appropriate database, and generates HTML.
- The HTML is what the server sends back to the browser and what the browser displays to the website visitor.
So how does suPHP affect this process? suPHP affects this process in two ways:
- By default, Apache web server will process PHP files using the default server user. So all PHP files on a shared server end up run by the same anonymous server user. suPHP doesn’t allow this, but instead runs PHP and executes the file as the owner of the file.
- suPHP won’t process a file with permissions set to loosely. This forces the file owner to keep file permissions set to a minimum standard.
Both of these requirements imposed by an suPHP enabled server are critical when the web server is a shared server. Without suPHP or some other utility requiring the server to run PHP scripts as the owner all PHP scripts will be run as the default user: “nobody”, i.e. anonymously. This is a spammers paradise since they can run spam scripts anonymously on a shared server that allows PHP to run as “nobody”.
Without suPHP or some other utility in place requiring minimum permissions levels account holders might unknowingly set their permissions so loosely that anyone with access to the files can edit them. In a shared server environment the risk of someone gaining unauthorized access to files is greater.
In short, suPHP requires Apache web server to run PHP as the owner of the file that’s being parsed, and requires that file permissions be kept to a certain minimum level.
What does suPHP cost?
suPHP is a free utility that is installed and configured on a web server. If you’re looking for hosting you won’t need to worry about paying for or installing suPHP. That will be the responsibility of your hosting provider. However, it is a good idea to be informed about security issues.
What are some alternatives to suPHP?
Since ongoing support and development of suPHP has stalled many hosting providers have moved on to other solutions. Other popular solutions that use a similar approach to running PHP include:
- mod_ruid2: An open-source Apache module strictly for Linux servers.
- mpm-itk: A free patch (not a module) for the Apache web server.
- PHP-FPM: A PHP process manager that has been added to the PHP core, and is therefore now a standard option within PHP.
- PHPsuExec: An Apache module that provides the facility to run scripts as the owner, much the same as suPHP
All of these solutions take a slightly different approach to the problem of securing how Apache web servers handling PHP processing, and perform slightly differently. Each may be a better choice in a unique situation, but they all will provide comparable security for most websites. Debating the nuanced differences between these solutions is something best left to server configuration professionals.
Question & Answers
What minimum file permissions does suPHP impose?
The broadest permissions possible are denoted as 0777. A file with that level of permissions can be read, written (edited), or executed (run) by anyone. suPHP won’t allow a file with that level of permissions to run and will instead display an error message if one is sent to the server for parsing. In order to operate properly permissions for directories (folders) need to be set to 0755 or 0750, and permissions for files need to be set to 0644 or 0640.
Why are suPHP and similar Apache modules and patches uniquely intended for use with shared servers?
suPHP and other similar solutions are intended to effectively “sandbox” the way that the server runs PHP so that the activity of each owner on the server is handled separately. On a dedicated server this isn’t necessary. suPHP and similar options will slow down PHP processing, so if you’re in a dedicated server environment it’s best to bypass what would be an unnecessary layer of protection in that case.
What is Apache HTTP Server?
Apache HTTP Server (more commonly called simply Apache) is the world’s most popular web server software. Apache is the software on the server that handles all HTTP activity. PHP is an available module for Apache that enables a web server to interpret PHP files. So, among many other things, Apache is the software on the server that does the work of parsing PHP files and compiling the resulting HTML.