mod_suphp virtualmin feature request

Hello,

Please add mod_suphp support for Virtualmin. I think it's very simple, as the suphp module is provided by most Linux dists, very similar configuration to suexec, easily configurable, ...

http://www.akamaras.com/linux/installing-suphp-on-virtualmin/

I prefer mod_suphp for its security:

  • It's the default execution mode preferred by cPanel, DirectAdmin, ...

  • It checks each script for permission, owner and some other stuff before running the script

  • Low memory consumption

  • Server managers are used to mod_suphp as it's the default execution type on most control panels. I myself just prefer mod_suphp as the first choice on a shared hosting server.

  • CGI can be completely disabled on virtual servers without missing the owner execution of PHP scripts, using mod_suphp. (Some servers just host PHP sites and don't need the CGI module at all.)

Thanks

Status: Active

Comments

Howdy -- thanks for your comments!

It seems that what Virtualmin uses, suexec, and the suphp module you mentioned, provide similar functionality.

However, suexec works for all code that might be executed, whereas suphp only works for PHP code.

Also, suphp hasn't had a new release in over 3 years, where suexec is actively maintained, and is distributed with Apache.

Suexec is also small, there isn't a large memory overhead for using it.

With all that in mind, I suspect we're not going to be offering support for suphp anytime soon... but are there any large benefits it provides over suexec that we're overlooking?

Submitted by Mostafa on Wed, 08/01/2012 - 15:22

The most recent version of suphp is from 3 years ago; it might be due to its stability. I've not seen any problems since I've been working with it.

I've seen sites that have been hacked on the server running mod fcgid, cgi. See this security hole:

If a user does a chmod 777 on a folder, then other users on the server are able to upload files into that folder. (Some stupid PHP scripts suggest to the non-professional user to use chmod 777 for some folders, such as tmp, ... For example, as I remember, old WHMCS versions insist on chmod 777 of configuration.php!!) Now a bad user on the server will upload a shell into that folder and run the shell, and the user's account simply gets hacked; all of the hacked user's websites are reported to zone-h.org by the hacker!

fcgi and cgi are vulnerable to this.

But now what about mod suphp?

It doesn't allow anything with a chmod greater than 755 to be executed, only executes the scripts owned by the user, ... many extra security matters which I don't even know about.

Also, this is an answer to disabling CGI on the server while still running PHP scripts as their owner! https://www.virtualmin.com/node/22946

It's unlikely we are going to support mod_suphp any time soon, as each PHP execution mode adds significant complexity and implementation overhead to Virtualmin.

Also, I think that the best solution for security issues like this is to fix broken apps that allow uploading of un-trusted files. Fixes on the PHP side just paper over the problem, and may not fix all possible exploits.
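The checks described in the comment above (refuse scripts with a mode looser than 755 or not owned by the account user), written as an audit an admin could run over a docroot whatever the PHP execution mode. This is an added example, not part of the thread and not suPHP's code; the function names, the parent-directory check and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

LOOSE_BITS = stat.S_IWGRP | stat.S_IWOTH  # set in any mode looser than 755


def refusal_reasons(script_path, expected_uid):
    """Reasons a suPHP-style pre-execution check would refuse this script."""
    st = os.lstat(script_path)  # lstat: a symlink is judged as a link, not its target
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    reasons = [] if st.st_uid == expected_uid else ["not owned by the account user"]
    if st.st_mode & LOOSE_BITS:
        reasons.append("script is group/world-writable (%03o)" % stat.S_IMODE(st.st_mode))
    parent = os.stat(os.path.dirname(os.path.abspath(script_path)))
    if parent.st_mode & LOOSE_BITS:
        reasons.append("directory is group/world-writable (%03o)" % stat.S_IMODE(parent.st_mode))
    return reasons


def audit_docroot(docroot, expected_uid):
    """Map each .php file under docroot to its refusal reasons; clean files are omitted."""
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in (f for f in files if f.endswith(".php")):
            path = os.path.join(dirpath, name)
            reasons = refusal_reasons(path, expected_uid)
            if reasons:
                findings[os.path.relpath(path, docroot)] = reasons
    return findings


def build_sample_docroot():
    """Constructed sample tree (assumption): clean index, 777 config, 777 tmp dir."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.mkdir(os.path.join(root, "tmp"))
    layout = {"index.php": 0o644, "configuration.php": 0o777, "tmp/uploaded.php": 0o644}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)  # chmod explicitly so the umask does not mask the bits
    os.chmod(root, 0o755)
    os.chmod(os.path.join(root, "tmp"), 0o777)
    return root


if __name__ == "__main__":
    for rel, why in sorted(audit_docroot(build_sample_docroot(), os.getuid()).items()):
        print(rel, "->", "; ".join(why))
```

On a real server, pass the domain owner's uid and the domain's public_html path instead of the constructed tree.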