Yes, it's somewhat important, even for one user.

I personally (and professionally) don't like the idea of scripts being
run as the webserver (nobody/nobody, httpd/httpd, www/www, etc.). A
user's PHP script is going to have credentials to anything owned by or
part of group www/www, for example. On many systems, that includes
configuration files, log files, miscellaneous directories possibly used
for other users' content, and possibly some security-related files.
That not only means the account has the ability to read the files, but
also the ability to write them (regardless of permissions; using chmod
is not hard).

A couple of examples:

* phpmyadmin has a file called config.php which can contain passwords
  and other such information. It's only readable by the webserver.
  Without suphp, if a user can find the location of that file (fairly
  easy to do), they'll be able to read that file, and access otherwise
  sensitive information, such as access credentials to a MySQL server.

* A user runs some idiotic script he found on a website somewhere, which
  has a specially-crafted hole in it executing rm -fr /. He runs the
  script, which runs as www/www. Oh look, a bunch of your
  webserver-owned files just disappeared from your filesystem. Hope
  you've got backups. Think of other commands than just rm. Think
  of the effects of a recursive chmod (perms 4777), or maybe
  find / -type f -exec cp /dev/null {} \;.

The point here is this: if you trust tom/tomgroup to the point where you
know he won't be malicious or run scripts he finds online blindly, then
no, suphp doesn't offer any "major" advantages.

It's your server, thus it's your decision either way.

--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |
On Thu, Jun 14, 2007 at 02:10:52AM +0200, Simón wrote:
> Hi there,
>
> I don't understand in detail what's the benefit of suphp. I will put the
> conf of my servers as an example.
>
> 6 virtual hosts under one unique user (tom, tomgroup)
>
> I think that the benefit of suphp is that the php scripts will be run
> as the user "tom" instead of the apache user, but is this really important
> on a setup like that with only one user?
>
> I hope someone could open my eyes ;). Kind regards, Simon.
>
>
>
> _______________________________________________
> suPHP mailing list
> [email protected]
> http://lists.marsching.biz/mailman/listinfo/suphp
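
An added example, not part of the original message or of suPHP: a Python audit that lists which regular files under a directory a script running as the web server account could read or write, counting anything that account owns as writable because the owner can always chmod it. The function names exposure and audit and the account passed in are assumptions for illustration; ACLs and directory search permission are ignored.

```python
import os
import stat

def exposure(st, web_uid, web_gids):
    """Return (can_read, can_write) for the web server account on one inode."""
    if st.st_uid == web_uid:
        # The owner can chmod its own files, so restrictive mode bits
        # (e.g. 0400 on a config file) do not protect them from that account.
        return True, True
    if st.st_gid in web_gids:
        return bool(st.st_mode & stat.S_IRGRP), bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IROTH), bool(st.st_mode & stat.S_IWOTH)

def audit(root, web_uid, web_gids):
    """Walk root; return sorted (path, 'r' | 'w' | 'rw') for exposed regular files.

    Simplification (assumption): ACLs and the search permission of parent
    directories are not evaluated, so this is an upper bound on exposure.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # file vanished or is unreadable to the auditor
            if not stat.S_ISREG(st.st_mode):
                continue
            can_read, can_write = exposure(st, web_uid, web_gids)
            if can_read or can_write:
                access = ("r" if can_read else "") + ("w" if can_write else "")
                findings.append((path, access))
    return sorted(findings)

if __name__ == "__main__":
    import pwd
    import sys
    # Usage: audit.py [directory] [account]; both default to the caller's own.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    user = sys.argv[2] if len(sys.argv) > 2 else pwd.getpwuid(os.getuid()).pw_name
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    for path, access in audit(root, pw.pw_uid, gids):
        print(access, path)
```

Run it once with the web server account and once with the per-user account suPHP would switch to; the difference between the two listings is what the switch takes out of reach of a user's script.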