Apache User / Directory Rights 777

[MaximilianP]

Hello everyone,

i am pretty new to Plesk on Linux so i have a in my eyes quite complicated issue which i don't know how to solve:

I installed Plesk Panel on Debian which is running quite good so far.
The only Problem is ttah no matter what application i install on my webspaces
(Redaxo CMS, phpBB and so on) i alsways have to chmod all directorys an files to 777. Which is security wyse for sure not the best idea.

A friend of mine said: "The user running the apache service at least has to be in the same group as the ftp user so not every directory has to be put to 777"

But i have no idea what and how to to it. So any help would be appreciated!

Regards

Max

 

[lvalics]

You can install mod_suphp and then you do not have this issue.
Check the tutorial on my signature.

 

[Marco Cristofanilli]

You can change php handler from panel and use fastcgi

 

[MaximilianP]

How?

Thanks for this hintz. Can you give me a short info how this is done?
Does it have any disadvantages?

Regards

Max

 

[EduardH]

Hello Maximilian,

Both of previous replies suggest to run PHP as domain system user, so PHP would access files and directories created by FTP w/o problems, it would be possible to forget about insecure 777 permissions etc.

But if PHP scripts are run as domain user, scripts (in default Plesk settings) can modify any file in web directory. So if a PHP script is developed insecurely, in can modify web directories on the same domain. If safe_mode is on in PHP configuration, it's possible to restrict the directories where PHP scripts can create/modify the data, so this issue can be fixed even on cites containing bad PHP code.

I would recommend Apache modules mpm-itk or mod_ruid2 with standard PHP module. These two technologies can save memory and CPU resources comparing with suPHP or FastCGI.

You can see more details at http://forum.parallels.com/showthread.php?t=106297 .

Let me know if you have any questions.

 

[lvalics]

Regarding mpm-itk or mod_ruid2, do you have a test, benchmark made by someone where we can see it is faster?
To take a decision to move from one solution to an another require this kind of test.

 

[EduardH]

Hello lvalics,

It's nice to see your reply here.
I wish your company to develop more add-ons for Plesk!

Concerning mod_itk and mod_ruid2.
I liked suPHP in the past, but I was really disappointed when I watched performance degradation and increasing server load after replacing mod_php with suPHP on all domains on Plesk servers. My measures showed that simple PHP code containing "<? phpinfo() ?>" was taken by 6 times more time with suPHP than with mod_php. Probably simpler code like '<? echo 2+2,"\n" ?>' with minimal output would indicate even more difference.

I have found some results using Google:

http://blog.stuartherbert.com/php/2008/01/18/using-suphp-to-secure-a-shared-server/

• suphp: average of 164.677 seconds
• mod_php: average of 6.422 seconds

So it's enough to compare PHP module with mpm-itk and mod_ruid2 to have approximate estimation or the difference.

My current test on Plesk server:

* The following code was placed to /var/www/vhosts/example.com/httpdocs/id.php :
<?php $a = posix_getpwuid(posix_geteuid()); echo $a['name'], "\n"; ?>
This code just prints system user name or a process running PHP code.

* id.php was called by "curl" web client 1000 times in command line on Plesk server:
# time for i in `seq 1 1000`; do curl -s http://vanon.com/id.php >/dev/null; done

The result:

mpm-itk: 24s
mod_ruid2: 13s
mod_php: 13s

Best regards.

 

[lvalics]

Thank you for your reply. We will stay and develop new things for PLESK.

Regarding your article pointed out, I am in a little doubt it is real

* suphp: average of 164.677 seconds
* mod_php: average of 6.422 seconds

See the difference, is not logic to be such a high difference.
This mean that we have a server right now, running over 300 domains, a lot of Joomla, Wordpress etc and all with mod_suphp, so now the server should work almost 30 times slower? Hmm, not even noticed any difference in running.

I have reviewed the 2 mod mentioned and indeed, could be an alternative, is not ignorable anything what is on the market, especially that suphp wasn't updated since 2009.

mpm-itk - same, latest update 2009, no documentation
mod_ruid2 - 2010, great, but same lack of documentation

Even if we will review and try it on a test server, it is hard to tell if we will suggest now to replace suphp with ruid2 (which I prefer more then mpm-itk).
It is my opinion, before doing too many tests, just to read about them.

 

[EduardH]

> Regarding your article pointed out, I am in a little doubt it is real
Yes, it looks unreal. I just hoped to see your opinion. I believe that

T (mod_suphp) = 6 * T(mod_php)

where T(x) is execution time of small PHP script with Apache module x. For large PHP scripts operating with databases the difference can be lower.

Concerning a documentation from the authors of modules mpm-itk and mod_riod2:

mpm-itk: http://mpm-itk.sesse.net/
mod_ruid2: download from http://sourceforge.net/projects/mod-ruid/files/, extract and read README

These descriptions are seemed to be very well for developers and system administrators. Also install instructions will be accumulated in our "Run PHP as User" documentation.

Thanks.