[Typo3-dev] changes required for PHPSuexec to work in Typo3

Martin-Pierre Frenette typo3 at frenette.qc.ca
Tue Jun 15 13:36:36 CEST 2004


Michael Stucki wrote:
> Hi Martin-Pierre,
> 
> thanks for your mail. Since I couldn't find much useful information about
> phpsuexec, I'd like to ask you a few questions.
> 

Sure, no problem !

> First, one general thing: What is the home of phpsuexec? Where can I
> download it? Is it part of the PHP distribution?
> 

http://www.localhost.nl/patches/

But it very recently became unmaintained. Suexec will replace it in the 
long term.


> Furthermore, I wonder why one should use this tool which seems to bring
> nothing but limitations in place of safe_mode and open_basedir. What's
> wrong with these settings?
> 
> I don't get it, please enlighten me!
> 

What is wrong is that PHP, even with safe_mode and open_basedir, still 
runs under the apache username.

By using Phpsuexec, you run under the real username.

As such, the proper access rights are respected.

safe_mode is not really safe alone : it mostly removes a bunch of 
functions that are unsafe in SOME situations.

open_basedir simply prevents you from accessing files outside your root.

But, what if you need to access files outside your root ? What if you 
need to access the functions that are disabled by safe_mode ?

But more importantly, as a webhost, phpsuexec saved my neck several times.

When a PHP script is badly written and slows down a server, I know 
instantly who the user is, instead of trying to find him.

When PHP uses the mail function, the proper user is set, so bounces go 
to the proper place, but more importantly, when a user spams using PHP, 
I KNOW whom the spam comes from.


> 
> Yeah, and that's why I don't like it. What's the idea behind this "broken
> feature"?

I don't really know the real reason... sorry about that.

But it never caused me any problem : 99% of my clients don't know what a 
symlink is anyway !

> 
> 
>>As such, I simply modified the =='cgi' with =='xcgi' in all the
>>occurrences, and it works well.
> 
> 
> If this helps, we might think about changing the string comparisons to
> something like "stristr('cgi', $string);".
> 


No, you don't understand, I do not compare to xcgi : phpsuexec reports 
CGI but doesn't act like cgi !

With phpsuexec, the comparison must return false !

> 
>>But unfortunately, that also means that cgi installations no longer work.
> 
> 
> See above, shouldn't be a problem then.

Read my reply !

>>In my case, I search for all instances of 'cgi' and I replace them with
>>'xcgi' but another method is needed for the sources to work both on
>>PHPSuexec and cgi systems.
> 

> 
>>$TYPO3_CONF_VARS["BE"]["fileCreateMask"]=0744;
>>$TYPO3_CONF_VARS["BE"]["folderCreateMask"]=0755;
> 
> 
> 744 never makes sense, does it?
> 

Like I said, you CAN use 700 !
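
Added example, not part of the original message and not TYPO3 or phpsuexec code: since the thread notes that phpsuexec reports a CGI SAPI while running PHP under the real username, this sketch checks the effective user against the script owner and then looks at the two create masks quoted above. The function names describe_identity() and audit_mask() are hypothetical, and the POSIX extension is assumed to be available for the identity check.

```php
<?php
// Added example, not TYPO3 or phpsuexec code; function names are hypothetical.

// Report which identity this request runs under. The SAPI name alone
// cannot tell phpsuexec from plain CGI, so compare the effective UID
// with the owner of the script instead.
function describe_identity(string $script): array
{
    $havePosix = function_exists('posix_geteuid'); // POSIX extension may be absent
    $euid  = $havePosix ? posix_geteuid() : null;
    $owner = @fileowner($script);
    return [
        'sapi'          => php_sapi_name(),
        'euid'          => $euid,
        'script_owner'  => $owner === false ? null : $owner,
        'runs_as_owner' => $havePosix && $owner !== false && $euid === $owner,
    ];
}

// List the bits of a create mask that are worth a second look.
function audit_mask(int $mask, bool $isFolder, bool $runsAsOwner): array
{
    $notes = [];
    if ($mask & 0002) {
        $notes[] = 'world-writable';
    }
    if ($runsAsOwner && ($mask & 0020)) {
        $notes[] = 'group-writable, not needed when PHP writes as the owner';
    }
    if (!$isFolder && ($mask & 0111)) {
        $notes[] = 'execute bit on regular files';
    }
    return $notes;
}

$id = describe_identity(__FILE__);
printf("sapi=%s euid=%s owner=%s runs_as_owner=%s\n",
    $id['sapi'], var_export($id['euid'], true),
    var_export($id['script_owner'], true), var_export($id['runs_as_owner'], true));

// The two masks quoted in this thread.
$masks = ['fileCreateMask' => [0744, false], 'folderCreateMask' => [0755, true]];
foreach ($masks as $name => [$mask, $isFolder]) {
    $notes = audit_mask($mask, $isFolder, $id['runs_as_owner']);
    printf("%s=%04o: %s\n", $name, $mask, $notes ? implode('; ', $notes) : 'ok');
}
```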




