suPHP vs. mod_php – When is suPHP superior?

Wednesday, June 18th, 2008 11:31AM UTC

A longtime customer of ours asked about another shared hosting provider’s PHP setup. He needs to write files to the file system using PHP and was having issues creating files and folders through PHP. This provider uses mod_php, whereas our setup on HostASite.com is suPHP based. To get around the issue, their tech support recommended setting the folder’s permissions to 777 (writeable by ANYONE).

Using 777 permissions on a folder means ANYONE on that server can write to it. Hackers LOVE this type of setup. In addition, with mod_php you must have at least 644 perms on PHP files, which ALSO means your files can be read by anyone. This means your MySQL password, key to your merchant account, etc., can be read by any customer on that shared server! If you ask me, not a secure solution.
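To check an account for the two exposures described above, the following added example (not part of the original post or of HostASite's tooling) walks a web root and reports world-writable directories and files plus world-readable PHP files. The function name `audit_webroot` and the issue labels are assumptions made for illustration.

```python
import os
import stat
import sys


def audit_webroot(root):
    """Return sorted (path, octal_mode, issue) tuples for entries below root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks out of the web root
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)  # permission bits only, e.g. 0o777
            if stat.S_ISDIR(st.st_mode):
                if mode & stat.S_IWOTH:
                    # e.g. 777: any account on the shared server can write here
                    findings.append((path, oct(mode), "world-writable directory"))
            elif stat.S_ISREG(st.st_mode):
                if mode & stat.S_IWOTH:
                    findings.append((path, oct(mode), "world-writable file"))
                elif name.endswith(".php") and mode & stat.S_IROTH:
                    # e.g. 644: other accounts can read passwords kept in the file
                    findings.append((path, oct(mode), "world-readable PHP file"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_webroot.py /path/to/public_html
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, mode, issue in audit_webroot(target):
        print(f"{mode}  {issue}: {path}")
```

Under suPHP the reported PHP files can be tightened to 640 and still execute, because PHP runs as the file's owner.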

We use suPHP instead of the default apache/mod_php for shared hosting.

SuPHP
Pros:

  • PHP runs as your user/group
  • PHP files can have perms of 640 (hiding things like passwords from other accounts)
  • Files/folders written by PHP are written as user/group (no apache or other global user)
  • Custom php.ini file per site (can add/remove security options)
  • Can run php4 and php5 at the same time (on even the same site!)

Cons:

  • Slower
  • Many PHP .htaccess options do not work (since you can have your own php.ini file, this makes this point moot)

apache/mod_php
Pros:

  • Faster (about 25-30%)

Cons:

  • PHP safe mode isn’t safe
  • Files written by PHP are saved as the Apache process's user (usually apache/apache user/group)

For our small business web hosting customers it’s a no-brainer to use suPHP instead of mod_php, even if we take a performance hit. PHP is the #1 method hackers use to gain access to customer accounts. Once an account is hacked on a shared server, they can do much more damage with a mod_php setup. SuPHP accounts are much more sandboxed. We’ve had many hacked accounts via suPHP, and none of them have affected our other customers. In the future we are going to replace suPHP and use LiteSpeed’s web server instead. It offers the same performance as mod_php and yet the same security as suPHP.

For our Managed VPS web hosting, we give the customer the option to select which PHP setup they want.

Comments

  1. On June 18th, 2008 2:52+00:00 UTC Rob M says:

    I use suPHP in my dev environment with both php4 and php5 just so I can imitate what is used by hostasite/10for10. Having a custom php.ini is actually a really nice feature since you can do some things that you can’t do in .htaccess. But LiteSpeed seems like the best of both worlds.

