What are the differences between mod_php and cgi and suphp


#1
  1. What are the reasons for the low security of mod_php?

  2. Is there any security problem on dedicated servers on which there exists only one user?

  3. How does mod_php cause security problems in shared servers?

  4. Is it right?

When cgi is used, the web server delivers the requested file to cgi and cgi delivers the file to the PHP interpreter.

  5. Why does cgi have better security than mod_php? Is this matter important on a dedicated server?

  6. Su_php runs scripts under the user; what benefit can su_php have compared with mod_php on a dedicated server with one user?

I have studied many articles and responses, but all of them have short answers and have not stated any details. :expressionless:

#2

I can’t go too deep into details, but would like to simply point out something :slight_smile:

Mod_php runs your scripts as the webserver. This means whatever the webserver can access, your .php script can access; if someone manages to exploit your website (for example, a file upload) and get their own .php script in your site, they can wreak havoc.

Meanwhile, SuPHP executes your scripts as the user defined in the virtual host. This restricts all filesystem access to them.

In a dedicated environment, mod_php is fine. It’s only in shared hosting that mod_php becomes a problem; users can programmatically access other users’ code, or even overwrite other websites on the system!

That being said, I prefer suphp on my dedicated servers, for the simple reason that it’s easy to set up, and it allows my scripts to write files to my website without having to chmod directories.

A common recommendation over mod_php is FastCGI which can accomplish the same thing as SuPHP and is generally a bit more efficient, but is a tad more involved in terms of configuration.

FastCGI also has the benefit of letting you run multiple PHP versions on the same server, and allowing you to choose a PHP version per-website (but this takes a decent amount of work to set up).

So, mod_php, suphp, and cgi all are not necessarily insecure, they simply execute php scripts differently.
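
The difference described in the answer above comes down to which uid a script runs as, and that can be checked from file mode bits. The following is an added example, not code from the thread: `access_for`, `audit`, `build_sample` and the alice/bob layout are constructed for illustration, and the check ignores ACLs and root.

```python
import os
import stat
import tempfile

def access_for(st, uid, gids):
    """(read, write, search) for a non-root uid/gids from mode bits; ACLs ignored."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    bits = (st.st_mode >> shift) & 0o7
    return bool(bits & 4), bool(bits & 2), bool(bits & 1)

def audit(root, uid, gids=frozenset()):
    """Entries under root that a PHP script running as uid/gids could read or
    write, as sorted (relative path, kind). Assumes root itself is searchable."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # not followed; the target is judged where it lives
            r, w, x = access_for(st, uid, gids)
            if stat.S_ISDIR(st.st_mode) and not x:
                dirnames.remove(name)  # no search bit: nothing below is reachable
                continue
            if r or w:
                kind = "write" if w else "read"
                findings.append((os.path.relpath(path, root), kind))
    return sorted(findings)

def build_sample(root):
    """Constructed two-site layout, all owned by whoever runs this script."""
    dirs = {"alice": 0o755, "alice/uploads": 0o777, "bob": 0o700}
    files = {"alice/config.php": 0o644, "alice/private.key": 0o600,
             "bob/config.php": 0o644}
    for d in dirs:
        os.mkdir(os.path.join(root, d))
    for f, mode in files.items():
        open(os.path.join(root, f), "w").close()
        os.chmod(os.path.join(root, f), mode)
    for d, mode in dirs.items():
        os.chmod(os.path.join(root, d), mode)  # chmod last: umask-independent

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        owner = os.stat(tmp).st_uid
        print("separate web server uid:", audit(tmp, owner + 1))
        print("files' owner uid:       ", audit(tmp, owner))
```

On a real host, pass the web server's uid and gids to see what a mod_php script could touch in every site, and a site owner's uid to see what a suPHP script for that site could touch.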