Secure PHP Applications with SuExec - dummies

By Steve Suehring, Janet Valade

If your application runs on Apache (as more than half the websites on the Internet do), you may want to consider enabling SuExec in your Apache configuration. SuExec is a mechanism that is bundled with Apache that causes scripts to be run as the user that owns the script, rather than running them as the web server user.

In a non-SuExec environment, all scripts are run as the same user ID as the web server itself. Unfortunately, one vulnerable script can give a malicious user back-door access to the entire web server, including scripts running on other sites hosted on the same server.

SuExec attempts to mitigate this problem by restricting web applications to their own areas and running them under their owners’ user IDs, rather than under the web server’s user ID. For example, this script would run under the user ID of jsmith:


A malicious user could exploit this script, but he or she would have access only to files and programs that the jsmith user is allowed to use. Every other user on the server would be protected from jsmith’s insecure script.

Unfortunately, getting SuExec to work properly with virtual hosts, or multiple independent websites physically located on the same web server, can be tricky. SuExec is designed to run scripts that exist in the web server’s document root.

Most virtual hosts are set up in a way that gives each individual website its own document root, and each site’s document root isn’t located under the web server’s document root. To get around this restriction, the system administrator must add each virtual host’s document root to the web server’s document root variable in the Apache configuration file.

SuExec also requires that PHP scripts be run as Common Gateway Interface (CGI), which is slower than running PHP as a precompiled module under Apache. CGI was the first workable model for web applications, and it is still used for simple scripts. However, once you leave the realm of PHP scripting and start writing full-fledged applications, you’ll need the performance boost of precompiled PHP.

For fairly simple web servers, SuExec can keep one insecure application from trampling all over everything else. However, in a more complex environment with virtual servers, precompiled modules, and dozens or hundreds of users, you need a security model that is a bit more robust.