#9867 – PHP 5 Handler should be set to: DSO, suphp, CGI or None?

Posted in ‘Akeeba Admin Tools for Joomla!’
This is a public ticket. Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.
Friday, 06 May 2011 12:42 CDT
Hi

I just bourght the Admin Tool since almost all of our websites has been hacked, and mostly I believe because of the 777 issue, So I am configuring a brand new server and my only question is, what is the best setup for about 30 joomla sites:

PHP 5 Handler should be set to: DSO, suphp, CGI or None?

and Apache suEXEC should be set to yes, I believe

Thanks in advance
iveth
Friday, 06 May 2011 19:15 CDT
I would use suPHP, unless you expect massive traffic (several hundreds of millions of pageviews per month) on the server. In that case use 644 permissions for files and 0755 for directories. Give the parent directory of your web root 0700 permissions. E.g. if your web root is /home/myuser/public_html, give 0700 permissions to /home/myuser and 0755 permissions to /home/myuser/public_html and its subdirectories. Why? Because the 0700 will "neuter" 0777 permissions, effectively making them equal to 0755 (that's a little known UNIX trick!).

DSO and CGI are like your old shared hosting platform, so you will suffer for having to set too wide permissions. None will just disable PHP which isn't really helpful in running a Joomla! site :)



Nicholas K. Dionysopoulos

Lead Developer and Director



Greek: native

English: excellent

French: basic



Please keep in mind my timezone and cultural differences when reading my replies. Thank you!



nicholas
Monday, 09 May 2011 08:25 CDT
Thanks a lot, and the Apache suEXEC should be set to on is that correct?
iveth
Monday, 09 May 2011 08:26 CDT
You're welcome! Yes, suPHP should be on, that's correct. Enabling suPHP is the safest best to having a secure web server environment.


Nicholas K. Dionysopoulos

Lead Developer and Director



Greek: native

English: excellent

French: basic



Please keep in mind my timezone and cultural differences when reading my replies. Thank you!



nicholas
Monday, 09 May 2011 12:40 CDT
Nicholas

Ok, I have istalled the Admin tools pro, server all setup, I run the first fix permisssion a couble of times but some of the files are not changed to the right settings, some of the language files are still showing up in red and they are showing that is nobody, meaning I cant install any extensions... how do I set it so it will show the owner < > Joomla site?
iveth
Tuesday, 10 May 2011 06:08 CDT
Since you have just changed to suPHP, you will need to do some work over SSH to get everything working properly. The most important thing to know is your UNIX username and group name for your account. Let's say if it is foo (username) and bar (group name). Using SSH and logged in as root, go inside your web root and type this:
chown -Rf foo:bar *
find . -type d -exec chmod 0755 {} \;
find . -type f -exec chmod 0644 {} \;

These commands change the ownership of all of the files to belong to your account and fix the permissions to same settings. From that point you're ready and you will probably never have to worry about file permissions again!


Nicholas K. Dionysopoulos

Lead Developer and Director



Greek: native

English: excellent

French: basic



Please keep in mind my timezone and cultural differences when reading my replies. Thank you!



nicholas
Tuesday, 10 May 2011 06:26 CDT
Nicholas thanks

ok, great, now my username of an account I will find in my Joomla back admin in control panel correct and it is the same I use for FTP (correct), but my Group name where do I find that?
iveth
Tuesday, 10 May 2011 06:35 CDT
The group name is the hardest thing to find. Usually it's "users", but you should better ask your host about it as it depends on the server setup. You may see its name or numeric ID (both work just fine with the commands above) if you use Admin Tools' permission configuration. The folder/file browser will show the user name and group name of the owner of each file in the user:group format.


Nicholas K. Dionysopoulos

Lead Developer and Director



Greek: native

English: excellent

French: basic



Please keep in mind my timezone and cultural differences when reading my replies. Thank you!



nicholas
Tuesday, 10 May 2011 06:46 CDT
Nicholas

I got the SSl thing set up I am in root, ad ready with the command, but in my first try my account is margari1 (ftp user name) the only other name in my admin tools cpanel is nobody, please see attached image..is that my maybe non exsistant group name?
iveth
Tuesday, 10 May 2011 06:49 CDT
"nobody" is a valid user and group name which is commonly used with web-only user accounts. So, yes, use "nobody" as your group name.


Nicholas K. Dionysopoulos

Lead Developer and Director



Greek: native

English: excellent

French: basic



Please keep in mind my timezone and cultural differences when reading my replies. Thank you!



nicholas
Tuesday, 10 May 2011 07:05 CDT
I enter the command:
chown -Rf margari1:nobody *find . -type d -exec chmod 0755 {} \;find . -type f -exec chmod 0644 {} \;

but i get this error: please see attachement..

iveth
Tuesday, 10 May 2011 07:06 CDT
attachment
iveth
Tuesday, 10 May 2011 07:14 CDT
just thought something worth a mention for the extra security conscious which works well for me:

1. change your ssh port from the default to something like 1587 as everyone know the default port 22 and will most likely be prone to annoying brute attempts

2. creat a suUser and MAKE sure you test logging in and etc otherwise you may quickly lock yourself out of your own server

3. Disable direct root access to ssh.

4. Setup ssh access only via pubkey authentication.

You can still get root ssh access only after you login with suUser and change to root which you need the extra password.
Some may consider the extra steps somewhat of a pita, but i think they are worth it.

If all this is chinese, its best you read about it as i for 1 think its pretty important as far as administering your own box goes.

This is pretty much the ultimate security as far as that goes.

Personally im a big fan of suphp and suexec, however not all are. Then again not all are fans of milk, bread and water either, lol.
slaes
Tuesday, 10 May 2011 07:21 CDT
Nicholas

What is wrong with my regex:
I enter the command:
chown -Rf margari1:nobody *find . -type d -exec chmod 0755 {} \;find . -type f -exec chmod 0644 {} \;

but i get this error: please see attachement..
iveth
Tuesday, 10 May 2011 07:51 CDT
Each line is a different command. Do not try to run them all in one line!


Nicholas K. Dionysopoulos

Lead Developer and Director



Greek: native

English: excellent

French: basic



Please keep in mind my timezone and cultural differences when reading my replies. Thank you!



nicholas
Tuesday, 10 May 2011 11:12 CDT
I cant get it to work..

This is the most important: chown -Rf margari1:nobody *
(changing the ownership) admin toools can the rest.

but I cant chage the ownership using SSl, also some of my Joomla accounts show nobody:nobody what do I do here??

sorry about bothering you about this but all the rest is is ok now!!

iveth
Tuesday, 10 May 2011 15:37 CDT
You have to run this command as root. If you are not a root user you can not change the ownership of files and directories (makes sense, otherwise what's the point of permissions?). That's why I said that you have to type these commands as root :)


Nicholas K. Dionysopoulos

Lead Developer and Director



Greek: native

English: excellent

French: basic



Please keep in mind my timezone and cultural differences when reading my replies. Thank you!



nicholas
Tuesday, 10 May 2011 16:06 CDT
Nic, on an earlier post you recommended changing the web root directory to 700 and it would "neuter" 0777 permissions, effectively making them equal to 0755.

I made a comment to my tech group about that and here was their reply:

On a cPanel server you don't want to mess with the permissions of the home directories or public_html or you will break things. If you don't want users to have to set permissions to 777 to get their scripts to work, use suPHP which allows PHP to run as the account owner and causes anything set over 755 to generate an error.
 
earthrat
Tuesday, 10 May 2011 17:28 CDT
And here is a reply from another so called tech that apparently thinks you are full of S*^t. Personally I will take your advice over any of these so called pros but I would love to hear your opinion on these comments.

Not to bash your guru, but I'm afraid this simply isn't true. Having a parent folder with permissions 0700 will NOT prevent anyone from making a change to a 0777 sub folder. Observe:
------------------
root@server [/home/user]# cd /home/user
root@server [/home/user]# ls -lhad public_html/
drwxr-x--- 6 user user 4.0K May 10 17:23 public_html// root@server [/home/user]# chmod 0700 public_html/ root@server [/home/user]# ls -lhad public_html/
drwx------ 6 user user 4.0K May 10 17:23 public_html// root@server [/home/user]# cd public_html/ root@server [/home/user/public_html]# mkdir test root@server [/home/user/public_html]# chown user.user test root@server [/home/user/public_html]# chmod 0777 test root@server [/home/user/public_html]# ls -lhad test/ drwxrwxrwx 2 user user 4.0K May 10 17:28 test// root@server [/home/user/public_html]# cd test root@server [/home/user/public_html/test]# su -s /bin/bash nobody bash-3.00$ ls -lha total 8.0K drwxrwxrwx 2 user user 4.0K May 10 17:28 .
drwx------ 7 user user 4.0K May 10 17:28 ..
bash-3.00$ echo "test" > test.txt
bash-3.00$ ls -lha
total 12K
drwxrwxrwx 2 user user 4.0K May 10 17:31 .
drwx------ 7 user user 4.0K May 10 17:28 ..
-rw-r--r-- 1 nobody nobody 5 May 10 17:31 test.txt
------------------

And regarding SuPHP and 0777 directories, in the default configuration, any PHP file will permissions 0777 (or in a directory with 0777) will throw an error. Static files may still be served correctly. The idea here is mainly to prevent the execution of PHP files could be modified by anyone who is not the account owner. Hope that clears things up a little.
 
earthrat
Tuesday, 10 May 2011 20:06 CDT
what nico is saying (re 0700 perm to the USER and 755 to public html) is entirely relevant and works. Its an old school unix trick which many wont know or talk about as their are easier methods for sites without millions of visits. I think your host/support people are confused and don't understand the point.

The below statement from your guy is correct. Suphp pretty much does away with permissions issues and associates files to users only. If permissions are wrong, you will see a server 500 error. Try it yourself, set configuration.php to 777 and try load your site. Change it back, real quick, :)

""And regarding SuPHP and 0777 directories, in the default configuration, any PHP file will permissions 0777 (or in a directory with 0777) will throw an error. Static files may still be served correctly. The idea here is mainly to prevent the execution of PHP files could be modified by anyone who is not the account owner. Hope that clears things up a little. ""
slaes
Tuesday, 10 May 2011 22:05 CDT
Thanks Slaes,

I am absolutly NOT denouncing Nic or his word and in fact my mission is to impliment this on my Joomla server. I have several sites that are getting huge volumes of visits and a partner of mine is having issues with a few of his sites getting hacked. Of course I am convinced he brough his problems with him. This server gets pounded all the time by hackers that want in and I have not had one (knock on wood) site hacked yet.

I have spent a year getting my head around suPHP and not that I understand it completely I have implimented it and it is working just fine. The talk about sites with a large volume of hits though is making me wonder if it is time for a better solution?

My reason for bringing this up here is to see what Nic has to say and of course you have been an incredible resource that I have come to value as well...;)
 
earthrat
Tuesday, 10 May 2011 23:44 CDT
i know your position man, im very much the same as you. In that trying to learn as much as possible and be as thorough as you can. I makes all that extra effort very much worth while.

With your situtation, im sure nico will have some great suggestions for you as, personally 1 thing i really appreciate and value most of all is when people giving the advice are speaking from personal experience, not just from something the read or heard somewhere.

Naturally as with most things prevention is better than cure, you sound like you have it all pretty well down pat and are in the process of tweaking things up to suit your specifics.

just a side thought: provided that

a: your gettiing millions of hits p/m
b: your serving static content
c: your box has the processing power

it might be worth looking into mod_pagespeed.

i have seen it have great results on the above type setups, while i have also seen negative results when applied to the wrong environment.
slaes
Wednesday, 11 May 2011 00:38 CDT
Thanks bud, yes this truly is a dynamic process for sure. I have been tweaking my server settings for about 4 years now and although I think I have things well in hand. There is always that nagging feeling in the back of my mind that keeps me up at night wondering what I have missed or asking if the advice I got was from a reliable source. That is why I am haunting this forum more than any I have ever been on. Always on the look out for that one little bit of advice, code or tip that can give me better piece of mind.

I have powerhouse servers that never hit even 30% of their potential. I believe in conserving resources and never over taxing the hardware or software. Actually I have been working on some new ways to serve up the static content from Amazon S3 and it is so far proving to be a great asset. Not only for taking a large chunk of resource power off the servers but also in speeding up the websites. Here again it is a learning game but the payout is worth the pennies spent.
 
earthrat
Wednesday, 11 May 2011 00:46 CDT
very well said, this forum is brilliant for like minded people to share and bounce different ideas. Whenever we think we know it all, someone always comes up with something beneficial :) just the way it should be.
slaes
Wednesday, 11 May 2011 03:59 CDT
He he! I don't think that your server guy has that much experience working with *NIX systems (including Linux). The 0700 trick is a very old trick (it exists since the 70s!) but he doesn't get it. The whole idea is that if a file is owned by user A and has 0777 permissions, user B won't be able to write to it. This is a major step towards the security of a site in a shared host environment. cPanel readily sets the permissions of users' home directories to 0700 for this reason. Maybe you should talk your host into investing in Red Hat Certified Engineer training for his engineers. After all, cPanel runs on CentOS which is just a spin-off distro of Red Hat Enterprise Linux.

Regarding suPHP, their comments are spot on, but there's more to that. Since suPHP makes PHP run under the owner user and group of the entry point file (index.php), if all files and directories are owned by your account's user then everything is writable by PHP. This eliminates the need for insecure 0777 permissions. It pretty much means that everything in your account's directory is owned by your account's users and anyone else will be simply denied access. That's a huge feature and comes with the price of running PHP in CGI mode, so you can't use APC and will have a performance problem if serving several millions of pageviews per day.

The other thing you correctly spotted is that security is a process, not a task. You can never claim that you have achieved a "secure server configuration". There's always something more to do and it's generally something you are not aware of since the very beginning. I regularly overview the security of my servers and adjust it. I regularly do maintenance work, from permissions fixing to upgrading software to reviewing logs and adjusting .htaccess rules. It's a never ending process. Feedback from other people is of paramount importance to this process, as it helps you figure out blank spots in your security setup.


Nicholas K. Dionysopoulos

Lead Developer and Director



Greek: native

English: excellent

French: basic



Please keep in mind my timezone and cultural differences when reading my replies. Thank you!



nicholas
This ticket is closed, therefore read-only. You can no longer reply to it. If you need to provide more information, please open a new ticket and mention this ticket's number.

Support Information

Working hours: Typically we work Monday to Friday, 9am to 7pm Cyprus timezone (EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets, but we cannot respond to them, outside of our working hours.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!

Cookies Notification - Action required

This website uses cookies to provide user authentication and improve your user experience. Please indicate whether you consent to our site placing these cookies on your device. You can change your preference later, from the controls which will be made available to you at the bottom of every page of our site.