cancel
Showing results for 
Search instead for 
Did you mean: 

[PAYH] PHP run as your own user, without safe mode, from httpdocs

Community Veteran
Posts: 767
Registered: 29-10-2008

[PAYH] PHP run as your own user, without safe mode, from httpdocs

Just to recap: on PAYH, PHP scripts in httpdocs are handled by the Apache-module version of PHP. In order to prevent cross-site-scripting attacks, mod_php5, which runs as the Apache user (www-data), has to run in "safe mode". This causes a whole heap of problems! If we could use the CGI version of PHP, this would run as our own user and can safely run without safe mode.
There are unsupported fixes that would allow us to do that on the current Plesk-8 PAYH servers, but Plusnet doesn't seem keen. Similarly, Plesk 9 will allow PHP to be handled by FastCGI, but Plusnet doesn't seem keen to upgrade soon, and haven't (yet?) offered to keep the ccgi servers running until they do.
As mentioned previously, PAYH does have a working version of php5-cgi and this can be used for executable scripts in the cgi-bin, with a shebang line. This makes converting scripts a right pain. If we could override the file handlers in .htaccess, we could use php5-cgi from httpdocs, but it seems we can't. There is, however, a way to recreate this behaviour:

This is my own method. It can probably be improved. It's primarily aimed at scripters, but it seems to work with Gallery2.
This method redirects requests for php files in httpdocs to a php5-cgi wrapper script in cgi-bin which inherits the apparent location and contents of the requested file.
The example I give works on a per-folder basis.
First, create a wrapper script:
phpwrapper.cgi

#!/opt/php52/bin/php5-cgi
<?php
$_ENV["SCRIPT_NAME"]=$_SERVER['PHP_SELF']=$_SERVER["SCRIPT_NAME"]=$_ENV["REDIRECT_URL"];
$_ENV["SCRIPT_FILENAME"]=$_SERVER["SCRIPT_FILENAME"]=$_SERVER["DOCUMENT_ROOT"].$_ENV["REDIRECT_URL"];
ereg('^(.*)/([^/]*\.php)$', $_ENV["REDIRECT_URL"], $wrap_url);
chdir('/var/www/vhosts/yourusername.plushost.co.uk/httpdocs/'.$wrap_url{1});
include $wrap_url{2};
?>

Substitute your user name for "yourusername", or your domain name for "yourusername.plushost.co.uk", to create a valid path. Put this script (phpwrapper.cgi), including the shebang line, in your cgi-bin folder and make it executable (755).
Then, add these lines to the end of the .htaccess file in your httpdocs folder (if you don't already have one, write one), replacing "yourfolder" with the name of the folder (within httpdocs) in which you want to use the CGI version of PHP. This will then work for all subfolders, so long as they don't contain .htaccess files that override the one in httpdocs.

rewriteEngine on
rewriteCond %{query_string} ^(.*)$
rewriteRule ^yourfolder.*/[^/]*\.php$ cgi-bin/phpwrapper.cgi?%1

If you want to use both mod_php5 and php5-cgi in the same folder, change "php" to "php5" - then all files with the php extension will still be handled by mod_php and all files with the php5 extension will be handled by the cgi wrapper.
If you want to use php5-cgi in more folders, just repeat the last two lines (the condition and the rule), replacing "yourfolder" with a different folder. Keep the "" each time because it only terminates when a match is made.
(NB, In this example, the request URI must contain the named folder.)
You still won't be able to install PHP apps that require safe-mode-off straight from the Plesk panel, because that will still see safe-mode-on for mod_php5.
edit: security update added 19/02/09
Gabe
19 REPLIES
gilbertG
Dabbler
Posts: 23
Registered: 16-01-2009

Re: [PAYH] PHP run as your own user, without safe mode, from httpdocs

Woohoo!!!
I have a working site - I had read the other post about using cgi php but hadn't clicked that you could wrap current php using it and redirect using .htaccess.
Thanks Gabe.
paulcobb
Grafter
Posts: 140
Registered: 30-07-2007

Re: [PAYH] PHP run as your own user, without safe mode, from httpdocs

@Gabe
Can you confirm what your take is on the implications for getting Gallery running on PAYH in light of what you say in this thread
Or is this just applicable to enable running your own custom PHP scripts.
TIA
Paul
Community Veteran
Posts: 767
Registered: 29-10-2008

Re: [PAYH] PHP run as your own user, without safe mode, from httpdocs

Hi Paul,
I think I've now got a working version of Gallery2 set up on PAYH, using the method above.
I followed the instructions at
http://codex.gallery2.org/Gallery2Tonguereinstaller
and selected the GD image lib in setup.
I'm hesitant to say it, but initial impressions are that it just works.  Smiley
I hope this is good news.
Gabe
paulcobb
Grafter
Posts: 140
Registered: 30-07-2007

Re: [PAYH] PHP run as your own user, without safe mode, from httpdocs

Thanks Gabe,
I will have a try myself then and report back.
Paul
paulcobb
Grafter
Posts: 140
Registered: 30-07-2007

Re: [PAYH] PHP run as your own user, without safe mode, from httpdocs

So far so good - all seems ok with the installation process!
Had one hiccup thought - I enabled the 'URL Rewrite plugin, which then wrote to the .htaccess file in the gallery2 directory.
This screwed things up straight away!
Is there any way to allow this to work along with the content of the .htaccess in the httpdocs directory?
Community Veteran
Posts: 767
Registered: 29-10-2008

Re: [PAYH] PHP run as your own user, without safe mode, from httpdocs

Yes, that will override the redirect in httpdocs. I'm afraid it would have to be one or the other. The short-url redirect won't be compatible, in any case, because the request won't contain the specified folder or the information necessary for the wrapper script. I think it should be possible to format your own custom rules, but this would have to be done manually, not via the plugin.
When I installed, I deselected that plugin, suspecting it would cause trouble. I've not used Gallery before, so there may be other hiccups. I hope none too serious.
Gabe
paulcobb
Grafter
Posts: 140
Registered: 30-07-2007

Re: [PAYH] PHP run as your own user, without safe mode, from httpdocs

I thought that would probably be the case.
I'm currently setting up the Gallery install on the PAYH server, duplicating an install I have running elsewhere - to compare.
So far, so good :-)
Tony_W
Grafter
Posts: 745
Registered: 11-08-2007

Re: [PAYH] PHP run as your own user, without safe mode, from httpdocs

Hi Gabe,
Would this method get over having to do a CHMOD 777 on folders as in this topic?
I tried the CHMOD and it does work, but I feel vulnerable as someone could delete or alter my scripts or data. It is for that reason I have not yet gone 'live' - apart from having to do loads of alterations for the php4 to php5 change.
Tony
Community Veteran
Posts: 767
Registered: 29-10-2008

Re: [PAYH] PHP run as your own user, without safe mode, from httpdocs

Hi Tony,
Yes.  Smiley
If files and folders are owned by your user and the script runs as your user it makes things a lot easier and safer.
Gabe
Tony_W
Grafter
Posts: 745
Registered: 11-08-2007

Re: [PAYH] PHP run as your own user, without safe mode, from httpdocs

Thanks Gabe, I'll give it a test over the next couple of days.
Do you think that I will be able to leave the permissions the same as those currently on the ccgi server?
Tony
paulcobb
Grafter
Posts: 140
Registered: 30-07-2007

Re: [PAYH] PHP run as your own user, without safe mode, from httpdocs

Gallery 2.3 up and running!
A few minor configuration issues to address but looking promising.
Community Veteran
Posts: 767
Registered: 29-10-2008

Re: [PAYH] PHP run as your own user, without safe mode, from httpdocs

Hi Paul,
Good! Please keep us all up to date on any glitches. I'm not familiar enough with Gallery to check more than the very basics.
I wonder if the method would work acceptably with Joomla - something else with which I'm not familiar, so can't really test.
Hi Tony,
Yes, if the ownerships are equivalent then the permissions will be.
One thing I should probably mention is that the CGI version of PHP won't read any php_flag settings in .htaccess files. Instead, using this method, we can set those values within the wrapper script, e.g.:

#!/opt/php52/bin/php5-cgi
<?php
ini_set('display_errors','0');
// etc.

Gabe
Tony_W
Grafter
Posts: 745
Registered: 11-08-2007

Re: [PAYH] PHP run as your own user, without safe mode, from httpdocs

Hi Gaby,
Can you please confirm that the line in phpwrapper.cgi :
chdir('/var/www/vhosts/location.plushost.co.uk/httpdocs/'.$wrap_d);

should be written as shown, rather than
chdir('/var/www/vhosts/myusername.plushost.co.uk/httpdocs/'.$wrap_d);

I am currently experiencing difficulty getting it to work - it's probably just me missing something somewhere.
Tony
paulcobb
Grafter
Posts: 140
Registered: 30-07-2007

Re: [PAYH] PHP run as your own user, without safe mode, from httpdocs

You are correct Tony, it shound be your user name that you use in the string.