CGI more secure than Apache Module
Posted: Thu Jan 19, 2006 9:48 am
Hi,
I'm doing work for a client and the client's host company runs PHP as a CGI on Linux.
I've never encountered this before (I've been working with PHP since 2001).
Here's their reasoning:
There are two ways you can choose to have your PHP executed at xxx.
The default for new customers is now PHP-CGI. This is by far the preferred
method. The benefits of running PHP-CGI are:
* It is more secure. The PHP runs as your user rather than dhapache.
That means you can put your database passwords in a file readable only by
you and your php scripts can still access it!
* It is more flexible. Because of security concerns when running PHP as
an Apache module (which means it runs as our dhapache user), we have
disabled a number of commands with the non-CGI PHP. This will cause
installation problems with certain popular PHP scripts (such as Gallery) if
you choose to run PHP not as a CGI!
* It's just as fast as running PHP as an Apache module, and we include
more default libraries.
There are a FEW VERY MINOR drawbacks to running PHP-CGI. They are:
* Custom 404 pages won't work for .php files with PHP-CGI. Or will they?
See n74's comment below!
* Variables in the URL which are not regular ?foo=bar variables won't
work without using mod_rewrite
(example.com/blah.php/username/info/variable).
* Custom php directives in .htaccess files (php_include_dir
/home/user;/home/user/example_dir) won't work.
* The $_SERVER['SCRIPT_NAME'] variable will return the php.cgi binary
rather than the name of your script.
If one of those is a show-stopper for you, you can easily switch to running
PHP as an Apache module and not CGI, but be prepared for a bunch of
potential security and ease-of-use issues! If you don't know what any of
these drawbacks mean, you're fine just using the default setting of PHP-CGI
and not worrying about anything!
I don't buy this. I would think just the opposite would be true, that the Apache module would be faster, more flexible and more secure.
My client has offered to change this but I want to be able to give him some counter reasons.
Any experts care to shed some light on this???
Thanks!
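The host's first bullet rests on one concrete property: the credentials file must be readable only by the account PHP executes as, so that under a shared server user (mod_php) nothing else running as that user, including other tenants' scripts, can open it. The shell function below audits exactly that property. It is an added example, not part of the original post and not the host's own tooling; it assumes a POSIX shell with either GNU or BSD `stat`, and the path and owner name in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a credentials file
# is readable only by its owner, the property the "PHP runs as your user"
# argument depends on. Paths and owner names are assumptions/placeholders.

# Print a file's permission bits in octal; works with GNU stat and BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print a file's owning username; works with GNU stat and BSD stat.
file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# check_secret_perms FILE [EXPECTED_OWNER]
# Returns 0 when FILE is mode 0600 or 0400 (no group/other access) and, when
# EXPECTED_OWNER is given, is owned by that user. Otherwise prints the
# problem and returns 1. Under mod_php every site runs as the shared server
# user, so a group- or world-readable file is exposed to every other tenant;
# under PHP-CGI the script runs as the file's owner and 0600 is sufficient.
check_secret_perms() {
    file=$1
    expected_owner=$2
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    mode=$(file_mode "$file")
    case "$mode" in
        600|400) ;;
        *) echo "too permissive: $file is mode $mode (want 600 or 400)"; return 1 ;;
    esac
    if [ -n "$expected_owner" ]; then
        owner=$(file_owner "$file")
        if [ "$owner" != "$expected_owner" ]; then
            echo "wrong owner: $file is owned by $owner, want $expected_owner"
            return 1
        fi
    fi
    echo "ok: $file is mode $mode, owned by $(file_owner "$file")"
    return 0
}

# When run directly with arguments, audit the named file, e.g.
#   sh check_secret_perms.sh /home/user/private/db.conf "$(id -un)"
# (placeholder path; keep the file outside the document root).
if [ $# -gt 0 ]; then
    check_secret_perms "$@"
fi
```

Run it against the file that holds the database password and expect `ok`; anything else means the file is readable by accounts other than the one PHP executes as, which is the exposure the host is describing. The owner check matters on a PHP-CGI setup: the script runs as your user, so the file must be owned by that user, not by the shared server account.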