Transition to suPHP (Advance Notice/Schedule)
NB: Also see the initial advance notice announcement on this subject.
This announcement is related to our upcoming work on all servers to enable suPHP. suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of the process executing the PHP interpreter. In more general terms, enabling suphp will add an additional layer of security and remove issues related to file ownership permissions when using popular PHP based applications such as WordPress and Joomla.
The schedule for carrying out the change to servers is as follows:
US BAKER - April 26 2010 @ 12:00 AM EST [ now completed ]
UK BELLAMY – April 26 2010 – 10:00 PM GMT [ now completed ]
UK RICHARDS - April 30 2010 – 10:00 PM GMT [ now completed ]
Click “read more” below for the full details of this important announcment…
This is quite a large scale change but we’d first like to reassure all clients that in the vast majority of cases there will be no difference and the work will be un-noticable. In fact, we have been running suPHP on a test server servers for some months now with ZERO problems or issues and that test upgrade went very well. This announcement is aimed at highlighting some of the slight differences when PHP is running in a suphp environment.
1. Permissions (WILL BE HANDLED BY US)
With suphp it will not be possible to make insecure permission settings to scripts such as 777 world writable. Any PHP files should be set to 644 (or less) with directories set to 755 (or less). This is a much more secure hosting environment and any changes to permissions or ownership required on existing scripts will be handled by us as part of the work.
Any files currently set to 777, 757, etc. will be changed to 755 as a safe global change, you can change them to 644 from there, if you wish. This only changes files and directories that are currently set to group or world write permissions and ignores any other files. This changes more than php files, to be the most safe and consistent change, in case you have any CGI files or other that are too open (and insecure) with its permission. Finally, any files that need to be set to “read only” should be set to 444 or 400.
2. .htaccess php rules (WILL BE HANDLED BY US)
At the moment it is possible to change some php options by using a line in a .htaccess file such as “php_value option x” or “php_flag option x”. This will no longer be possible after the suphp install and any php options will need to be configured in a file called php.ini using the syntax ‘option_name = “value”‘. Once again, we will take care of converting lines of .htaccess files to php.ini files at the time of the work.
3. SetHandler rules
Any clients who have setup SetHander rules will need to change these as follows. Any instances of:
ForceType application/x-httpd-php
or
SetHandler application/x-httpd-php
Need to be sure they use -php5 instead of -php:
ForceType application/x-httpd-php5
and
SetHandler application/x-httpd-php5
4. Account quotas
To date, any files created using a PHP script have been under Apache ownership and not counted towards the user account quota. This will change and all quotas will be much more accurate after the work which is a major benefit for account accuracy and when clients with to modify files created using scripts via FTP which will be possible without issue with suphp.
5. Joomla
For any clients using Joomla, it is important to have the $live_site variable configured with the domain of the account. Most installs should already have this set but it’s worth taking a few seconds to check before this work is done.
If anyone has any questions please feel free to contact us via our helpdesk.