Questions tagged [mod-php]

PHP installed as an Apache module

There are (at least) two ways of running PHP with Apache:

  • Using CGI: a PHP process is launched by Apache, and it is that PHP process that interprets PHP code, not Apache itself.
  • Using PHP as an Apache module (called mod_php): the PHP interpreter is embedded inside the Apache process, so there is no external PHP process, which means that Apache and PHP can communicate better.

When PHP is used as an Apache module it inherits Apache's user permissions (typically those of the "nobody" user). This has several impacts on security and authorization. For example, if you are using PHP to access a database, unless that database has built-in access control, you will have to make the database accessible to the "nobody" user. This means a malicious script could access and modify the database, even without a username and password. It's entirely possible that a web spider could stumble across a database administrator's web page, and drop all of your databases. You can protect against this with Apache authorization, or you can design your own access model using LDAP, .htaccess files, etc. and include that code as part of your PHP scripts.

Often, once security is established to the point where the PHP user (in this case, the Apache user) has very little risk attached to it, it is discovered that PHP is now prevented from writing any files to user directories, or perhaps from accessing or changing databases. It has been secured equally against writing good and bad files, and against entering good and bad database transactions.

A frequent security mistake made at this point is to give Apache root permissions, or to escalate Apache's abilities in some other way.

Escalating the Apache user's permissions to root is extremely dangerous and may compromise the entire system, so sudo'ing, chroot'ing, or otherwise running as root should not be considered by those who are not security professionals.

There are some simpler solutions. By using open_basedir you can control and restrict which directories PHP is allowed to use. You can also set up Apache-only areas, to restrict all web-based activity to non-user, or non-system, files.

70 questions
4 votes, 5 answers

How to configure PHP under Apache web server in GENTOO Operating System?

Is there anyone who knows how to install / configure php under apache? I have emerged both php and apache. I wanted to use mod_php for apache in GENTOO OS. php temp.php command line runs fine, but http://localhost/temp.php is not executing on web server…
shahjapan
3 votes, 1 answer

The reason why mod_php is less efficient than fastcgi php(php-fpm)

I see most answers believe mod_php is less efficient because memory footprint will be higher due to serving static files, like this one. But I have a different opinion as follows: As a matter of fact, code sections are shared among fork()ed…
Je Rog
3 votes, 1 answer

Detect support for php_value / php_flag in .htaccess to suppress errors - PHP CGI mode - mod_php

I use php_value and php_flag rules in .htaccess such as: php_value upload_max_filesize 100M But this causes an error when the server is running in CGI mode instead of Apache mode, and instead I have to use php.ini rules such as: upload_max_filesize…
Jamie G
3 votes, 0 answers

Override connect() in a PHP script running on Apache with mod_php

How to override connect() system call called from within PHP script, in an Apache request, when PHP is enabled via mod_php? I have my custom connect() version defined in custom-connect.c: #define _GNU_SOURCE 1 #include #include…
Luke 10X
3 votes, 2 answers

Web programming: Apache modules: mod_python vs mod_php

I've been using PHP with Apache (a.k.a. mod_php) for more than 12 years for my web development work. I've recently discovered python and its real power (I still don't understand why this is not always the best product that becomes the most…
Olivier Pons
3 votes, 1 answer

Including several PHP versions in Apache, switchable via AddHandler directive

A shared web host I'm using is offering several versions of PHP on the same server: 5.2, 5.3 and 5.4. They make it possible to switch between these versions by naming the file extensions .php54 and .php53 respectively, or via an .htaccess…
deceze
3 votes, 1 answer

Can Nodejs run behind Apache and is it supported?

Apache creates a new Thread for each request or more accurately, it re-uses a Thread from a pool of Threads but Node.js is essentially a single Thread. Would there be any complication in running a Node.js web app behind an Apache webserver? For…
RHT
3 votes, 1 answer

Run background process from PHP on FastCGI

I know it is possible to create a background PHP process which can be started on demand from another PHP file: $command = "/usr/bin/php5 -f script.php"; exec( "$command > /dev/null 2>&1 &", $arrOutput); However this solution works only when PHP is…
mgo
2 votes, 0 answers

Configure/compile mod_php (PHP 5.2.17 for Apache 2.2.17) with "Thread Safety" disabled

My Linux distribution is RedHat / CentOS 5.x i386/x86_64. I'm using custom compiled Apache version 2.2.17 (both worker and prefork) modes with mod_php (PHP 5.2.17) custom compiled too. phpinfo() page shows "Thread Safety" is 'enabled'. My problem is…
2 votes, 1 answer

Installing libapache2-mod-php7.1

I installed Apache 2.4.27 and PHP 7.1.7 from source, but I don't find a tip about how to install libapache2-mod-php7.1 or the required module. How can I install libapache2-mod-php7.1 (or similar) to Apache 2 located under /user/local/apache2? I have…
Jordy Deweer
2 votes, 1 answer

No mod_php? 14.04 / ondrej php5.6 + ondrej apache2

Trying to get a 14.04 box running PHP 5.6, but having issues getting PHP enabled in apache. Specifically, it doesn't seem mod_php is being installed anymore? apt-get update apt-get install -y python-software-properties add-apt-repository -y…
Brian Brownton
2 votes, 1 answer

Non persistent pg connections

I've changed pgsql.allow_persistent to Off in /etc/php.ini, and restarted apache. Now I'm getting identical pg handles for two consecutive pg_connect. Array ( [0] => Resource id #14 [1] => Resource id #14 ) My question is, is php still using…
mpapec
1 vote, 0 answers

How to run mod_php and fastcgi side-by-side?

Is it possible to run certain PHP scripts through mod_php when your apache server is configured to run as FastCGI? (FPM/FastCGI). This could be configured at the directory level, but I'm not sure what syntax to use in the apache…
Highway of Life
1 vote, 2 answers

How do mod_php, mod_python, mod_Language work

Some of the Apache modules are related to programming languages, like mod_php and mod_python. The description is basically "enables usage of php within apache" or "enables usage of python within apache". I'm trying to understand an overview of how…
sameold
1 vote, 1 answer

How to prevent Apache / mod_rewrite from treating path as file with same name

I'm using WAMP Server, mostly configured as-is out of the box. I'm having trouble getting mod_rewrite to behave as expected locally (everything works fine on a production server). I have a PHP file located at: /ajax/graphs/get-graph.php The way…
Casey Kinsey