PHP as mod less secure than as CGI.??

marius_13

The company we use to host our site is running PHP as a CGI. I requested that it be ran as a MOD. They informed me that because of security reasons, they wouldn't. I asked for a detailed reason, since I had heard that Mod is more secure. Here is what I got for a response... Is this correct or are they just uninformed on the setup?

<Reply from provider>
Hi,

This is the answer I got from my administrators.

It is a security concern. We use suexec to increase security; a module executing scripts would run the script in the httpd context, with the same privileges as httpd. I hope this helps.

[deleted]

How secure something is depends on the environment in which it runs.

They probably have a multi-user environment with one webserver running several domains.
That means that if PHP runs as a module, every script by every user would have the same rights, so they could theoretically read eachothers files and shared-memory data.

Running through suexec probably prevents that in their setup.

Simple setting up several copies of the webserver, running under different user ID's solves this.