How To Blog Site - is your one stop resource for blogging instructions, blog marketing, blog tips & tricks. Stay informed with the newest information about blog plugins and themes. Make sure you subscribe to our RSS feed so you don't miss an update.


WARNING TECHNICAL POST! ENTER AT YOUR OWN RISK!

 


Yes, this covers technical (geeky) aspects, but I am trying to put it in layman’s terms.

I wrote a post about how having suPHP on the server is actually a benefit for people using WordPress 2.7. In response to that post I was asked, “What is suPHP?” I will attempt to answer that here, but I will have to give some background first.

suPHP is a program that controls who can access certain files. The earlier version was PHPsuExec but that is quickly being replaced by suPHP and the two do basically the same thing.

Now to explain about permissions I am going to have to start at the very beginning.

It starts with scripts. Scripts are programs that run on your server and give your website or blog the ability to process information that can be stored or displayed when requested. WordPress blogging software is a script.

All script files need to be authorized to run on the server and this is done by setting permissions (CHMOD). There are three categories that permissions can be set for and three types of permissions.

The categories are:

User – this is the site or file owner.

Group – this is for select members that have access to certain areas of your server or script.

Other – covers anyone that isn’t the user or the group.

Permissions

Read – allows the file to be read.

Write – allows the file to be modified.

Execute – allows the file to be run on the server.

The permissions are usually described with either letters or numeric values:

1 or x = execute
2 or w = write
4 or r = read

Most commonly you will see instructions telling you to set the permissions (CHMOD) on a file to a number like 755. Each digit is the sum of the permissions granted to one category. In this case it would be:

User = 7 – this is 1 for execute, 2 for write and 4 for read = 7
Group = 5 – this is 1 for execute, 4 for read = 5
Other = 5 – this is 1 for execute, 4 for read = 5

This permission would let anyone that comes to your site read the file and execute it, but they couldn’t change it. Only you (the server) can change the file.

PHP scripts usually run with the user as “Nobody”. This means that the control of the file or directory is directly related to the permissions set for the file.

Since “Nobody” is not the User or a Group member, it is Other, and for the script to run properly you might have to set the permissions on a file or a directory to allow all these categories to use the file. This would be read, write and execute for all categories (777).

The problem with this is that you are letting people from off your server execute files. This opens up the possibility of adding code to a URL and giving them access to your entire site depending on the file they can get into and how it is coded.

This is a big, make that BIG, security risk and should be avoided.

Now enter suPHP or PHPsuExec, both of these will stop PHP from running as “Nobody” and make it so the files can only be written by the User.

This is one layer in defense against hackers but it does affect the way that you have to set your permissions on your site.

If your server is running suPHP or PHPsuExec and you are told to give a folder or directory the permission of 777 and you do so, when you try to run the program you will probably get an error, usually a 500 Internal Server error.

How do you know if your server is running suPHP or PHPsuExec?

Basically, if you set your permissions on a folder to 777 and you get the 500 Internal Server error, your server might be running suPHP or PHPsuExec, but it could be another error with the script. Your best bet is to ask your hosting service if you are. I know HostGator and Niche Simple (two of the hosting companies I use for blogs) use it, and more and more hosting services are starting to use it.

The key thing to remember: if you are installing a script on a server running suPHP or PHPsuExec, and you set the permissions (CHMOD) on certain files and folders as instructed and the script doesn’t work, change all your folder/directory permissions to 755 and all your file permissions to 644 and try again. This usually fixes the problem.
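
The 755/644 reset described above, as an added shell example that is not from the original post: it first lists every file and folder that Group or Other can write to (which includes anything set to 777), then applies the post's values. The function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: audit and reset permissions under a site directory.
# Function names are illustrative, not part of suPHP or WordPress.

# Print every file or directory under $1 that Group or Other may write to.
# -perm -020 tests the group-write bit, -perm -002 the other-write bit.
list_writable_by_others() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -020 -o -perm -002 \) -print
}

# Reset directories to 755 and regular files to 644 (the post's values).
# find does not follow symlinks here, so linked targets are left alone.
normalize_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Count entries whose mode is not exactly 755 (directories) or 644 (files).
count_nonconforming() {
    {
        find "$1" -type d ! -perm 755 -print
        find "$1" -type f ! -perm 644 -print
    } | wc -l | tr -d ' '
}

# Typical use after sourcing this file (path is a placeholder):
#   list_writable_by_others /path/to/your/blog   # review what is exposed
#   normalize_perms /path/to/your/blog           # apply 755 / 644
#   count_nonconforming /path/to/your/blog       # should report 0
```

Run the listing step first and read the output before changing anything, since a script's install notes may name specific folders it expects to write to.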


How To Blog Site - is powered by Randy The Hermit and Mark "Wizzer" Wilson
Founders of Blogging Beginners