WordPress.org

Ready to get started?Download WordPress

Forums

multi-user shared environment: suexec or suPHP? (5 posts)

  1. Robert.Vidrine
    Member
    Posted 2 years ago #

    I hope that this has not already been covered elsewhere in the forum. (I did several searches, I swear!)

    I am trying to design a configuration for the WP server for my College, where several people will share the same server, but should be limited to their own installation of WP. This is largely for security reasons (so that a rogue plugin or sloppy coding on one site can't affect every other WP install on the same server).

    I've found (slightly contrary to the codex I think-I intend to see about editing that: separate subject) that the user which runs PHP (Apache usually as 'nobody' or similar) has to OWN the files/directories, not just be allowed to write there. This leads me to suexec or suPHP. I found in another thread that suexec and suPHP are definitely different. The still lingering question is whether I should be using suPHP (last updated in 2009!) or whether suexec will get the job done.

    I want:
    PHP in wp1/ will run with person X's owner's permissions, allowing automatic updates, plugins which create/change files, etc.

    PHP in wp2/ will run with person Y's owner's permissions, allowing all functionality, but keeping them out of wp1/ (and vice versa).

    (I intend for wp1/ and wp2/ to be multisite networks BTW. Not a dealbreaker if this won't work, but it would be nice.)

    After struggling (and failing) to get Apache configured and running properly with suPHP, I'm wondering if I'm chasing the wrong target and I should just be using suexec somehow?

  2. CoderJosh
    Member
    Posted 2 years ago #

    First of all, this doesn't seem to be related to WordPress Network or WordPress Multisite, because you want your users to maintain their individual WordPress installations.

    For security reasons, on a shared server it's indeed a good idea to execute PHP programs with the permissions of the user owning that particular site, to isolate the various sites running on the server from each other.

    There's different ways to accomplish that. You've mentioned suexec and suPHP, the former being used for executing CGI scripts in general and the latter exclusively for PHP. Between these two, suPHP would be better suited for WordPress.

    If performance is an issue and if you don't have too many accounts on your server, you could also look into FCGI.

  3. moved since it's not multisite.

  4. Robert.Vidrine
    Member
    Posted 2 years ago #

    Thank you very much CoderJosh!
    I am a little worried that suPHP hasn't been updated for 2 years, but it seems like it's still being heavily used for this.
    I actually would like for each installation to be a network, but for each network installation to be completely separate from the other installs. This will allow each installation to have very deep permissions to their own site (even the ability to quickly and easily create new sites within the network), but could not affect other installs.

    The main concern is how to setup the server itself. It sounds like suPHP is the way to go. Thank you very much for the prompt reply! I will be glad to post my results once I test out putting each WP network in its own locked down, single owner install folder. (My biggest concern is that Apache will get confused with all the redirection, but hopefully I can avoid collisions.)

  5. CoderJosh
    Member
    Posted 2 years ago #

    Note that suPHP is just used to call the PHP interpreter, so the module doesn't need to be updated whenever PHP is updated. So the fact that it hasn't been updated since two years doesn't necessarily mean it's insecure.

    Depending on the Linux distribution your server uses, you might be able to find a package supported for your distribution. For example, there's an EPEL package for RHEL/CentOS servers.

    I don't see any problem with the setup you have in mind, i.e. multiple WordPress Network installations on one server. Each site will have its own Apache vhost, and if these are set up properly, there won't be any collisions.

Topic Closed

This topic has been closed to new replies.

About this Topic