What is phpsuexec?

Phpsuexec is a deprecated feature in cPanel where php is setup as cgi instead of apache module. All shared hosting servers for HostingWebsitez have been updated from phpsuexec to suPHP. This KB applies to such clients that are still using phpsuexec on their VPSs/Dedicated servers. Phpsuexec brings a new level of security to the way php is used.

1) php scripts execute using the permissions of userid of the account holder instead of user “nobody”

2) world writable folders (chmod 777) is not required for file uploads through php

3) The php file need to have ownership of the user to execute in the user account (by default it is).

4) php file (script) does not need 755 permissions. 644 is fine. In fact 400 or 600 is ok too (especially good for sensitive information).

5) php_flag or php_value can NOT be used in .htaccess files (It will result in Internal Server Error).

6) The php flags that do not work in .htaccess can be moved to php.ini file in the same folder where php script exists. However, the php flag/value will be in the format of php.ini and not that of .htaccess. For example this from .htaccess

php_flag register_globals off

will go into php.ini as:

register_globals off

If php.ini exists in the folder where the php scripts exists, it will take all values from it (and nothing will be taken from main php.ini.

7) If the folder that contains a php file/script is world writable (chmod 777), it will result in Internal Server Error. This is similar to cgi/perl scripts under suexec that do not like such permissions for security reason. The normal folder permissions should be 755.

8) Apache specific php functions do not work:


9) If your .htaccess file contains “Options” directive, it should have + or – with the directive to keep the ExecCGI active.

10) Symbolic links do not work for php scripts for security reasons.

11) Some web applications (OS commerce, ZenCart etc.) check if its configure.php file is writable (since php is being executed with userid it should be), so it will complain that its writable. Please change the permissions to 444 via ssh. (chmod 444 /path/to/configure.php)

12) HTTP authentication via php code does not work. However you can continue to use it via .htaccess or password protected folder feature of the control panel.

13) If you use “AddType application/x-httpd-php” in .htaccess, it should be set to “AddHandler application/x-httpd-php”

Similarly if you are using ForceType in .htaccess to force a file to be treated as php, you will need to change it to SetHandler.