LSWS CGI/FastCGI/LSAPI/PHP SuEXEC
What is SuEXEC?
SuEXEC is a feature that allow LiteSpeed Web Server run CGI/FastCGI/LSAPI/PHP/Ruby or any external web applications under a UID (user id) other then the UID of the web server process.
Why SuEXEC CGI/FastCGI/LSAPI/PHP?
SuExec usage reduces the risk of exploited Cross-site scripting (XSS) vulnerabilities when permissions are set correctly. It also prevents one user from accessing another user's files in a shared hosting environment.
How to use SuEXEC
Enable SuEXEC within LiteSpeed server is very easy and applicable to most applications including CGI, FastCGI, LSAPI, PHP, Python, RubyOnRails and any other web application started by LiteSpeed server. Just follow these steps below to enable SuEXEC.
- Create a virtual host.
- Set “CGI Set UID Mode” to “Docroot UID”
- Add your web application under “External Apps” tab.
- Set “Script Handler” if the application is to handle scripts with specific suffix like “.php”
- Add a “Context” if the application is to handle a specific request URI.
- Make sure the ownership of document root of the virtual host has been set properly. Privileged user with user ID below “Minimum UID” is not allowed.
- Restart LiteSpeed server.
Example: PHP SuEXEC
To run PHP in SuEXEC mode, first, you need to define a virtual host level lsphp application similar to the pre-configured global lsphp application. Make sure to use a different “name” and “Address”, such as using $VH_NAME as prefix. After that, you need to override the global PHP script handler by adding a virtual host level one. “Script Handler” configuration is under the “General” tab of that virtual host configuration.