# suPHP vs FPM security issues



## Fleshdoom (Jun 3, 2013)

Hi, a serious doubt has come into my mind. One of suphp's security issues is that Apache, in order to use PHP under certain privileges, launches a wrapper as root, and then this wrapper changes its UID to the intended one. So an attacker that takes control of the wrapper before it changes its UID may deal serious damage to the system.

So...

How does PHP-FPM generate per-pool processes? From a brief look at the source, especially fpm_worker_pool.h and fpm_unix.c, it seems that the FPM master process does a similar thing: the FPM master process, as root, forks itself and then calls setuid with the UID given in the configuration file. Many sites say that FPM is more secure than suphp, but at this time it seems they share a similar structural problem. If I understood this correctly, does FPM have the same security issues as suphp, or is there something that I am missing?

Regards


----------
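The fork-then-setuid sequence described in the post above, as an added example that is not part of the thread and is not PHP-FPM or suPHP source code. It shows the order of the drop (supplementary groups, then GID, then UID) and a check that root cannot be regained; the names `drop_privileges`, `run_as`, `untrusted_job` and `DROP_FAILED` are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* exposes setgroups() in glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define DROP_FAILED 111 /* hypothetical exit code: child could not drop privileges */
/* Irreversibly switch the calling process to uid/gid. Returns 0 on success. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be changed while still root, so reset
       them first; a non-root caller cannot (and need not) do this. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    /* Group before user: once the UID is dropped, setgid() is no longer allowed. */
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* Verify the result and that root cannot be regained via a saved UID. */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return -1;
    return 0;
}

/* Fork a worker, drop privileges in the child only, then run job().
   Returns the child's exit status, or -1 on fork/wait error. */
static int run_as(uid_t uid, gid_t gid, int (*job)(void))
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Code reached before this call still runs with the parent's privileges. */
        if (drop_privileges(uid, gid) != 0) _exit(DROP_FAILED);
        _exit(job()); /* only now is untrusted work allowed to start */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

static int untrusted_job(void) { return 0; } /* stands in for running PHP code */

int main(void)
{
    /* Constructed demo: target the current IDs so it also runs without root. */
    int rc = run_as(getuid(), getgid(), untrusted_job);
    printf("worker exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The child exits with `DROP_FAILED` instead of running the job whenever any step of the drop or its verification fails, so a worker never continues with more privilege than requested.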



## chatwizrd (Jun 3, 2013)

suphp isn't even being supported anymore, so you might as well switch to something else.


----------

