andy, Sunday, 04 August 2019
The above question is simplified. The real questions below, at the end, are much more complex. Note I don't have a Linux server handy, so I am relying on documentation, hence these questions.

Background

On other servers (and maybe CloudLinux) Apache runs as the user apache (or nobody).

If using mod_php (or one of the other PHP handlers without suexec or equivalent), all PHP files are executed as the user apache, and this has security ramifications, as in a non-caged system the user is able to read other users' files etc. However, the user's own files cannot be overwritten or deleted, or a file added, if the permissions don't allow it. This has saved me on occasion when a hacker has managed to exploit a bug and tried to modify one of my website's files or add a file to a protected directory.

The use of other PHP handlers with suexec or equivalent means the Apache process effectively runs as the user and hence can't read other users' files etc. if their permissions don't allow it. However, any hacker that succeeds in exploiting a bug can modify the user's own files.

For CloudLinux, use of the CageFS system prevents users from seeing other users' files. Thus, simplistically, it seems that if you're running CageFS there is no need for Apache to run as the user, and by running Apache as the user apache you gain an extra layer of protection if your file and directory permissions are set appropriately.

Modifications needed to run apache as apache

The following is based on using the mod_lsapi php handler.

1) According to the documentation for mod_lsapi (https://docs.cloudlinux.com/apache_mod_lsapi), this can be achieved for PHP files by modifying the default lsapi.conf as follows (note this hasn't been tested and may be incorrect):

lsapi_use_suexec off

#the following may be necessary for this to work
lsapi_check_document_root off


2) For CGI files (which I don't use), switch suexec off as follows:

a) For cpanel https://help.myhosting.com/hc/en-us/articles/360002392424--cPanel-Enable-or-Disable-Apache-suEXEC-and-suPHP.

b) Otherwise, modify the virtual host configurations in vhost.conf or equivalent by disabling the SuexecUserGroup directive. (ServerAlias takes hostnames, not URLs, so the alias is written without the http:// scheme.)

<VirtualHost *:80>
    DocumentRoot "/home/example/public_html"
    ServerName example.com
    ServerAlias www.example.com
    #SuexecUserGroup example example
    ...
</VirtualHost>


3) Finally, change the ownership and permissions of the files and directories that need to be read (or written) so that apache can read (or write to) them and, in the case of CGI files, execute them. You can do this by adding the needed permissions for the apache group and changing the group of the file to the apache group. The apache group may be "apache" or "nobody" depending on the server.

For example, for the user "owner" and the group "apache", set the file permissions as follows (name, owner, group, mode).

NB I realise that most of the people reading this forum are experts but this is for the odd novice.

a) For files that need the read permission, such as exampleFile.php:

    exampleFile.php        owner apache rw-r-----

b) For CGI files that need the execute permission, such as exampleFile.cgi:

    exampleFile.cgi        owner apache rwxr-x---

c) For directories that need the read permission, such as exampleDirectory:

    exampleDirectory       owner apache rwxr-x---

d) For directories that need the write permission, such as the following example uploadImageDirectory:

    uploadImageDirectory   owner apache rwxrwx---

e) For files in the uploadImageDirectory that need the write permission, such as uploadedImage.jpg:

    uploadedImage.jpg      owner apache rw-rw----

Questions

1) Do the above changes work or are other changes necessary to make them work as intended?

With the above changes (and anything extra to make them work as intended):

2) Does CageFS still work for PHP scripts (documentation https://docs.cloudlinux.com/cagefs unclear)?
3) Does CageFS still work for CGI scripts?
4) Does LVE still work for PHP scripts (documentation https://docs.cloudlinux.com/limits/#compatibility-matrix unclear)?
5) Does LVE still work for CGI scripts (this could be connected: https://www.cloudlinux.com/forum/forum18/lsapi-cagefs-no-suexec#reply-8443)?

Thanks for your consideration of these questions.

Cheers
Andy
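The permission scheme from step 3 of the post above, applied and then verified, as an added shell example. This is not code from Andy's post or from CloudLinux; the group name (WEB_GROUP, meant to be apache or nobody on a real server), the fallback to the caller's own primary group for an offline dry run, the function names and the sample document root are all assumptions made for the example. Beyond the five cases listed in the post, it also checks the property the post is relying on: after hardening, nothing under the document root is readable by "other".

```shell
#!/bin/sh
# Added example, not part of the original post: apply the step-3 permission
# scheme to a document root and verify that nothing is readable by "other".
# Assumptions (not from the page): the web server group is taken from WEB_GROUP
# (set WEB_GROUP=apache or WEB_GROUP=nobody on a real server); for an offline
# dry run it falls back to the caller's own primary group so chgrp succeeds.
set -eu

WEB_GROUP="${WEB_GROUP:-$(id -gn)}"

# apply_mode PATH OCTAL_MODE: hand the entry to the web group with that mode
apply_mode() {
    chgrp "$WEB_GROUP" "$1"
    chmod "$2" "$1"
}

# mode_of PATH: the 10-character symbolic mode, e.g. -rw-r-----
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# harden_docroot DOCROOT UPLOAD_DIR
#   directories            -> rwxr-x--- (0750)  apache may list/traverse
#   *.cgi                  -> rwxr-x--- (0750)  apache must execute these
#   other files            -> rw-r-----  (0640) apache may only read
#   UPLOAD_DIR             -> rwxrwx--- (0770)  apache may create files here
#   files under UPLOAD_DIR -> rw-rw----  (0660) apache may rewrite uploads
# The upload directory is processed last so its wider modes win.
harden_docroot() {
    hd_root=$1
    hd_upload=$2
    find "$hd_root" -type d | while IFS= read -r p; do apply_mode "$p" 0750; done
    find "$hd_root" -type f -name '*.cgi' | while IFS= read -r p; do apply_mode "$p" 0750; done
    find "$hd_root" -type f ! -name '*.cgi' | while IFS= read -r p; do apply_mode "$p" 0640; done
    find "$hd_upload" -type d | while IFS= read -r p; do apply_mode "$p" 0770; done
    find "$hd_upload" -type f | while IFS= read -r p; do apply_mode "$p" 0660; done
}

# count_other_readable DOCROOT: number of entries any other local user could
# read. After hardening this must be 0; otherwise the "extra layer" the post
# describes is not actually there.
count_other_readable() {
    find "$1" -perm -004 | wc -l | tr -d ' '
}

# make_sample_tree: build a constructed document root in a temp dir (sample
# data for this example only) with deliberately sloppy 777 modes, print its path
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/uploadImageDirectory" "$root/public_html/cgi-bin"
    echo '<?php echo "hi";' > "$root/public_html/exampleFile.php"
    printf '#!/bin/sh\necho ok\n' > "$root/public_html/cgi-bin/exampleFile.cgi"
    : > "$root/public_html/uploadImageDirectory/uploadedImage.jpg"
    chmod -R 777 "$root/public_html"
    echo "$root/public_html"
}

sample=$(make_sample_tree)
harden_docroot "$sample" "$sample/uploadImageDirectory"
for p in . exampleFile.php cgi-bin/exampleFile.cgi uploadImageDirectory uploadImageDirectory/uploadedImage.jpg; do
    printf '%s  %s\n' "$(mode_of "$sample/$p")" "$p"
done
echo "other-readable entries: $(count_other_readable "$sample")"
```

On a real server run it as the account owner with WEB_GROUP set to the group Apache actually runs under (check with ps or the Group directive in httpd.conf); the owner's home directory itself also needs at least --x for that group, or Apache cannot reach public_html at all.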
Sergey Khristich, 05.08.2019 15:08:23 (accepted answer):
Hello Andy! We are working on this issue.
Get back to you later with a response.
Thanks!
Kate Grechishkina, 05.08.2019 19:08:42 (accepted answer):
Hello,
When you set up PHP to run as the Apache user, CageFS will not work for these PHP users. The same is true for CGI scripts.
LVE will have limited support; for example, memory limits will not work, but other limits can be set up to work with mod_hostinglimits.
The following mod_hostinglimits directives will be required to set this up:
LVEId
LVEUser
--
https://docs.cloudlinux.com/limits/#directives