PHP dso + suEXEC still runs as Nobody

[hn1717]

Hi Everyone.

I've been extensively researching this issue. I have several dedicated servers running cpanel, so I can compare the configuration, but somehow I can't figure this out, so if somebody can help I'd appreciate.

Issue: On my newest server, running RedHat, lastest cpanel, I noticed that php is running as nobody. I've compiled a few times, to get GD and all other things I need on.

I've read in many places, that I need to have Mod SuPHP so it runs as the account user name, and that's more secure, that's all fine.

My questions is though: I have at least 2 other servers, that I'm looking at the configuration here, and they're both not running suPHP, not running CGI, they're both running DSO and suEXEC is on, and they run as each account's username, instead of nobody. Why can't I get the same thing on this new server?

Is it a new easyApache or something and now, the only way to avoid running as nobody is to add this suPHP?

Does someone knows why it was possible before?

What am I missing here?

I'd appreciate anyone that could help me. Thank you!

[cPanelDon]

Hi Everyone.

I've been extensively researching this issue. I have several dedicated servers running cpanel, so I can compare the configuration, but somehow I can't figure this out, so if somebody can help I'd appreciate.

Issue: On my newest server, running RedHat, lastest cpanel, I noticed that php is running as nobody. I've compiled a few times, to get GD and all other things I need on.

I've read in many places, that I need to have Mod SuPHP so it runs as the account user name, and that's more secure, that's all fine.

My questions is though: I have at least 2 other servers, that I'm looking at the configuration here, and they're both not running suPHP, not running CGI, they're both running DSO and suEXEC is on, and they run as each account's username, instead of nobody. Why can't I get the same thing on this new server?

Is it a new easyApache or something and now, the only way to avoid running as nobody is to add this suPHP?

Does someone knows why it was possible before?

What am I missing here?

I'd appreciate anyone that could help me. Thank you!

I recommend using the following command to verify if the PHP handler is actually configured as SuPHP and to verify if SuExec is also enabled:

Code:

# /usr/local/cpanel/bin/rebuild_phpconf --current

Without direct access to the other systems it is impossible to know exactly what is taking place to trigger the behavior described using DSO.

What exact method is being used to determine that things run as the applicable user accounts instead of as a shared system user ("nobody")?

What are the exact processes being seen that are running as the individual user accounts?

[Spiral]

My questions is though: I have at least 2 other servers, that I'm looking at the configuration here, and they're both not running suPHP, not running CGI, they're both running DSO and suEXEC is on, and they run as each account's username, instead of nobody. Why can't I get the same thing on this new server?

What you describe is not possible unless you are running multiple instances of Apache each configured to chroot to the respective account logins which would use an enormous amount of resources and being impractical on anything other than a basic single site LAMP server.

Outside of that, sounds like you might be misunderstanding your configuration and thinking that it is something which it is not ....

phpSuExec (cgi) and SuPHP are both means to execute PHP scripts under the effective ID of the owner of the script being executed.

DSO based PHP does not change user ID so you would be running all PHP scripts as the user your Apache web server is running as which is almost always "nobody" and sometimes more rarely "apache".

Now one place to easily get confused is "SuExec" (not to be confused with phpSuExec) which is what allows standard CGI scripts (usually Perl based) to be executed as the effective ID of the owner of the script so it does for Perl what phpSuExec or SuPHP each do for PHP scripts.

Hope that clears things up a bit ....

Back to your underlying questions though, SuPHP would be the most ideal choice in terms of security and allowing scripts to run as the user owning the script instead of the Apache web server account user.