PHP suEXEC Support

[asmithjr]

ok I admit, I have a server that is not using PHP suEXEC Support


I want to enable it but am concerned because I have over 100 sites on the server functioning ok. WOW but a lot of directories and files with 777 permissions.

find /home -perm 777 -type d
find /home -perm 777 -type f

Should I enable PHP suEXEC Support then

find . -perm 777 -exec chmod 755 {} \;

Is this wise or is it better to leave well enough alone?

[brianoz]

I'd email your users first, but there's nothing wrong with that as an idea.

You may also want to ensure the directory is owned by the correct user, as if they created the directory from a script it'll be owned by nobody and they'll end up with no access to it at all.

[chirpy]

Perhaps a safer way WRT ownerships and some of the permissions is to run:

/scripts/chownpublichtmls

[brianoz]

/scripts/chownpublichtmls effectively chowns the public_html directories to the user's userid and group. However, the group on these directories is normally nobody with read permission only to group, viz:

drwxr-x--- 5 winegl nobody 4096 Oct 5 11:35 winegl/public_html/
drwxr-x--- 5 wisemon nobody 4096 Dec 8 13:48 wisemon/public_html/

Apache runs as nobody, so wouldn't the ownership changes by that script totally prevent it accessing these directories? and thus prevent access to all user webpages? Or am I missing something?

[Izzee]

The exception is /home/user/public_html which remains user:nobody with 0701 permissions.
The script changes the remaing files and directories to user:user if they had nobody anywhere in the permissions and changes any 0777 permissions to 0755.

Here is an idea of what happens when running the script:

# /scripts/chownpublichtmls
Chowning user....Done
Chowning user....Done
(repeats the above response for every user in /home/user/
Setting /home permissions to 0711......Done
Setting permissions for.....user...user...(continues for every user).....Done
#

Thats it.

[brianoz]

D'Oh ... sorry, for some reason I failed to see the last line of the script, which puts back the correct group on the public_html directories ... so no problem with using the script. Apologies for the aspersions Chirpy!

[asmithjr]

Thanks for the posts.

Now to get up the nerv to "Hit the Return Key".

Last thing we need is a lot of issues.

Anyone have an idea of how to backout if there are really bad issues? Or is the feeling that this is not going to cause that much trouble if I use the # /scripts/chownpublichtmls

[jackie46]

Anyone have an idea of how to backout if there are really bad issues? Or is the feeling that this is not going to cause that much trouble if I use the # /scripts/chownpublichtmls

It doesnt matter if you back out. All files should be owned by user.user anyway so if you remove phpsuexec those perms should work properly.

[brianoz]

It's safe, it's an official cpanel script AND it's recommended by the Chirpy - can't get better than that!

[PDM]

Will enabling suexec break scripts sending mail using this php code format?

PHP Code:

/* To send HTML mail, you can set the Content-type header. */
$headers  = "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
$headers .= "X-Priority: 1\n";
$headers .= "X-MSMail-Priority: High\n";
$headers .= "X-Mailer: php\n";
$headers .= "From: \"".$senderfirstname."\" \"".$senderlastname."\" <".$senderemail.">\n";

if ($toemail != "") 
mail($toemail, $subject, $message, $headers); 


[te2586]

I've also seen it mentioned and in error logs, that switching a server over to phpsuexec breaks scripts that set php values in their .htaccess files. Does anyone know if there's an easy way around that or will I have to search out the htaccess files that make use of the php variable reassignments?

[myusername]

You can search for them, or maybe better yet wait for your user to submit a ticket on it and explain to them how to fix it. Eventually they are going to ask anyways...it is likely that a lot of the php values and flags you find are not being used anyway. Probably not worth doing it by hand unless you can come up with a one-liner for it.

[PDM]

If I enable php suexec and recompile Apache with it how would I back out.

Restore httpd.conf and restart apache?

[myusername]

Yes, or just use /scripts/easyapache or whm and uncheck the php suexec option.

[Izzee]

I just need to correct some possible errors.

1.
@Albert

find /home -perm 777 -type d
find /home -perm 777 -type f

Should I enable PHP suEXEC Support then

find . -perm 777 -exec chmod 755 {} \;

find . -perm 777 -exec chmod 755 {} \;

Should this not be?:

find /home -perm 777 -exec chmod 755 {} \;

as find . is looking for directories with a .name extension, it seems.

Example after running (but stopping quickly) the original command:
chmod: failed to get attributes of `./etc/rc.d/rc0.d/K25sshd-keygen': No such file or directory
chmod: failed to get attributes of `./etc/rc.d/rc0.d/K85courier-authlib': No such file or directory
chmod: failed to get attributes of `./etc/rc.d/rc0.d/K30courier-imap': No such file or directory
ETC. ETC.

2.

The script changes the remaining files and directories to user:user if they had nobody anywhere in the permissions and changes any 0777 permissions to 0755.

I checked several of my clients with known php scripts running and found many directories with 0777 permissions and a couple of files. This was after running:
/scripts/chownpublichtmls

So my conclusion is that the above script does not chmod 0777 to 0755 as I stated in my previous post above.

I used Albert's find /home to see which files and directories were wrong and then issued:
find /home -perm 777 -exec chmod 755 {} \;

Then I checked again with the find /home command and all seemed to be have been changed as expected.