phpsuexec and permissions

[web12]

Ok,

I am getting tired of these un-routable mails coming back to me all the time now, so i think I am going to have to bite the bullet and install phpsuexec. I did it on a test server and quickly realised that permissions on php files need to be 755 and that file ownership should also be correct a la username.

So, just wanted to confirm before I do this on a live server... should I just issue the command chmod -R 755 /home/*.php to take care of the file permission, and then if anyone comes back to me with errors after that, go through and chown the files in their domains with chown -R username:username /home/username ?

Just really want to check before i do this.

thanks

[mpierre]

Be careful, a few programs needs some config files to be 777, but use the php extension anyway...

[web12]

Do you reckon the above would work then?

I just want to be 100% sure before i do the deed.

thanks

[dariofg2]

You should try:

Code:

find /home/*/public_html -name '*.php' -o -name '*.php[34]' -o -name '*.phtml' | xargs chmod -v 755

-Dario

[web12]

Hi Dario.
Thanks for the reply. Could you explain the difference with doing it that way would make?

thanks.

[dariofg2]

chmod -R 755 /home/*.php

won't have the desired effect. Before running chmod, the shell will replace /home/*.php with files or directories that end in *.php directly inside /home, not below any subdirectories.

The command I described also searches for other PHP file extensions, like .php3, .php4 and .phtml. xargs is used to speed things up.

-Dario

[mpierre]

Wouldn't you be better with :

find /home/*/public_html -name '*.php' -o -name '*.php[34]' -o -name '*.phtml' | xargs chmod -v a+x



???

a+x will set the exectute flag, but unlike 755, it won't remove the write flag when needed...

[cpanelnick]

run

/scripts/postsuexecinstall
it will correct all suexec permission errors for 24 hours after its run right after they happen.

[mpierre]

Originally posted by bdraco
run

/scripts/postsuexecinstall
it will correct all suexec permission errors for 24 hours after its run right after they happen.

No, it won't really fix the problem :

here is an extract of the script :

if($uid > 99 && $gid > 99) {
print "Fixing permissions on $cgi....";
chmod(0755,$cgi);
print "Done\n";


As you can see, it simply changes the permission to 0755, which doesn't fix the problem of scripts needing 777.

Or 733 in some cases.

[mpierre]

Thought I must admit that it only changes scripts that have problems, since it reads from the suexec log scripts which causes an error.

But it still causes 24 hours of nightmare !

User tickets, etc...

[dariofg2]

I agree. You will get 24 hours of support tickets!

As for setting 755 instead of a+x, universal write permissions on scripts make suexec error out.

There is the problem of scripts running from directories with universal write permissions set. You would need a more complicated shell script to fix those, or rely on /scripts/postsuexecinstall...

-Dario

[cpanelnick]

Originally posted by mpierre
No, it won't really fix the problem :

here is an extract of the script :

if($uid > 99 && $gid > 99) {
print "Fixing permissions on $cgi....";
chmod(0755,$cgi);
print "Done\n";


As you can see, it simply changes the permission to 0755, which doesn't fix the problem of scripts needing 777.

Or 733 in some cases.

suexec isn't going to run a script with 777. You shouldn't need 777 if you are running suexec.

[mpierre]

You are right, I don't need 777.

90% of the php will be 755
10% will be 733.

however, those who will be 777, will be used for reading and writing, not for executing.

As such, setting the exec flag will do no harm, right ?

[cpanelnick]

Originally posted by mpierre
You are right, I don't need 777.

90% of the php will be 755
10% will be 733.

however, those who will be 777, will be used for reading and writing, not for executing.

As such, setting the exec flag will do no harm, right ?

You shouldn't need 733 (rwx,wx,wx) either. You should never have the write bit in the world field. If you are using suexec things run with the user's uid so they can read/write to files that are 755/700 etc

[mpierre]

Oops...

I didn't mean X+W

I meant W+R !!!

Sorry for the confusion...

But indeed. if the file is 755, it should be read but only after the change for Suexec...