CPPHP security

Discussion in 'cPanel Developers' started by djbob2, Oct 7, 2009.

  1. djbob2

    djbob2 Well-Known Member

    Hello,

    It looks like CPPHP is running under suPHP, phpSuexec, or a similar module. This causes each CPPHP page to run under the user accessing cPanel. This requires all PHP files run in cPanel to have high permission levels for all users, enabling those files to be read by any user. Is there any way to securely log in to a database from CPPHP without allowing users to see the database password simply by accessing the file?

    Thanks,
    djbob
     
  2. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    All requests in cPanel that do not go through our AdminBin system are executed as the logged in user. There is no way to change this.

    There is no way to make PHP files executed by cPanel to run as other than the logged in user.

    At this time there is no consideration for changing the security model.
     
  3. MattDees

    MattDees cPanel Product Owner
    Staff Member

    You can set up a setuid binary to handle escalated requests. However, this must use very strong validation and restrict appropriately.
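
The validation such a setuid helper needs, as an added example that is not part of the thread and is not cPanel code: the unprivileged PHP page passes an action and one argument, and the helper accepts only allow-listed actions, a strict argument character set, a fixed environment, and the caller's real UID as identity. The action names, the argument format and the root-only credentials file are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>

extern char **environ;

/* Hypothetical action names: the only requests this helper will serve. */
static const char *const ALLOWED[] = { "get_quota", "list_tickets" };

/* Returns 1 only if the action is on the fixed allow-list. */
int action_allowed(const char *action) {
    if (action == NULL) return 0;
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (strcmp(action, ALLOWED[i]) == 0) return 1;
    return 0;
}

/* Returns 1 only for 1 to 32 characters from [a-z0-9_]. */
int arg_valid(const char *arg) {
    if (arg == NULL) return 0;
    size_t n = strlen(arg);
    if (n == 0 || n > 32) return 0;
    for (size_t i = 0; i < n; i++) {
        char c = arg[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '_';
        if (!ok) return 0;
    }
    return 1;
}

int main(int argc, char **argv) {
    /* Replace the caller-controlled environment with a fixed one. */
    static char *clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    environ = clean_env;

    if (argc != 3 || !action_allowed(argv[1]) || !arg_valid(argv[2])) {
        fputs("request rejected\n", stderr);
        return 2;
    }
    /* Take the caller's identity from the real UID, never from input. */
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL) return 3;

    /* The privileged step goes here: read the credentials file (assumed
       root-owned, mode 0600), run the fixed query for this account, and
       print back only the result, never the password. */
    printf("ok: %s(%s) for %s\n", argv[1], argv[2], pw->pw_name);
    return 0;
}
```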
     