Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Do I need suEXEC?

Discussion in 'Security' started by GoWilkes, May 21, 2014.

  1. GoWilkes

    GoWilkes Well-Known Member

    Joined:
    Sep 26, 2006
    Messages:
    400
    Likes Received:
    5
    Trophy Points:
    168
    cPanel Access Level:
    Root Administrator
    This is probably a tricky one to answer, but I can't find any real info on Google.

    I've run in to a minor limitation caused by suEXEC, in that it doesn't allow me to change the permission of my CGI-BIN to 775 or 777. This isn't critical to my project, but would definitely help simplify things; with suEXEC, I'll have copies of the same script in multiple accounts, and if I make a change then I have to go change each copy manually.

    So, the questions are:

    1. Do I even need suEXEC? Every account on the server belongs to me, so security isn't a big issue; if they're logged in as me, they have root access, anyway.

    2. If it's really important, is there a way to get around suEXEC's requirement that the CGI-BIN not be writable by others?
     
    #1 GoWilkes, May 21, 2014
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,704
    Likes Received:
    1,883
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello :)

    I have moved this thread into the "Security" forum so you may receive more user-feedback. The following document provides some general information on suEXEC:

    Enable or Disable Apache suEXEC

    You mentioned that security is not a big issue because you operate every account, but one possibility to consider is that one account gets hacked at some point. Thus, it could lead to the other accounts getting hacked.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 cPanelMichael, May 22, 2014
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,010
    Likes Received:
    87
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    Most people don't have to worry about suexec too much, but in general I do use it for both ease of use and security.

    Most permissions issues regarding world write etc are caused by SuPHP not SuExec. I'm not aware of any permissions restrictions with suexec.

    If you're using SuPHP, you can edit the conf to allow 775 or 777 but it's really rare to need that. If you run SuPHP and SuExec you can usually leave everything 755 (dir) and 644 (file) owned by the proper cPanel account.

    Options are in /opt/suphp/etc/suphp.conf

    Code:
    ; Security options
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false
    If you really needed to allow a directory to operate as 775 or 777 you could set allow_directory_group_writeable and possibly allow_directory_others_writeable to true. Not recommended but it is possible.
     
    #3 quizknows, May 22, 2014
    Last edited: May 22, 2014
  4. GoWilkes

    GoWilkes Well-Known Member

    Joined:
    Sep 26, 2006
    Messages:
    400
    Likes Received:
    5
    Trophy Points:
    168
    cPanel Access Level:
    Root Administrator
    This is my first time really dealing with suEXEC or suPHP, but I read it here:

    14. Is the directory NOT writable by anyone else?
    We don't want to open up the directory to others; only the owner user may be able to alter this directories contents.

    suEXEC Support - Apache HTTP Server Version 2.2

    I'm specifically dealing with the CGI-BIN. If I change the permission to anything other than 755, the CGI scripts break, and an error shows up in suexec_log that says:

    Code:
    [2014-05-21 05:03:56]: file is writable by others: (/home/example/public_html/cgi-bin/whatever.cgi)
    With this being the CGI-BIN instead of PHP files, would editing suPHP still be relevant?


    I only allow SSH access via root, and limit both SSH and FTP access to my IP range /16 (123.45.67.x). Am I correct in assuming that, for the most part, this eliminates the majority of that concern?
     
    #4 GoWilkes, May 22, 2014
  5. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,010
    Likes Received:
    87
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    Interesting, I don't work with CGI stuff too much so you might need help elsewhere on that (or consult docs). Still, 755 should work just fine since if it's executed as the user ID there's no reason other IDs should need write access in normal usage cases. Allowing accounts to write to each other is obviously ill advised.

    Regarding security, while what you're doing are excellent precautions, none of it is really relevant from a webapp perspective; it only takes one out-dated CMS or component for someone to get access to an account. Depending on the rest of the security settings on the server, they may be able to access other accounts too.
     
    #5 quizknows, May 23, 2014
    Last edited: May 23, 2014
(You must log in or sign up to post here.)
Loading...
Similar Threads - need suEXEC
  1. Lokesvararaja

    Need Help To Setup Tomcat With Easy Apache 4 Experimental

    Lokesvararaja, Sep 6, 2018, in forum: EasyApache
    Replies:
    2
    Views:
    85
    Lokesvararaja
    Sep 6, 2018
  2. kevin casanova

    Need autoresponder

    kevin casanova, Aug 24, 2018, in forum: General Discussion
    Replies:
    1
    Views:
    52
    cPanelMichael
    Aug 27, 2018
  3. MediaServe

    Internal forwarding only option needed

    MediaServe, Aug 22, 2018, in forum: E-mail Discussion
    Replies:
    8
    Views:
    128
    sparek-3
    Aug 23, 2018
  4. Edwin Huijsing

    information needed for .cpanel.yml

    Edwin Huijsing, Aug 20, 2018, in forum: General Discussion
    Replies:
    2
    Views:
    168
    Edwin Huijsing
    Aug 22, 2018
  5. DesFire

    Quota issue: does it need to be enabled in all partitions?

    DesFire, Aug 13, 2018, in forum: General Discussion
    Replies:
    3
    Views:
    83
    cPanelLauren
    Aug 14, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice