EasyApache 4 secure solution

[epaslv]

I am struggling to find a solution to a problem.

Using PHP I have written a script to check some security settings. The PHP file list all the accounts in the /home directory then scans through public_html folders, opens up config files and gets the username and password to the MySQL databases for other users, connect to MySQL etc. I guess you can then read all mail from other peoples accounts too.

I am trying to prevent any read access through PHP outside the accounts home.

However I have tried to provision all profiles as supplied by EasyApache but can stop the script from doing above?

I must be missing something big here? Any comments would help

 

[vacancy]

dso-suphp handler you using?

 

[ThinIce]

I do feel this could be better documented. By default (i.e without a jail) as you have seen, the basic operating system file permissions are king. I've not played with it for a while (so may be talking out of my arse) but If you are jailing each user with cPanel jailshell and virtualhosts with apache mod_ruid2, you would then want to run php as dso per the below documents

Tweak Settings - Security - Documentation - cPanel Documentation.

Apache Module: ModRuid2 - EasyApache - cPanel Documentation

Vanessa may or may not be along soon to point out that some jails are superior to others and cloudlinux cagefs might be a thing you want to look at...

 

[cPanelMichael]

Hello,

The previous post offers some helpful information on this topic. Feel free to let us know the current PHP handler you are using if you would like additional advice:

/usr/local/cpanel/bin/rebuild_phpconf --current

Also, you may find this document helpful:

Symlink Race Condition Protection - EasyApache - cPanel Documentation

Thank you.