The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

PHP dso + suEXEC still runs as Nobody

Discussion in 'Security' started by hn1717, Dec 30, 2009.

  1. hn1717

    hn1717 Registered

    Joined:
    Apr 24, 2007
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Hi Everyone.

    I've been extensively researching this issue. I have several dedicated servers running cpanel, so I can compare the configuration, but somehow I can't figure this out, so if somebody can help I'd appreciate.

    Issue: On my newest server, running RedHat, lastest cpanel, I noticed that php is running as nobody. I've compiled a few times, to get GD and all other things I need on.

    I've read in many places, that I need to have Mod SuPHP so it runs as the account user name, and that's more secure, that's all fine.

    My questions is though: I have at least 2 other servers, that I'm looking at the configuration here, and they're both not running suPHP, not running CGI, they're both running DSO and suEXEC is on, and they run as each account's username, instead of nobody. Why can't I get the same thing on this new server?

    Is it a new easyApache or something and now, the only way to avoid running as nobody is to add this suPHP?

    Does someone knows why it was possible before?

    What am I missing here?

    I'd appreciate anyone that could help me. Thank you!
     
  2. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    I recommend using the following command to verify if the PHP handler is actually configured as SuPHP and to verify if SuExec is also enabled:
    Code:
    # /usr/local/cpanel/bin/rebuild_phpconf --current
    Without direct access to the other systems it is impossible to know exactly what is taking place to trigger the behavior described using DSO.

    What exact method is being used to determine that things run as the applicable user accounts instead of as a shared system user ("nobody")?

    What are the exact processes being seen that are running as the individual user accounts?
     
  3. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    What you describe is not possible unless you are running multiple instances of Apache each configured to chroot to the respective account logins which would use an enormous amount of resources and being impractical on anything other than a basic single site LAMP server.

    Outside of that, sounds like you might be misunderstanding your configuration and thinking that it is something which it is not ....

    phpSuExec (cgi) and SuPHP are both means to execute PHP scripts under the effective ID of the owner of the script being executed.

    DSO based PHP does not change user ID so you would be running all PHP scripts as the user your Apache web server is running as which is almost always "nobody" and sometimes more rarely "apache".

    Now one place to easily get confused is "SuExec" (not to be confused with phpSuExec) which is what allows standard CGI scripts (usually Perl based) to be executed as the effective ID of the owner of the script so it does for Perl what phpSuExec or SuPHP each do for PHP scripts.

    Hope that clears things up a bit ....

    Back to your underlying questions though, SuPHP would be the most ideal choice in terms of security and allowing scripts to run as the user owning the script instead of the Apache web server account user.
     
Loading...

Share This Page