The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

phpsuexec and permissions

Discussion in 'General Discussion' started by web12, Apr 7, 2003.

  1. web12

    web12 Well-Known Member

    Joined:
    Nov 20, 2002
    Messages:
    240
    Likes Received:
    0
    Trophy Points:
    16
    Ok,

    I am getting tired of these un-routable mails coming back to me all the time now, so i think I am going to have to bite the bullet and install phpsuexec. I did it on a test server and quickly realised that permissions on php files need to be 755 and that file ownership should also be correct a la username.

    So, just wanted to confirm before I do this on a live server... should I just issue the command chmod -R 755 /home/*.php to take care of the file permission, and then if anyone comes back to me with errors after that, go through and chown the files in their domains with chown -R username:username /home/username ?

    Just really want to check before i do this.

    thanks
     
  2. mpierre

    mpierre Well-Known Member

    Joined:
    Jun 30, 2002
    Messages:
    196
    Likes Received:
    0
    Trophy Points:
    16
    Be careful, a few programs needs some config files to be 777, but use the php extension anyway...
     
  3. web12

    web12 Well-Known Member

    Joined:
    Nov 20, 2002
    Messages:
    240
    Likes Received:
    0
    Trophy Points:
    16
    Do you reckon the above would work then?

    I just want to be 100% sure before i do the deed.

    thanks
     
  4. dariofg2

    dariofg2 Well-Known Member

    Joined:
    Mar 7, 2003
    Messages:
    63
    Likes Received:
    0
    Trophy Points:
    6
    You should try:

    Code:
    find /home/*/public_html -name '*.php' -o -name '*.php[34]' -o -name '*.phtml' | xargs chmod -v 755
    -Dario
     
  5. web12

    web12 Well-Known Member

    Joined:
    Nov 20, 2002
    Messages:
    240
    Likes Received:
    0
    Trophy Points:
    16
    Hi Dario.
    Thanks for the reply. Could you explain the difference with doing it that way would make?

    thanks.
     
  6. dariofg2

    dariofg2 Well-Known Member

    Joined:
    Mar 7, 2003
    Messages:
    63
    Likes Received:
    0
    Trophy Points:
    6
    chmod -R 755 /home/*.php

    won't have the desired effect. Before running chmod, the shell will replace /home/*.php with files or directories that end in *.php directly inside /home, not below any subdirectories.

    The command I described also searches for other PHP file extensions, like .php3, .php4 and .phtml. xargs is used to speed things up.

    -Dario
     
  7. mpierre

    mpierre Well-Known Member

    Joined:
    Jun 30, 2002
    Messages:
    196
    Likes Received:
    0
    Trophy Points:
    16
    Wouldn't you be better with :

    find /home/*/public_html -name '*.php' -o -name '*.php[34]' -o -name '*.phtml' | xargs chmod -v a+x



    ???

    a+x will set the exectute flag, but unlike 755, it won't remove the write flag when needed...
     
  8. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    run

    /scripts/postsuexecinstall
    it will correct all suexec permission errors for 24 hours after its run right after they happen.
     
  9. mpierre

    mpierre Well-Known Member

    Joined:
    Jun 30, 2002
    Messages:
    196
    Likes Received:
    0
    Trophy Points:
    16
    No, it won't really fix the problem :

    here is an extract of the script :

    if($uid > 99 && $gid > 99) {
    print "Fixing permissions on $cgi....";
    chmod(0755,$cgi);
    print "Done\n";


    As you can see, it simply changes the permission to 0755, which doesn't fix the problem of scripts needing 777.

    Or 733 in some cases.
     
  10. mpierre

    mpierre Well-Known Member

    Joined:
    Jun 30, 2002
    Messages:
    196
    Likes Received:
    0
    Trophy Points:
    16
    Thought I must admit that it only changes scripts that have problems, since it reads from the suexec log scripts which causes an error.

    But it still causes 24 hours of nightmare !

    User tickets, etc...
     
  11. dariofg2

    dariofg2 Well-Known Member

    Joined:
    Mar 7, 2003
    Messages:
    63
    Likes Received:
    0
    Trophy Points:
    6
    I agree. You will get 24 hours of support tickets!

    As for setting 755 instead of a+x, universal write permissions on scripts make suexec error out.

    There is the problem of scripts running from directories with universal write permissions set. You would need a more complicated shell script to fix those, or rely on /scripts/postsuexecinstall...

    -Dario
     
  12. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    suexec isn't going to run a script with 777. You shouldn't need 777 if you are running suexec.
     
  13. mpierre

    mpierre Well-Known Member

    Joined:
    Jun 30, 2002
    Messages:
    196
    Likes Received:
    0
    Trophy Points:
    16
    You are right, I don't need 777.

    90% of the php will be 755
    10% will be 733.

    however, those who will be 777, will be used for reading and writing, not for executing.

    As such, setting the exec flag will do no harm, right ?
     
  14. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    You shouldn't need 733 (rwx,wx,wx) either. You should never have the write bit in the world field. If you are using suexec things run with the user's uid so they can read/write to files that are 755/700 etc
     
  15. mpierre

    mpierre Well-Known Member

    Joined:
    Jun 30, 2002
    Messages:
    196
    Likes Received:
    0
    Trophy Points:
    16
    Oops...

    I didn't mean X+W

    I meant W+R !!!

    Sorry for the confusion...

    But indeed. if the file is 755, it should be read but only after the change for Suexec...
     
  16. mpierre

    mpierre Well-Known Member

    Joined:
    Jun 30, 2002
    Messages:
    196
    Likes Received:
    0
    Trophy Points:
    16
    BTW, it there an easy way to change the ownership of all the files ???

    I have, in the past, uploaded a few PHP files as ROOT, for a few users.

    I guess I will have to chown every user directory recursivly...
     
  17. web12

    web12 Well-Known Member

    Joined:
    Nov 20, 2002
    Messages:
    240
    Likes Received:
    0
    Trophy Points:
    16
    wow. with so much uncertainty on this, has anyone actually integrated phpsuexec without any problems yet?

    The last thing I need is to go into this blind.
     
  18. web12

    web12 Well-Known Member

    Joined:
    Nov 20, 2002
    Messages:
    240
    Likes Received:
    0
    Trophy Points:
    16
    Heres a weird one.

    I did as previously instructed and bit the bullet and installed phpsuexec on one of the live servers... but now when i go to an oscommerce site I have this across the top of the page:-

    Warning: I am able to write to the configuration file: /home/domain/public_html/shop/includes/configure.php. This is a potential security risk - please set the right user permissions on this file.

    Any ideas what I should do with this?
     
  19. web12

    web12 Well-Known Member

    Joined:
    Nov 20, 2002
    Messages:
    240
    Likes Received:
    0
    Trophy Points:
    16
    done that already, the message is still there, highlighted in red and at the very top of the page.
     
  20. web12

    web12 Well-Known Member

    Joined:
    Nov 20, 2002
    Messages:
    240
    Likes Received:
    0
    Trophy Points:
    16
    I see another problem with this...

    What happens when somebody uses the feature in Cpanel to install oscommerce or Invisionboard... it will come up with a bunch of errors.. right?

    If the postsuexec script only runs for 24 hours, whats left to do then? This also applies to installers like fantastico also.
     
Loading...

Share This Page