Recommended PHP files owner for non-DSO

Discussion in 'Security' started by rinkleton, Oct 20, 2016.

  1. rinkleton

    rinkleton Well-Known Member

    So I'm finally upgrading from DSO (to mod_lsapi). One of the nice things about DSO is that php files are owned by the account but php runs as 'nobody', which means if a php file becomes compromised (bad enough on its own) it can't delete all the other php files or write something malicious to them.

    So with a php handler that runs php as the account owner, is it recommended to have the owner of php files be other than the account owner? Assuming all other normal security measures are met and the sites are well written, is this even something to worry about?
     
  2. cPMelaniel

    cPMelaniel Technical Analyst Supervisor
    Staff Member

    Security wise, it is likely better practice to have the PHP file owned by the user rather than nobody. While I understand the matter of scripts run as nobody being limited, if you are using CloudLinux then you have actually already resolved this by putting the users in a caged environment.

    While not enabled by default, lsapi also offers an option called "lsapi_target_perm":
    CloudLinux Documentation

    "Check target PHP script permissions. If set to On, lsapi will check that script is owned by the same user, as user under which it is being executed. Return 503 error if they don't match."

    I'd probably go with throwing the users in cageFS, setting up the scripts to be owned by the user, and enforcing lsapi_target_perm. However you may want to review this further with your current needs and usage.
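    An added example, not code from the thread, cPanel or CloudLinux: it runs the same ownership condition lsapi_target_perm enforces per request as an offline audit over a document root, so an admin can see which scripts would start returning 503 before enabling the option, and also lists PHP files writable by other local users. It assumes a find(1) that accepts a numeric uid for -user and symbolic -perm (GNU and BSD do); the paths in the usage comment are placeholders.

    ```shell
    #!/bin/sh
    # Offline counterpart of lsapi_target_perm (example code, not CloudLinux's).
    # Usage: audit_php_owner /home/ACCOUNT/public_html ACCOUNT

    # PHP files under $1 not owned by user $2: exactly what lsapi_target_perm
    # rejects with a 503 when it is enabled.
    php_owner_mismatches() {
        find "$1" -type f -name '*.php' ! -user "$2"
    }

    # PHP files under $1 that any local user can modify. With PHP running as the
    # account, this is the one ownership/permission state worse than the account
    # simply owning its own scripts.
    php_world_writable() {
        find "$1" -type f -name '*.php' -perm -o+w
    }

    # Prints findings; returns 0 when the docroot is clean, 1 when anything was found.
    audit_php_owner() {
        docroot=$1
        user=$2
        rc=0
        mism=$(php_owner_mismatches "$docroot" "$user")
        if [ -n "$mism" ]; then
            printf 'OWNER MISMATCH (lsapi_target_perm would return 503, expected owner %s):\n%s\n' "$user" "$mism"
            rc=1
        fi
        ww=$(php_world_writable "$docroot")
        if [ -n "$ww" ]; then
            printf 'WORLD WRITABLE:\n%s\n' "$ww"
            rc=1
        fi
        return "$rc"
    }
    ```

    Run it as root against each account before flipping lsapi_target_perm on; a clean account is one where the audit prints nothing and exits 0.
    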
     
  3. rinkleton

    rinkleton Well-Known Member

    Yeah I have cageFS on and all that. But I'm not really worried about accounts affecting other accounts. The damage would always be limited to 1 account. But 'lsapi_target_perm' doesn't sound like it would protect the account from itself.... which is what I'm wondering if I even need to worry about. One bad php script could delete or modify all others on the account.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    A strong Mod_Security ruleset is useful to protect against the exploits themselves. You can search for the term "ModSecurity" on our forums to see a list of threads related to Mod_Security, including threads with ruleset discussion.

    Thank you.
     