Recommended PHP files owner for non-DSO

rinkleton

Well-Known Member
Jul 16, 2015
108
4
68
Cleveland
cPanel Access Level
Root Administrator
So I'm finally upgrading from DSO (to mod_lsapi). One of the nice things about DSO is that php files are owned by the account but php runs as 'nobody' which means if a php file becomes compromised (bad enough on it's own) it can't delete all the other php files or write something malicious to them.

So with a php handler than runs php as the account owner, is it recommended to have the owner of php files other than the account owner? Assuming all other normal security measures are met and the sites are well written, is this even something to worry about?
 

cPMelaniel

Technical Analyst Supervisor
Staff member
Jun 25, 2013
9
1
78
Houston,Tx
cPanel Access Level
Root Administrator
Security wise, it is likely better practice to have the PHP file owned as the user rather then nobody. While I understand the matter of scripts ran as nobody being limited, if you are using CloudLinux then you have actually already resolved this by putting the users in a caged environment.

While not enabled by default, lsapi also offers an option called "lsapi_target_perm":
CloudLinux Documentation

"Check target PHP script permissions. If set to On, lsapi will check that script is owned by the same user, as user under which it is being executed. Return 503 error if they don't match."

I'd probably go with throwing the users in cageFS, setting up the scripts to be owned by the user, and enforcing lsapi_target_perm. However you may want to review this further with your current needs and usage.
 

rinkleton

Well-Known Member
Jul 16, 2015
108
4
68
Cleveland
cPanel Access Level
Root Administrator
Yeah I have cageFS on and all that. But I'm not really worried about accounts affecting other accounts. The damage would always be limited to 1 account. But 'lsapi_target_perm' doesn't sound like it would protect the account from itself.... which is what I'm wondering if I even need to worry about. One bad php script could delete or modify all others on the account.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,222
463
One bad php script could delete or modify all others on the account.
Hello,

A strong Mod_Security ruleset is useful to protect against the exploits themselves. You can search for the term "ModSecurity" on our forums to see a list of threads related to Mod_Security, including threads with ruleset discussion.

Thank you.