Recommended PHP files owner for non-DSO

rinkleton (Well-Known Member, Jul 16, 2015, Cleveland, cPanel Access Level: Root Administrator)
So I'm finally upgrading from DSO (to mod_lsapi). One of the nice things about DSO is that php files are owned by the account but php runs as 'nobody', which means if a php file becomes compromised (bad enough on its own) it can't delete all the other php files or write something malicious to them.

So with a php handler that runs php as the account owner, is it recommended to have the owner of php files be someone other than the account owner? Assuming all other normal security measures are met and the sites are well written, is this even something to worry about?
 

cPMelaniel (Technical Analyst Supervisor, Staff member, Jun 25, 2013, Houston, TX, cPanel Access Level: Root Administrator)
Security-wise, it is likely better practice to have the PHP file owned by the user rather than nobody. While I understand the matter of scripts run as nobody being limited, if you are using CloudLinux then you have actually already resolved this by putting the users in a caged environment.

While not enabled by default, lsapi also offers an option called "lsapi_target_perm":
CloudLinux Documentation

"Check target PHP script permissions. If set to On, lsapi will check that script is owned by the same user, as user under which it is being executed. Return 503 error if they don't match."

I'd probably go with throwing the users in CageFS, setting up the scripts to be owned by the user, and enforcing lsapi_target_perm. However, you may want to review this further with your current needs and usage.
 

rinkleton (Well-Known Member, Jul 16, 2015, Cleveland, cPanel Access Level: Root Administrator)
Yeah, I have CageFS on and all that. But I'm not really worried about accounts affecting other accounts. The damage would always be limited to 1 account. But 'lsapi_target_perm' doesn't sound like it would protect the account from itself... which is what I'm wondering if I even need to worry about. One bad php script could delete or modify all others on the account.
 
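The exposure rinkleton is asking about (which PHP files a script running as the account user could overwrite or delete) can be measured directly from ownership and mode bits. The audit below is an added example written for this thread, not code from cPanel, CloudLinux or any poster; it assumes plain POSIX permissions (no ACLs, no CageFS effects) and builds its own throwaway sample tree with constructed file names.

```python
import os
import shutil
import stat
import tempfile

def writable_by(st, uid, gids):
    """Could a process running as uid (member of gids) write this inode?
    Owner bits if uid matches, else group bits if gid matches, else other."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def audit_php_writable(docroot, uid, gids, ext=(".php", ".phtml")):
    """Return sorted (relative path, reason) for every PHP file the runtime
    user could tamper with: writable file, or a writable parent directory
    (enough to delete or replace the file even if the file itself is 0444)."""
    exposed = []
    for dirpath, _, filenames in os.walk(docroot):
        dir_writable = writable_by(os.lstat(dirpath), uid, gids)
        for name in filenames:
            if not name.lower().endswith(ext):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and specials are skipped
            rel = os.path.relpath(path, docroot)
            if writable_by(st, uid, gids):
                exposed.append((rel, "file writable"))
            elif dir_writable:
                exposed.append((rel, "directory writable"))
    return sorted(exposed)

def demo():
    """Constructed sample tree (not a real site): index.php is read-only in a
    read-only docroot; uploads/gallery.php sits writable in a writable dir."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "uploads"))
    for rel, mode in (("index.php", 0o444), ("uploads/gallery.php", 0o644)):
        with open(os.path.join(root, rel), "w") as f:
            f.write("<?php\n")
        os.chmod(os.path.join(root, rel), mode)
    os.chmod(root, 0o555)
    result = audit_php_writable(root, os.getuid(), {os.getgid()})
    os.chmod(root, 0o755)  # restore before cleanup
    shutil.rmtree(root)
    return result  # [('uploads/gallery.php', 'file writable')]
```

Run it against a real document root with the account's uid and gids to see exactly which scripts a compromised script could alter; an empty list for the code directories (with only genuine upload or cache paths listed) is the target state when code is owned by a separate deploy user and PHP only needs read access.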

cPanelMichael (Administrator, Staff member, Apr 11, 2011)
One bad php script could delete or modify all others on the account.
Hello,

A strong Mod_Security ruleset is useful to protect against the exploits themselves. You can search for the term "ModSecurity" on our forums to see a list of threads related to Mod_Security, including threads with ruleset discussion.

Thank you.