Running litespeed as cPanel user - security issue?

midwestE

In shared hosting environments where the web server runs as the same user that owns the web files, I see a security issue.

My hosting provider runs WHM, cPanel, CloudLinux and LiteSpeed. Web files uploaded from SFTP are owner:group of the cPanel owner.

Example using Drupal:

Bash:
-r--r--r--  1 nonyabid nonyabid   6604 Aug 28 15:04 authorize.php
-r--r--r--  1 nonyabid nonyabid 114096 Aug 28 15:04 CHANGELOG.txt
-r--r--r--  1 nonyabid nonyabid   1481 Aug 28 15:04 COPYRIGHT.txt
-r--r--r--  1 nonyabid nonyabid    720 Aug 28 15:04 cron.php
-r--r--r--  1 nonyabid nonyabid    102 Aug 28 15:04 .drush-lock-update
-r--r--r--  1 nonyabid nonyabid    317 Aug 28 15:04 .editorconfig
-r--r--r--  1 nonyabid nonyabid    662 Aug 28 15:04 .gitignore
-r--r--r--  1 nonyabid nonyabid   6551 Aug 28 15:04 .htaccess
  • The LiteSpeed server runs as user "nonyabid"
  • To secure the codebase, since the webserver is the "owner" and to prevent a bug in a Drupal module from allowing write access to webfiles, owner must be set to R only as above
  • With this configuration, files cannot be published easily without changing the permissions first to allow owner RW

IMO the web server should run as a different user & group, and the file group ownership should be the webserver's user group. Then access can be set as -rw-r--r--, allowing modification by the owner, and PREVENTING modification by the web server.

What am I missing here? Why would the web server run as the same user as the file owner?
 

Henry Carter

Hi,

On cPanel servers, if we enable PHP suEXEC for shared hosting (each user has their own account uid/gid), then there is no need to chown. Do you host more sites on this user account "nonyabid"?
 

midwestE

There will be more sites on this account, currently though there is only one.

The problem comes from the fact that running the webserver as the user that owns the files presents an issue. Say, for instance, that a Drupal module has a security flaw that allows an anonymous user to exploit the code and write files to webroot (or subdirectories). This allows the anonymous user to write files into the web directory that can allow them to execute code that was uploaded to give them even more access or compromise the files/data.

To prevent this, the web server should never be able to have permission to write files to the webroot. Then, even if a code exploit exists, the webserver can't write files to the codebase.
 

LitespeedLucas

Verified Vendor
Hi @midwestE

When you install LiteSpeed on a cPanel server it will be installed to match the user:group nobody:nobody. You can easily verify this by going into your LiteSpeed Web Console (port :7080), then go to Configuration -> Server -> General - here you'll see "Running As" under the "Server Process" section.

On the same page, you'll also have a section called "Using Apache Configuration File"; here you'll see "PHP suEXEC", which is likely set to "Yes". If that's the case, then PHP processes spawned by the webserver will be running under suexec, using the user:group of the given VirtualHost (matching the cPanel user owning the domain). You can check the user:group that will be used in /etc/apache2/conf/httpd.conf; the suexec setting you'll be looking for is SuexecUserGroup.

From a file-ownership perspective, you'd want to run 755 for directories and 644 for files, for example; this is perfectly secure.
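
The two checks mentioned in the reply above (which user:group SuexecUserGroup assigns to each VirtualHost, and whether anything under a docroot is looser than 755/644), written out as an added example that is not part of the original thread. The function names, the sample vhosts and the temporary paths are constructed for illustration; on a real server, point suexec_map at /etc/apache2/conf/httpd.conf.

```shell
#!/bin/sh
# Added example with constructed sample data; not code from the thread.

# Print "ServerName user group" for each VirtualHost in an Apache-style config.
# A vhost with no SuexecUserGroup directive is reported as "NONE NONE".
suexec_map() {
  awk '
    tolower($1) ~ /^<virtualhost/    { name = ""; ug = "" }
    tolower($1) == "servername"      { name = $2 }
    tolower($1) == "suexecusergroup" { ug = $2 " " $3 }
    tolower($1) ~ /^<\/virtualhost/  { if (name != "") print name, (ug == "" ? "NONE NONE" : ug) }
  ' "$1"
}

# List paths under a docroot that are writable by group or other,
# i.e. anything looser than 755 directories / 644 files.
loose_perms() {
  find "$1" \( -perm -020 -o -perm -002 \) ! -type l -print | sort
}

# Constructed sample config: two vhosts, the second lacks SuexecUserGroup.
demo_conf() {
  cat <<'EOF'
<VirtualHost 192.0.2.10:80>
  ServerName example.test
  DocumentRoot /home/nonyabid/public_html
  SuexecUserGroup nonyabid nonyabid
</VirtualHost>
<VirtualHost 192.0.2.10:80>
  ServerName other.test
  DocumentRoot /home/other/public_html
</VirtualHost>
EOF
}

run_demo() {
  tmp=$(mktemp -d) || return 1
  demo_conf > "$tmp/httpd.conf"
  suexec_map "$tmp/httpd.conf"
  mkdir -p "$tmp/public_html/files"
  touch "$tmp/public_html/index.php" "$tmp/public_html/files/upload.txt"
  chmod 755 "$tmp/public_html" "$tmp/public_html/files"
  chmod 644 "$tmp/public_html/index.php"
  chmod 666 "$tmp/public_html/files/upload.txt"   # deliberately too loose
  loose_perms "$tmp/public_html"                  # reports only upload.txt
  rm -rf "$tmp"
}
run_demo
```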