
ssl and suexec, nobody user not account user

Discussion in 'General Discussion' started by stephendwolff, Aug 10, 2008.

  1. stephendwolff

    stephendwolff, Member (Joined: Jul 20, 2007; Messages: 5; Likes Received: 0; Trophy Points: 1)

    Hi there, I am trying to get a domain served via SSL using a specific user and group via apache.

    We have many websites being served using suexec with users and groups for the specific sites.

    Now when serving a new site using SSL, the files are being served as 'nobody', which is no use, as it means 777 permissions are needed for some of the scripts (it's an extranet).

    How can I change the user for the SSL site using cPanel? In the SSL/TLS area, under the Manage SSL Hosts section, the site is listed with 'nobody' as owner, but there is no option to change this! Is it possible via SSH to manually change this setting, and get Suexec working properly for the SSL account?

    cPanel WHM version:
    WHM 11.23.2 cPanel 11.23.4-R26138
    CENTOS Enterprise 5 x86_64 on standard - WHM X v3.1.0

    Many thanks,

    Stephen
     
  2. cPanelDavidG

    cPanelDavidG, Technical Product Specialist (Joined: Nov 29, 2006; Messages: 11,279; Likes Received: 8; Trophy Points: 38; Location: Houston, TX; cPanel Access Level: Root Administrator)

    The scripts you are running, are they PHP scripts by chance?
     
  3. stephendwolff

    The scripts are both PHP and CGI-BIN Perl scripts - for a (German) commercial CMS called Weblication (our client's choice, not ours!)
     
  4. cPanelDavidG

    Is SuPHP enabled on the server or are you running PHP as CGI or neither of the above?
     
  5. stephendwolff

    Apache SuEXEC is shown as on under 'Service Configuration -> Configure PHP and SuExec'.

    Looking at the automatically generated apache http.conf - I can see that suexec is enabled for most vhosts. suphp may be enabled for the https site in question only. It has a config block:

    <IfModule mod_suphp.c>
    suPHP_UserGroup nobody nobody
    </IfModule>

    Although, I can't find a reference to mod_suphp anywhere else in the file.
     
  6. cPanelKenneth

    cPanelKenneth, cPanel Development, Staff Member (Joined: Apr 7, 2006; Messages: 4,461; Likes Received: 22; Trophy Points: 38; cPanel Access Level: Root Administrator)

    Is the domain in question owned by a cPanel account or are you attempting to make an arbitrary system user owner of the domain?
     
  7. stephendwolff

    The domain (VHost) is set up using a cPanel account. This account user is used by SuEXEC to run scripts for the standard http (i.e. port 80) vhost, as for all other vhosts on the dedicated server.

    The account user is NOT used by cPanel for SuEXEC when setting up the https site. When adding an SSL certificate, a message is offered by cPanel saying that only certificates for the 'nobody' user are acceptable. This is pretty obviously no good in terms of security. (Unless there is another way to lock an HTTPS site down in terms of user)
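
The mismatch described in the posts above (account user on the port-80 vhost, 'nobody' on the SSL vhost) can be checked for directly in the generated Apache configuration. This is an added example, not part of the original thread or cPanel's own tooling; the sample configuration, address, domain and account name `extranet` are constructed, and `parse_vhosts` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample in the style of a generated httpd.conf (made-up names).
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:80>
    ServerName extranet.example.com
    SuexecUserGroup extranet extranet
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName extranet.example.com
    SSLEngine on
    <IfModule mod_suphp.c>
        suPHP_UserGroup nobody nobody
    </IfModule>
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*(ServerName|SuexecUserGroup|suPHP_UserGroup)\s+(\S+)", re.M | re.I)

def parse_vhosts(conf):
    """Return one dict per <VirtualHost> block: port, ServerName, exec users."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        vh = {"port": addr.split()[0].rsplit(":", 1)[-1], "name": "?", "users": set()}
        for directive, value in DIRECTIVE_RE.findall(body):
            if directive.lower() == "servername":
                vh["name"] = value.lower()
            else:
                vh["users"].add(value)  # first argument is the user
        vhosts.append(vh)
    return vhosts

def audit(conf, shared_user="nobody"):
    """Flag vhosts whose scripts run as the shared user (or have no user set)."""
    by_name = {}
    for vh in parse_vhosts(conf):
        by_name.setdefault(vh["name"], []).append(vh)
    findings = []
    for name, group in by_name.items():
        # Users that sibling vhosts of the same ServerName run under.
        owners = sorted(set().union(*(vh["users"] for vh in group)) - {shared_user})
        for vh in group:
            if not vh["users"] or shared_user in vh["users"]:
                findings.append((name, vh["port"], sorted(vh["users"]), owners))
    return findings

if __name__ == "__main__":
    for name, port, users, owners in audit(SAMPLE_CONF):
        print(f"{name}:{port} runs as {users or 'server user'}; sibling vhosts use {owners}")
```

A finding whose last field names an account user means the same ServerName is served under two identities, which is the situation that pushes operators toward 777 permissions.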
     
  8. cPanelKenneth

    To be clear:

    Are you attempting to install the SSL Certificate via cPanel or WHM?

    Could you post the exact message regarding the 'nobody' user that is displayed when attempting to install the SSL Certificate?
     
  9. stephendwolff

    We use a web based interface which has the following information at the top:

    WHM 11.23.2 cPanel 11.23.4-R26138
    CENTOS Enterprise 5 x86_64 on standard - WHM X v3.1.0

    It lives on port 2087 of our server. Not sure if this is cPanel or WHM - I'm guessing WHM - we weren't aware of another interface, so this is the one we installed the SSL certificate with.

    I can't get the exact message without reinstalling the certificate - i.e. disabling the site and removing, then installing - which I can't do without some warning to the client.

    The interface for installing the certificate had a space where a username could be entered. On hitting 'submit' (SSL/TLS -> Install a SSL Certificate and Setup the Domain), if anything but 'nobody' is in the User field, the installation of the certificate fails.
     
  10. cPanelKenneth

    Thank you for that information. We've recently improved a lot of this functionality (in CURRENT and EDGE at the moment) and I'll use what you provided during the testing and analysis.

    If the domain is truly owned by a cPanel account (e.g. the primary domain for an account, a subdomain added using the cPanel interface) then the SSL installer should use the cPanel account name, rather than nobody.

    Access via port 2087 is the WHM interface. Access via port 2083 is the cPanel interface.
     
    #10 cPanelKenneth, Aug 20, 2008
    Last edited: Aug 20, 2008