Suexec + file permissions

Discussion in 'Security' started by gersonfs, Dec 23, 2010.

  1. gersonfs

    gersonfs Active Member

    I would like to understand why the CGI scripts on Apache under cPanel work with suexec,
    even if binaries like /usr/local/cpanel/cgi-sys/php5 have an owner and group
    different from those of the users' PHP files. Was there some modification to suexec's source code?

    Thanks! And sorry for the bad English.
     
  2. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Using suEXEC allows executing programs as a different user, such as running CGI scripts as an individual cPanel user where the user and group match that of the user's files. I am not aware of any non-standard modifications in how suEXEC is used.

    To help me better understand the circumstances surrounding your inquiry, please provide the output from the following command, entered via root SSH access:
    Code:
    # /usr/local/cpanel/bin/rebuild_phpconf --current
     
  3. gersonfs

    gersonfs Active Member

    Okay, but just to be clear, I have no problem on the servers.
    But the current scheme violates the security rules enforced by Apache suexec, as described on this page: suEXEC Support - Apache HTTP Server, more precisely here:
    "18. Is the target user/group the same as the program's user/group?
    Is the user the owner of the file?"

    See:
    Code:
    [root@xxx ~]# /usr/local/cpanel/bin/rebuild_phpconf --current
    Available handlers: suphp fcgi cgi none
    DEFAULT PHP: 5
    PHP4 SAPI: none
    PHP5 SAPI: fcgi
    SUEXEC: enabled
    My php.conf:
    Code:
    LoadModule fcgid_module modules/mod_fcgid.so
    MaxRequestsPerProcess 500
    AddHandler fcgid-script .php5 .php4 .php .php3 .php2 .phtml
    FCGIWrapper /usr/local/cpanel/cgi-sys/php5 .php5
    FCGIWrapper /usr/local/cpanel/cgi-sys/php5 .php4
    FCGIWrapper /usr/local/cpanel/cgi-sys/php5 .php
    FCGIWrapper /usr/local/cpanel/cgi-sys/php5 .php3
    FCGIWrapper /usr/local/cpanel/cgi-sys/php5 .php2
    FCGIWrapper /usr/local/cpanel/cgi-sys/php5 .phtml
    
    [root@xxx ~]# ls -la /usr/local/cpanel/cgi-sys/php5
    -rwxr-xr-x 1 root wheel 18520861 Feb 17 2010 /usr/local/cpanel/cgi-sys/php5*
    
    The php5 owner is different from all the PHP file owners...

    According to the Apache documentation, it should not work. I wonder what was done to circumvent the security measures that Apache set.

    Thanks!
     
  4. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    The following files, set up when using FastCGI, are only wrappers that call the actual PHP binary:
    • /usr/local/cpanel/cgi-sys/php4
      Code:
      # cat /usr/local/cpanel/cgi-sys/php4
      #!/bin/sh
      
      # If you customize the contents of this wrapper script, place
      # a copy at /var/cpanel/conf/apache/wrappers/php4
      # so that it will be reinstalled when Apache is updated or the
      # PHP handler configuration is changed
      
      exec /usr/php4/bin/php
      
    • /usr/local/cpanel/cgi-sys/php5
      Code:
      # cat /usr/local/cpanel/cgi-sys/php5
      #!/bin/sh
      
      # If you customize the contents of this wrapper script, place
      # a copy at /var/cpanel/conf/apache/wrappers/php5
      # so that it will be reinstalled when Apache is updated or the
      # PHP handler configuration is changed
      
      exec /usr/bin/php
      

    I read the Apache documentation page mentioned, but I do not see any real problem nor any indication that security mechanisms are being circumvented.

    I believe the Apache document, suEXEC Support - Apache HTTP Server, may refer to more than one type of program. It is my understanding that, in the context used in the quoted item number 18, the "program" being referred to is that of the actual end-user's CGI or PHP script located within the user account's home directory (i.e., within the applicable document root of the virtual host being accessed). It is also my understanding that the end-user program is neither the PHP binary nor is it the PHP wrapper used in the FastCGI configuration.
     
    #4 cPanelDon, Dec 24, 2010
    Last edited: Dec 24, 2010
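The preconditions the two posts argue about are the file-level checks on the Apache suEXEC page (check 18, quoted above, plus the directory and writability checks around it). The helper below is an added example, not code from this thread or from cPanel: it re-applies those checks to a script path and the user/group Apache would hand to suexec, so an administrator can see which check a refused CGI or PHP script would trip. It assumes GNU coreutils `stat` (Linux) and does not model check 13 (the webspace/docroot test).

```shell
#!/bin/sh
# Added example (not from the thread or cPanel): apply the file-level suEXEC
# preconditions, checks 12 and 14-18 of the Apache suEXEC documentation, to a
# script so an admin can see which one a refused CGI/PHP script trips.
# Assumes GNU coreutils stat (Linux).

# Split a path's octal mode into "special user group other", zero-padded:
# 755 -> "0 7 5 5", 4755 -> "4 7 5 5".
_mode_digits() {
    m=$(stat -c %a "$1") || return 1
    m=$(printf '%04d' "$m")
    s=${m%???}; r=${m#?}
    u=${r%??};  r=${r#?}
    g=${r%?};   o=${r#?}
    echo "$s $u $g $o"
}

# True when the group digit ($1) or the other digit ($2) carries the write bit.
_writable_by_others() {
    [ $(( ($1 & 2) | ($2 & 2) )) -ne 0 ]
}

# suexec_check <script> <target_user> <target_group>
# Prints "ok" (and returns 0) or the number of the first failed check.
suexec_check() {
    script=$1; tuser=$2; tgroup=$3
    dir=$(dirname "$script")
    # Check 12: suexec must be able to chdir into the script's directory.
    if [ ! -d "$dir" ]; then echo 12; return 1; fi
    set -- $(_mode_digits "$dir")
    # Check 14: the directory must not be writable by anyone but its owner.
    if _writable_by_others "$3" "$4"; then echo 14; return 1; fi
    # Check 15: the script must exist as a regular file.
    if [ ! -f "$script" ]; then echo 15; return 1; fi
    set -- $(_mode_digits "$script")
    # Check 16: the script itself must not be writable by anyone else.
    if _writable_by_others "$3" "$4"; then echo 16; return 1; fi
    # Check 17: no setuid (4) or setgid (2) bit on the script.
    if [ $(( $1 & 6 )) -ne 0 ]; then echo 17; return 1; fi
    # Check 18 (the one quoted in the thread): owner and group must equal
    # the target user and group.
    if [ "$(stat -c %U:%G "$script")" != "$tuser:$tgroup" ]; then echo 18; return 1; fi
    echo ok
}

# Run directly: sh suexec_check.sh /home/user/public_html/test.cgi user user
if [ $# -eq 3 ]; then suexec_check "$1" "$2" "$3"; fi
```

Run it against a user's script with that user's name and group; a result other than "ok" names the first suEXEC check that would reject the file.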