The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

To suEXEC or not to suEXEC? That is the question.

Discussion in 'General Discussion' started by jols, Jun 14, 2007.

  1. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    I am really confused here after reading through tons of posts.

    Now, I am not referring to phpsuEXEC, but just suEXEC which many say is a MUST for good security, however, take a look at this quote from http://httpd.apache.org/docs/1.3/suexec.html

    ---------
    Used properly, this feature can reduce considerably the security risks involved with allowing users to develop and run private CGI or SSI programs. However, if suEXEC is improperly configured, it can cause any number of problems and possibly create new holes in your computer's security. If you aren't familiar with managing setuid root programs and the security issues they present, we highly recommend that you not consider using suEXEC.
    ---------

    ... and this one from the same site:

    ---------
    Second, it is assumed you are familiar with some basic concepts of your computer's security and its administration. This involves an understanding of setuid/setgid operations and the various effects they may have on your system and its level of security.
    ---------

    Also, check out this post:
    http://forums.theplanet.com/lofiversion/index.php/t40851.html

    ...particularly this part:
    ---------
    IT IS ABSOLUTELY CRITICAL THAT YOU DISABLE SUEXEC MODULE!

    If you dont, people can simply execute files in /tmp as nobody, and create their own shell accounts on the box. neat huh?
    ---------

    Okay, so here is my question:

    If I go through WHM ---> Apache Update, and select all the usual modules per our needs but this time adding "suEXEC Module" WILL IT BE PROPERLY CONFIGURED?

    Another quesiton; Will this break any scripts that are already installed on this production server?

    Also, what exactly do I need to do regarding setuid/setgid? Should I change some config file somewhere on the server for setuid/setgid to tighten up security in this respect after enabling suEXEC?

    Thanks for any input here :confused: :confused: :confused:

    By the way, we are still at php 4.4.4. and I am getting into this whole thing wanting to upgrade to php 4.4.7

    P.S. We are up to - WHM 10.8.0 cPanel 10.9.0-R10737
     
    #1 jols, Jun 14, 2007
    Last edited: Jun 14, 2007
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,472
    Likes Received:
    200
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
  3. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
  4. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
  5. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Anyone?

    Is everyone else as stumped about this as I am?
     
  6. MaraBlue

    MaraBlue Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    335
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Carmichael, CA
    cPanel Access Level:
    Root Administrator
    Ummmm...d00d...the date on that post: Feb 2 2004, 03:45 AM

    It pays to do your research, but you also have to consider the source of that information.
     
  7. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    So what's changed since 2004?
     
  8. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Everything has changed since 2004. In fact, if you re-read that post from theplanet you'll see other folks join in with comments, including some experienced sysadmins who say "suexec was not the reason you were hacked" -- and it wasn't. You're probably new to server admin and security at least to some extent or you wouldn't ask what's changed in 3 years - the answer is, nearly everything!

    Suexec as installed by WHM will work fine and will help your security a lot, don't hesitate. Those statements are old hangovers left in the doco, initially as a precaution against people blindly installing it and having problems due to something else stupid that they did then blaming the authors. I can't even think of a scenario where this might happen, and I haven't seen such a problem myself in 3 years on multiple servers.

    The statement made about /tmp is completely ridiculous as in fact the reverse is true; it's in fact true that WITHOUT Suxec someone can create files in /tmp (and read other people's files, more importantly).

    Cheers!
     
Loading...
Similar Threads - suEXEC suEXEC question
  1. vlee
    Replies:
    6
    Views:
    518
  2. glenn0
    Replies:
    4
    Views:
    292
  3. bilberh
    Replies:
    7
    Views:
    388

Share This Page