The above question is simplified. The real questions below at the end are much more complex. Note I don't have a linux server handy so I am relying on documentation and hence these questions.
Background
On other servers (and maybe cloudlinux) apache runs as the user apache (or nobody).
If using mod_php (or one of the other php handlers without suexec or equivalent) all php files are executed as the user apache and this has security ramifications, as in a non-caged system the user is able to read other users' files etc. However the user's own files cannot be overwritten or deleted, or a file added, if the permissions don't allow it. This has saved me on occasion when a hacker has managed to exploit a bug and tried to modify one of my website's files or add a file to a protected directory.
The use of other php handlers with suexec or equivalent means the apache process effectively runs as the user and hence can't read other users' files etc. if their permissions don't allow it. However any hacker that succeeds in exploiting a bug can modify the user's own files.
For cloudlinux, use of the cagefs system prevents users from seeing other users' files. Thus, simplistically, it seems that if you're running cagefs there is no need for apache to run as the user. And by running apache as the user apache you gain an extra layer of protection if your file and directory permissions are set appropriately.
Modifications needed to run apache as apache
The following is based on using the mod_lsapi php handler.
1) According to the documentation for mod_lsapi (https://docs.cloudlinux.com/apache_mod_lsapi) this can be achieved for php files by modifying the default lsapi.conf as follows (note this hasn't been tested and may be incorrect):
lsapi_use_suexec off
#the following may be necessary for this to work
lsapi_check_document_root off
2) For cgi files (which I don't use) switch suexec off as follows:
a) For cPanel: https://help.myhosting.com/hc/en-us/...EXEC-and-suPHP
b) Otherwise modify the virtual host configurations in vhost.conf or equivalent by disabling the SuexecUserGroup directive.
<VirtualHost *:80>
DocumentRoot "/home/example/public_html"
ServerName example.com
ServerAlias www.example.com
#SuexecUserGroup example example
...
</VirtualHost>
3) Finally change the ownership and permissions of the files and directories that need to be read (or written) so that apache can read (or write to) them and, in the case of cgi files, execute them. You can do this by adding the needed permissions for the apache group and changing the group of the file to the apache group. The apache group may be "apache" or "nobody" depending on the server.
For example for the user "owner" and the group "apache" set the file permissions as follows.
NB I realise that most of the people reading this forum are experts but this is for the odd novice.
a) For files that need the read permission such as exampleFile.php
exampleFile.php owner apache rw-r-----
b) For cgi files that need the execute permission such as exampleFile.cgi
exampleFile.cgi owner apache rwxr-x---
c) For directories that need the read permission such as exampleDirectory
exampleDirectory owner apache rwxr-x---
d) For directories that need the write permission such as the following example uploadImageDirectory
uploadImageDirectory owner apache rwxrwx---
e) For files in the uploadImageDirectory that need the write permission such as uploadedImage.jpg
uploadedImage.jpg owner apache rw-rw----
Questions
1) Do the above changes work or are other changes necessary to make them work as intended?
With the above changes (and anything extra to make them work as intended):
2) Does cagefs still work for PHP scripts (Documentation https://docs.cloudlinux.com/cagefs unclear)?
3) Does cagefs still work for CGI scripts?
4) Does LVE still work for PHP scripts (Documentation https://docs.cloudlinux.com/limits/#...ibility-matrix unclear)?
5) Does LVE still work for CGI scripts (This could be connected: https://docs.cloudlinux.com...xec#reply-8443)?
Thanks for your consideration of these questions.
Cheers
Andy
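The permission scheme in step 3 of the post, applied and then audited, as an added shell example that is not part of Andy's post or of any CloudLinux tooling. It assumes the web server group is called apache (overridable through the WEB_GROUP variable, e.g. nobody, or your own group for a non-root dry run), that the document root is passed as the first argument, and that any upload directories that apache must write to are passed as further arguments. The audit function is the part a defender will want: it flags anything that has leaked beyond the scheme, i.e. any path readable, writable or executable by "other", and any group-writable path outside the declared upload directories.

```shell
#!/bin/sh
# Added example, not from the forum post: apply the "owner + apache group"
# permission scheme described above to a document root, then audit it.
# WEB_GROUP is assumed to be "apache"; set WEB_GROUP=nobody on servers that
# use that group, or WEB_GROUP=$(id -gn) for a non-root dry run.
WEB_GROUP="${WEB_GROUP:-apache}"

# apply_scheme DOCROOT [UPLOAD_DIR ...]
#   directories        -> rwxr-x--- (750)
#   ordinary files     -> rw-r----- (640)
#   *.cgi files        -> rwxr-x--- (750)
#   upload dirs        -> rwxrwx--- (770), files inside them -> rw-rw---- (660)
# Group ownership of everything under DOCROOT is changed to $WEB_GROUP.
apply_scheme() {
  docroot="$1"; shift
  chgrp -R "$WEB_GROUP" "$docroot" || return 1
  find "$docroot" -type d -exec chmod 750 {} +
  find "$docroot" -type f -exec chmod 640 {} +
  find "$docroot" -type f -name '*.cgi' -exec chmod 750 {} +
  for d in "$@"; do
    chmod 770 "$d"
    find "$d" -type f -exec chmod 660 {} +
  done
}

# audit_scheme DOCROOT [UPLOAD_DIR ...]
# Prints every path that grants "other" any permission, and every path that
# is group-writable outside the declared upload directories (the only places
# the apache group should be able to write). Returns 1 if anything was found.
audit_scheme() {
  docroot="$1"; shift
  found=0
  # the here-document keeps the loop in the current shell so $found survives
  while read -r p; do
    [ -n "$p" ] || continue
    echo "world-accessible: $p"; found=1
  done <<EOF
$(find "$docroot" \( -perm -o=r -o -perm -o=w -o -perm -o=x \) -print)
EOF
  while read -r p; do
    [ -n "$p" ] || continue
    inside=0
    for d in "$@"; do
      case "$p" in "$d"|"$d"/*) inside=1 ;; esac
    done
    [ "$inside" -eq 0 ] && { echo "group-writable outside upload dir: $p"; found=1; }
  done <<EOF
$(find "$docroot" -perm -g=w -print)
EOF
  return "$found"
}

# Stand-alone usage (paths are hypothetical, matching the post's example):
#   WEB_GROUP=apache sh perms.sh /home/example/public_html \
#       /home/example/public_html/uploadImageDirectory
if [ "$#" -ge 1 ]; then
  apply_scheme "$@" && audit_scheme "$@" && echo "permissions match the scheme"
fi
```

Run the audit on its own (without apply_scheme) from cron or after any deployment: a file that an upload handler or a compromised script has widened to 666, or a directory that has quietly become group-writable, shows up immediately instead of silently undoing the protection the post is relying on.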