Can cloudlinux apache run as user apache


  • Can cloudlinux apache run as user apache

    The above question is simplified. The real questions below at the end are much more complex. Note I don't have a Linux server handy so I am relying on documentation and hence these questions.

    Background

    On other servers (and maybe CloudLinux) apache runs as the user apache (or nobody).

    If using mod_php (or one of the other PHP handlers without suexec or equivalent), all PHP files are executed as the user apache, and this has security ramifications, as in a non-caged system the user is able to read other users' files etc. However, the user's own files cannot be overwritten or deleted, or a file added, if the permissions don't allow it. This has saved me on occasion when a hacker has managed to exploit a bug and tried to modify one of my website's files or add a file to a protected directory.

    The use of other PHP handlers with suexec or equivalent means the apache process effectively runs as the user and hence can't read other users' files etc. if their permissions don't allow it. However, any hacker that succeeds in exploiting a bug can modify the user's own files.

    For CloudLinux, use of the CageFS system prevents users from seeing other users' files. Thus, simplistically, it seems that if you're running CageFS there is no need for apache to run as the user. And by running apache as the user apache you gain an extra layer of protection if your file and directory permissions are set appropriately.

    Modifications needed to run apache as apache

    The following is based on using the mod_lsapi php handler.

    1) According to the documentation for mod_lsapi (https://docs.cloudlinux.com/apache_mod_lsapi) this can be achieved for PHP files by modifying the default lsapi.conf as follows (note this hasn't been tested and may be incorrect):

    lsapi_use_suexec off

    #the following may be necessary for this to work
    lsapi_check_document_root off

    2) For CGI files (which I don't use) switch suexec off as follows:

    a) For cPanel: https://help.myhosting.com/hc/en-us/...EXEC-and-suPHP

    b) Otherwise modify the virtual host configurations in vhost.conf or equivalent by disabling the SuexecUserGroup directive.

    <VirtualHost *:80>
    DocumentRoot "/home/example/public_html"
    ServerName example.com
    ServerAlias www.example.com
    #SuexecUserGroup example example
    ...
    </VirtualHost>

    3) Finally, change the ownership and permissions of the files and directories that need to be read (or written) so that apache can read (or write to) them and, in the case of CGI files, execute them. You can do this by adding the needed permissions for the apache group and changing the group of the file to the apache group. The apache group may be "apache" or "nobody" depending on the server.

    For example for the user "owner" and the group "apache" set the file permissions as follows.

    NB I realise that most of the people reading this forum are experts but this is for the odd novice.

    a) For files that need the read permission such as exampleFile.php

    exampleFile.php owner apache rw-r-----

    b) For cgi files that need the execute permission such as exampleFile.cgi

    exampleFile.cgi owner apache rwxr-x---

    c) For directories that need the read permission such as exampleDirectory

    exampleDirectory owner apache rwxr-x---

    d) For directories that need the write permission such as the following example uploadImageDirectory

    uploadImageDirectory owner apache rwxrwx---

    e) For files in the uploadImageDirectory that need the write permission such as uploadedImage.jpg

    uploadedImage.jpg owner apache rw-rw----

    Questions

    1) Do the above changes work or are other changes necessary to make them work as intended?

    With the above changes (and anything extra to make them work as intended):

    2) Does CageFS still work for PHP scripts (Documentation https://docs.cloudlinux.com/cagefs unclear)?
    3) Does CageFS still work for CGI scripts?
    4) Does LVE still work for PHP scripts (Documentation https://docs.cloudlinux.com/limits/#...ibility-matrix unclear)?
    5) Does LVE still work for CGI scripts (This could be connected https://www.cloudlinux.com/forum/forum18/lsapi-cagefs-no-suexec#reply-8443)?

    Thanks for your consideration of these questions.

    Cheers
    Andy
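
The ownership and permission scheme from step 3 of the post above, written out as an added example (not part of the original post and not CloudLinux code): one function applies the modes, the other reports anything that drifts from them. The function names, the use of GNU find, and the arguments (site root, web server group, upload directory) are assumptions.

```bash
#!/usr/bin/env bash
# Added example: apply and audit the owner / web-server-group scheme from step 3.
# Assumptions (not from the post): the function names, GNU find, and that the
# caller passes the web server group ("apache" or "nobody") and the upload path.

# apply_scheme ROOT GROUP UPLOAD_DIR
apply_scheme() {
    chgrp -R -- "$2" "$1"
    # Directories: rwxr-x--- so the group can traverse and list, not create files.
    find "$1" -type d -exec chmod 750 {} +
    # CGI scripts: rwxr-x--- ; every other file: rw-r-----
    find "$1" -type f -name '*.cgi' -exec chmod 750 {} +
    find "$1" -type f ! -name '*.cgi' -exec chmod 640 {} +
    # The one place the web server may write: rwxrwx---, files inside rw-rw----
    chmod 770 "$3"
    find "$3" -type f -exec chmod 660 {} +
}

# audit_scheme ROOT UPLOAD_DIR
# Prints one line per deviation; prints nothing when the tree matches the scheme.
audit_scheme() {
    # Any bit for "other" breaks the owner/group-only model. Symlink modes are
    # always 777 and carry no meaning, so they are skipped.
    find "$1" ! -type l -perm /007 -printf 'other-access %p\n'
    # Group write outside the upload directory would let a script running as
    # the web server user modify the site's own files.
    find "$1" -path "$2" -prune -o ! -type l -perm /020 -printf 'group-write %p\n'
}

# Usage when run directly: script.sh ROOT GROUP UPLOAD_DIR
if [ "$#" -eq 3 ]; then
    apply_scheme "$1" "$2" "$3" && audit_scheme "$1" "$3"
fi
```

Running `audit_scheme` from cron after deployments catches a stray `chmod 664` or `777` that would remove the write protection the post relies on.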

  • #2
    Hello Andy! We are working on this issue.
    Get back to you later with a response.
    Thanks!


    • #3
      Hello,
      When you set up PHP to run as Apache user, CageFS will not work for these PHP users. The same is true for CGI scripts.
      LVE will have limited support; for example, memory limits will not work, but other limits can be set up to work with mod_hostinglimits.
      The following mod_hosting directives will be required to set up:
      LVEId
      LVEUser