LSAPI_CAGEFS_NO_SUEXEC

abc2000x2000

Member

Join Date: Mar 2021

Posts: 44
- Share
- Tweet
#1

LSAPI_CAGEFS_NO_SUEXEC

07-02-2019, 10:43 AM

lsapi supports some features of cagefs I dont see in use with in cloudlinux. Specifically LSAPI_CAGEFS_NO_SUEXEC which I set with env variable LSAPI_LVE_ENABLE=3

This is useful to drop privs of php running on an account on specific folders. For instance I can drop wordpress sites permissions to run as the apache user (nobody) for all folders except wp-admin and keep them with in cagefs. This allows functions in wp-admin to work easily as users expect and add a bit more security to wordpress sites by not allowing permissions for write access unless logged in.
Tags: None
skhristich

Senior Member

Join Date: Nov 2019

Posts: 595
- Share
- Tweet
#2

07-02-2019, 02:47 PM

Hello John! Thank you for reaching out.
If you give the opportunity to run PHP scripts from the user Apache (nobody), then there is a high probability that your server will be subject to ddos attack. The processes that run from under the user Apache (nobody) are not placed in LVE and for them, the limits for entry processes are not considered, so these domains will be able to use all existing Apache workers, which makes it inoperative. In suexec mode, each account has its own entry processes limit, so having reached its limit, the server will continue its normal operation for the remaining accounts.
Comment

Announcement