<?php echo `whoami`; ?>
So this is returning 'root' and I don't know how to prevent it. I'm using WebHost Manager / CPanel which is supposed to create multiple users/vhosts and have Apache spawn its process as that user/group. This isn't happening.
If I log in to WHM and open the PHP and SuExec Configuration section, my settings are:
Default PHP Version (.php files) 5
PHP 5 Handler cgi
PHP 4 Handler none
Apache suEXEC on
What's wrong? How can I get Apache to run as the correct user rather than root?
-
Apache itself is most probably running as the apache user but thanks to SuExec, PHP scripts that are owned by root will run as root. That is why your whoami command returns the root user.
If you change the owner of the files in your document root to be "apache" or "www-data" (whichever one your server uses) then that same command will return the new owner of the file.
It's probably also worthwhile making sure that all of your PHP scripts are chmod 555 and directories are not owned by the same user as the files. This will allow CGI to execute the scripts but will mean that if a flaw is ever found in one of the PHP scripts it won't be able to modify itself or any of the other scripts and it won't be able to create a new script in any of the directories. There are still plenty of things an attacker could do if they found a flaw in a PHP script but anything you can do to make it harder for them is worthwhile.
From Ladadadada
-
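An added example, not part of the original answers: a shell audit of a document root against the ownership and permission advice in Ladadadada's answer above. The function names audit_docroot and demo_tree are made up for this sketch, and the sample tree is constructed.

```shell
#!/bin/sh
# audit_docroot DIR [UID] prints one finding per line for every *.php file:
#   OWNED_BY_UID    owned by UID (default 0 = root); under suEXEC the script
#                   runs as its owner, so a root-owned script runs as root
#   WRITABLE        a write bit is set (the answer suggests chmod 555)
#   DIR_SAME_OWNER  the parent directory has the same owner as the script,
#                   so that user could still create or replace scripts there
audit_docroot() {
    docroot=$1
    flag_uid=${2:-0}

    # Scripts owned by the flagged uid (find accepts a numeric id for -user).
    find "$docroot" -type f -name '*.php' -user "$flag_uid" -print |
        sed 's/^/OWNED_BY_UID /'

    # Scripts with any write bit set (owner, group or other).
    find "$docroot" -type f -name '*.php' \
        \( -perm -200 -o -perm -020 -o -perm -002 \) -print |
        sed 's/^/WRITABLE /'

    # Scripts whose directory is owned by the same numeric uid as the script.
    find "$docroot" -type f -name '*.php' -print | while IFS= read -r f; do
        file_uid=$(ls -ln "$f" | awk '{print $3}')
        dir_uid=$(ls -ldn "$(dirname "$f")" | awk '{print $3}')
        if [ "$file_uid" = "$dir_uid" ]; then
            printf 'DIR_SAME_OWNER %s\n' "$f"
        fi
    done
    return 0
}

# Constructed sample tree, so the audit can be tried away from a real site.
# Prints the path of the temporary directory it created.
demo_tree() {
    t=$(mktemp -d)
    mkdir "$t/site"
    echo '<?php echo "ok"; ?>' > "$t/site/index.php"
    echo '<?php echo "ok"; ?>' > "$t/site/locked.php"
    chmod 644 "$t/site/index.php"    # still writable by its owner
    chmod 555 "$t/site/locked.php"   # read and execute only
    printf '%s\n' "$t"
}
```

Source the file and call audit_docroot on a document root; with no second argument it flags scripts owned by uid 0.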
If you want each site to be running as its own user, the correct PHP 5 Handler setting is 'suPHP' rather than 'CGI'. Once you change this you should see that your whoami reports the individual users.
Note that you may have to run EasyApache and select "Mod SuPHP" during that process to recompile Apache / PHP for this option to be available first. This is done under:
Main >> Software >> EasyApache (Apache Update) or on the command line
/scripts/easyapache
From Dave Forgac