
[solved] Cloudlinux PHP LSAPI "say no to suexec"

#11 | 09-20-2012, 08:15 AM | mistwang (LiteSpeed Staff)
Set
http://www.litespeedtech.com/docs/we...tapps/#extUser
http://www.litespeedtech.com/docs/we...apps/#extGroup
for the lsphp external app; it will be the user/group that all PHP is running as.

#12 | 09-20-2012, 09:52 AM | QuantumNet (Senior Member)
I had tried those before posting, also tried the forcegid option... it seems they work when in normal suexec mode, but they get ignored when in "CageFS without suexec" mode.

Interesting thing is they seem hard coded, the web server runs as
user: apache
group: apache

But when running in "CageFS without suexec" mode, the user and group become "nobody"

and it cannot be overridden

I tested this with:

<?php
$user = exec('/bin/id');
echo $user;
?>

#13 | 09-20-2012, 10:41 AM | mistwang (LiteSpeed Staff)
You need to set both user/group for the external app; only setting the group won't work.

#14 | 09-20-2012, 03:30 PM | QuantumNet (Senior Member)
Okay, this might shed some light on the problem:

here is the output of test.php:
uid=498(apache) gid=500(apache) groups=500(apache)

as you can see, the "groups" only shows apache, so the suexec daemon is only picking up the primary group

now let's look at the output of the command line:
$ id apache
uid=498(apache) gid=500(apache) groups=500(apache),505(secure)

so here is the problem: the suexec daemon needs to pick up all groups it belongs to for the secure access group to work correctly

#15 | 09-20-2012, 04:25 PM | mistwang (LiteSpeed Staff)
LSAPI 6.0 code has been updated to address this.
You need to rebuild PHP with the latest php-lsapi-6.0 code.
Make sure to update /etc/group inside the cage.
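
A way to tell apart the two causes raised in the posts above (PHP started with only its primary group, or a cage copy of /etc/group that lacks the membership), as an added example that is not part of any post or of LiteSpeed's or CloudLinux's code. The group-file contents are constructed from the `id` output quoted in the thread; the function names and verdict strings are hypothetical, and reading a verdict as one cause or the other is an assumption.

```shell
#!/bin/sh
# Added example. All sample data below is constructed from the `id`
# output quoted in the thread; function names are hypothetical.

# Group names found in one line of `id` output, one per line.
groups_from_id() {
    printf '%s\n' "$1" | sed -n 's/.*groups=\([^ ]*\).*/\1/p' |
        tr ',' '\n' | sed 's/^[0-9]*(\(.*\))$/\1/' | sort -u
}

# Groups a user should hold according to group(5) text:
# the primary gid plus every group that lists the user as a member.
groups_from_db() (   # $1=user  $2=primary gid  $3=group file contents
    printf '%s\n' "$3" | awk -F: -v u="$1" -v g="$2" '
        $3 == g { print $1; next }
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break } }
    ' | sort -u
)

# Compare what the PHP process reports with both group databases.
diagnose() (   # $1=id line from PHP  $2=user  $3=gid  $4=host db  $5=cage db
    seen=$(groups_from_id "$1")
    cage=$(groups_from_db "$2" "$3" "$5")
    verdict=ok
    for grp in $(groups_from_db "$2" "$3" "$4"); do
        printf '%s\n' "$seen" | grep -qxF "$grp" && continue
        verdict=bad
        if printf '%s\n' "$cage" | grep -qxF "$grp"; then
            echo "not-loaded-at-launch:$grp"      # listed in cage, absent in process
        else
            echo "missing-from-cage-group:$grp"   # cage copy of /etc/group is stale
        fi
    done
    if [ "$verdict" = ok ]; then echo ok; fi
)

# Constructed sample data matching the thread's uid/gid values.
HOST_GROUP='apache:x:500:
secure:x:505:apache'
CAGE_STALE='apache:x:500:'
PHP_ID='uid=498(apache) gid=500(apache) groups=500(apache)'

diagnose "$PHP_ID" apache 500 "$HOST_GROUP" "$HOST_GROUP"
diagnose "$PHP_ID" apache 500 "$HOST_GROUP" "$CAGE_STALE"
```
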

#16 | 09-20-2012, 11:06 PM | QuantumNet (Senior Member)
I installed lsapi 6 when I installed lsws 4.2

here is the output when logged into a user inside cagefs:

[root@sr1 ../php-5.3.x]# su - governme
[governme@sr1 ~]$ php -v
PHP 5.3.9 with Suhosin-Patch (cli) (built: Sep 20 2012 03:35:18)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies
with the ionCube PHP Loader v4.2.1, Copyright (c) 2002-2012, by ionCube Ltd., and
with Zend Guard Loader v3.3, Copyright (c) 1998-2010, by Zend Technologies
with Suhosin v0.9.33, Copyright (c) 2007-2012, by SektionEins GmbH


[governme@sr1 ~]$ id apache
uid=498(apache) gid=500(apache) groups=500(apache),505(secure)


here is the output of test.php:
uid=498(apache) gid=500(apache) groups=500(apache)

see, the groups still only have the apache group; it does not have the secondary group

#17 | 09-22-2012, 12:40 PM | mistwang (LiteSpeed Staff)
Quote:
I installed lsapi 6 when I installed lsws 4.2
lsapi 6 has been updated to address this issue, rebuild your PHP with lsapi 6 again.

#18 | 09-24-2012, 07:15 PM | QuantumNet (Senior Member)
great works flawlessly... this is a revolution in security... makes suphp and standard suexec look like bandaids


thank you guys so much for this, it is a real game changer for the industry

#19 | 11-18-2012, 12:02 AM | bettinz (Member)
Hello,
Can someone post a guide about how to correctly enable cagefs without suexec?

If I already have a lot of sites with owner, how can I do that?
I mean: now I have suexec enabled, user john is the owner of john's website folder. If I enable cagefs without suexec, all the files become unwritable, because litespeed runs with user nobody.

How can I use this feature? Is this feature important for security and performance, or can I keep suexec enabled?

Thank you

#20 | 11-21-2012, 03:16 AM | NiteWave (LiteSpeed Staff)
Quote:
Can someone post a guide about How to correctly enable cagefs without suexec?
The answer is in reply #9 in this thread.

Quote:
If I enable cagefs without suexec, all the files become unwriteable, because litespeed run with user nobody.
This is just the purpose of "cagefs without suexec" mode; it's just what some hosts need. Please refer to reply #7 in this thread for more detail.

Quote:
can I keep suexec enabled?
Yes. There are 4 choices when setting
lsws admin console->Server->General->Cloud Linux:
Disabled
LVE
CageFS
CageFS without suEXEC

Generally, in a shared hosting environment, you should always enable PHP suEXEC.
And with this special combination:
LSWS 4.2 with PHP suEXEC daemon mode
+ CageFS without suEXEC

you can have PHP running as nobody for a user who enabled CageFS.