Support

DoM · #1 08-05-2011, 06:42 AM

Hello,
we notice when upgrade to 4.1.3 that with a shell php we can see into other cpanel account public_html dir.

php is 5.3.6 and suphp or cgi is enabled.

What we have to do in order to prevent this ?

Waiting for your reply

Regards

mistwang · #2 08-05-2011, 07:00 AM

Can you check which user ID that shell PHP run as ? add "id" output.
It should run as user ID of a account that the PHP script belongs to when PHP suEXEC is enabled.
However, if it is "nobody", then just like web server process, it could read files from all accounts.

DoM · #3 08-05-2011, 07:04 AM

id is cpanel user id

Waiting for your reply

Regards

DoM · #4 08-05-2011, 08:00 AM

I also find another issue:

if perms of public_html are 750, no security problem anymore BUT some websites, shows error 404 instead of showing web page.

If perms of public_html are 755 everything works but there are security problems.

Waiting for your reply

Regards

mistwang · #5 08-05-2011, 08:04 AM

you need to check the permission of public_html folder then.
It should be owned by "user:nobody" with permission mask of "0750", only user and nobody group can access anything under public_html.

mistwang · #6 08-05-2011, 08:09 AM

maybe you were not running LiteSpeed as nobody user, you may need to reinstall litespeed if that is the case.
The permission mask has to be 0750, you need to figure out what else causes the 404 error.

DoM · #7 08-05-2011, 08:32 AM

As you can see litespeed is running as nobody user:

ps axuw |grep -i lite
root 700747 1.7 0.6 78616 50276 ? S< 17:27 0:04 litespeed (lshttpd)
nobody 700920 0.6 0.6 96864 50096 ? S<l 17:28 0:01 litespeed (lshttpd)
nobody 700923 0.6 0.6 96944 50124 ? S<l 17:28 0:01 litespeed (lshttpd)
nobody 700926 4.4 1.2 149336 99292 ? S<l 17:28 0:09 litespeed (lshttpd)
nobody 700927 0.6 0.6 96864 50096 ? S<l 17:28 0:01 litespeed (lshttpd)
nobody 700928 0.6 0.6 96864 50096 ? S<l 17:28 0:01 litespeed (lshttpd)
nobody 700929 0.6 0.6 96864 50096 ? S<l 17:28 0:01 litespeed (lshttpd)
nobody 700938 0.6 0.6 96864 50096 ? S<l 17:28 0:01 litespeed (lshttpd)
nobody 700941 0.6 0.6 96864 50096 ? S<l 17:28 0:01 litespeed (lshttpd)
root 704522 1.0 0.0 61196 852 pts/1 S+ 17:31 0:00 grep -i lite

Perms right now are 750 but still receive 404 error also if webpage exists.

Waiting for your reply

Regards

mistwang · #8 08-05-2011, 09:11 AM

You should only change permission of public_html, files and directories under it should be world readable.

DoM · #9 08-05-2011, 10:06 AM

No way as you can see in next log.

public_html has permissions 750.

Index.php 644
.htaccess 644

This is litespeed error:

2011-08-05 19:03:08.923 [ERROR] [HTAccess] Failed to open [/home/xxxxxxxx/public_html/.htaccess]: Permission denied
2011-08-05 19:03:09.041 [NOTICE] [y.y.y.y:51880-0#APVH_xxxxxxxx.xx] [STDERR] PHP Warning: opendir(/home/xxxxxxxx/public_html/) [<a href='function.opendir'>function.opendir</a>]: failed to op
en dir: Permission denied in /usr/local/lib/php/autoindex/default.php on line 136

Waiting for your reply

Regards

DoM · #10 08-05-2011, 10:25 AM

Issue is resolved.

public_html group was cPanel account group and not nobody.

Setting to nobody group everything works.

Best regards