[Solved] shell php

Discussion in 'Install/Configuration' started by DoM, Aug 5, 2011.

  1. DoM

    DoM New Member

    Hello,
    we notice when upgrade to 4.1.3 that with a shell php we can see into other cpanel account public_html dir.

    php is 5.3.6 and suphp or cgi is enabled.

    What we have to do in order to prevent this ?


    Waiting for your reply

    Regards
  2. mistwang

    mistwang LiteSpeed Staff

    Can you check which user ID that shell PHP run as ? add "id" output.
    It should run as user ID of a account that the PHP script belongs to when PHP suEXEC is enabled.
    However, if it is "nobody", then just like web server process, it could read files from all accounts.
  3. DoM

    DoM New Member

    id is cpanel user id

    Waiting for your reply


    Regards
  4. DoM

    DoM New Member

    I also find another issue:

    if perms of public_html are 750, no security problem anymore BUT some websites, shows error 404 instead of showing web page.

    If perms of public_html are 755 everything works but there are security problems.


    Waiting for your reply

    Regards
  5. mistwang

    mistwang LiteSpeed Staff

    you need to check the permission of public_html folder then.
    It should be owned by "user:nobody" with permission mask of "0750", only user and nobody group can access anything under public_html.
  6. mistwang

    mistwang LiteSpeed Staff

    maybe you were not running LiteSpeed as nobody user, you may need to reinstall litespeed if that is the case.
    The permission mask has to be 0750, you need to figure out what else causes the 404 error.
  7. DoM

    DoM New Member

    As you can see litespeed is running as nobody user:

    ps axuw |grep -i lite
    root 700747 1.7 0.6 78616 50276 ? S< 17:27 0:04 litespeed (lshttpd)
    nobody 700920 0.6 0.6 96864 50096 ? S<l 17:28 0:01 litespeed (lshttpd)
    nobody 700923 0.6 0.6 96944 50124 ? S<l 17:28 0:01 litespeed (lshttpd)
    nobody 700926 4.4 1.2 149336 99292 ? S<l 17:28 0:09 litespeed (lshttpd)
    nobody 700927 0.6 0.6 96864 50096 ? S<l 17:28 0:01 litespeed (lshttpd)
    nobody 700928 0.6 0.6 96864 50096 ? S<l 17:28 0:01 litespeed (lshttpd)
    nobody 700929 0.6 0.6 96864 50096 ? S<l 17:28 0:01 litespeed (lshttpd)
    nobody 700938 0.6 0.6 96864 50096 ? S<l 17:28 0:01 litespeed (lshttpd)
    nobody 700941 0.6 0.6 96864 50096 ? S<l 17:28 0:01 litespeed (lshttpd)
    root 704522 1.0 0.0 61196 852 pts/1 S+ 17:31 0:00 grep -i lite


    Perms right now are 750 but still receive 404 error also if webpage exists.

    Waiting for your reply


    Regards
  8. mistwang

    mistwang LiteSpeed Staff

    You should only change permission of public_html, files and directories under it should be world readable.
  9. DoM

    DoM New Member

    No way as you can see in next log.

    public_html has permissions 750.

    Index.php 644
    .htaccess 644

    This is litespeed error:

    2011-08-05 19:03:08.923 [ERROR] [HTAccess] Failed to open [/home/xxxxxxxx/public_html/.htaccess]: Permission denied
    2011-08-05 19:03:09.041 [NOTICE] [y.y.y.y:51880-0#APVH_xxxxxxxx.xx] [STDERR] PHP Warning: opendir(/home/xxxxxxxx/public_html/) [<a href='function.opendir'>function.opendir</a>]: failed to op
    en dir: Permission denied in /usr/local/lib/php/autoindex/default.php on line 136


    Waiting for your reply

    Regards
  10. DoM

    DoM New Member

    Issue is resolved.

    public_html group was cPanel account group and not nobody.

    Setting to nobody group everything works.


    Best regards

Share This Page