Apache: how to run PHP files via CGI as normal user and without them being executable

3 votes
1 answer
3191 views
# Background

## Config of server I want to mimic

I have access to a CentOS 7 server with cPanel/WHM installed, running EasyApache4 with the following configuration:

```
# /usr/local/cpanel/bin/rebuild_phpconf --current
DEFAULT PHP: ea-php56
ea-php55 SAPI: cgi
ea-php56 SAPI: cgi
ea-php70 SAPI: cgi
# rpm -qa|grep ruid2
# rpm -qa|grep suexec
ea-apache24-mod_suexec-2.4.33-5.5.1.cpanel.x86_64
```

I believe suEXEC is enabled, because `/var/log/apache2/error_log` contains entries like `AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)`.

I believe neither mod_ruid2, nor suPHP, nor PHP-FPM, nor FastCGI, nor DSO (aka mod_php) are enabled.

This server has a user, **myuser**, whose `~/public_html/public/` directory is used as the document root for the website **mywebsite.com**. (These are not the real names, obviously.)

If I put, in that directory, a PHP file called `whoami.php` with the following contents (note the lack of a [shebang](https://en.wikipedia.org/wiki/Shebang_(Unix))):

sapi_name:

exec whoami:

system whoami:

system id -a:

getcurrentuser:

and visit it in the browser at http://mywebsite.com/whoami.php (note that this is *not* using the http://mywebsite.com/~myuser/whoami.php UserDir URL format), it renders as:

> sapi_name: cgi-fcgi
> exec whoami: myuser
> system whoami: myuser
> system id -a: uid=1002(myuser) gid=1003(myuser) groups=1003(myuser)
> getcurrentuser: myuser

## Behaviour I want to mimic

This is true even if it lacks the executable permission, as follows:

```
$ ls -l /home/myuser/public_html/public/whoami.php | cut -d' ' -f1,3,4,9
-r-------- myuser myuser /home/myuser/public_html/public/whoami.php
```

Normally, Apache 2.4 in CGI mode cannot run a non-executable file like this, if I understand [the documentation](https://httpd.apache.org/docs/2.4/howto/cgi.html) correctly:

> Of course, the file will have to exist, **and be executable**, and return output in a particular way, or Apache will return an error message.

However, cPanel/WHM seems to do *something* to alter this fact. According to the [WHM documentation](https://documentation.cpanel.net/display/EA4/PHP+Handlers):

> ## CGI
>
> The CGI handler executes PHP applications through the mod_cgi or the mod_cgid Apache modules. If you install the suEXEC module, the system executes PHP applications as the user that owns the VirtualHost that served the request. If you uninstall the suEXEC module, the system executes PHP applications as the nobody system user. The system provides mod_cgi and mod_ruid2 by default.
>
> You can customize the CGI handler's settings in the PHP .user.ini file. [...]
>
>> ### Important:
>>
>> If you **enable** a per-user module, such as suEXEC or Ruid2, you can execute PHP scripts with permissions of 0400. If you disable a per-user module, such as suEXEC or Ruid2, you can execute PHP scripts with permissions of 0444.

I.e. even without suEXEC or Ruid2 enabled, EasyApache4 is somehow able to make Apache process non-executable PHP files as CGI scripts rather than just serving them as static files.

# Questions

I have a different CentOS 7 machine, not routable from the internet, and for development only. It does *not* have cPanel/WHM installed. Security is **not** a priority for this machine, and it has SELinux disabled. Mimicking cPanel/WHM's behaviour **is** a priority for this machine: top priority.

1. On this machine, how would I persuade Apache 2.4 to run PHP files whose permissions are 0400 or 0444, and that lack a shebang, as CGI scripts via PHP 5.6, rather than just serving them as static files? I.e. how would I achieve the *something* alluded to above? I'm happy to compile Apache with non-standard [suEXEC configuration options](https://httpd.apache.org/docs/trunk/suexec.html#install), if needed.
2. In particular, how can I do this while serving them *without* needing to use a UserDir URL (i.e. without the `/~myuser` part of a URL such as http://mywebsite.com/~myuser/mypage.php)?
3. How would I do all this while *also* ensuring that those files are run by **myuser**, via suEXEC, rather than by the **apache** or **httpd** or **nobody** user?

If you can answer all three questions at a stroke, so much the better, but even if you can answer just the first one, that would be very helpful! Thank you :)

Asked by user6860
Apr 28, 2018, 06:40 PM
Last activity: May 25, 2025, 09:02 AM
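
An added example, not part of the original question: a Python audit that compares the mode of each `.php` file under a document root with the two minimums quoted from the WHM documentation in the question (0400 with suEXEC or Ruid2, 0444 without). The function names, finding labels and sample files are constructed for illustration, and the "below documented minimum" finding assumes the handler user is the file owner when a per-user module is on and an unrelated user otherwise.

```python
import os
import stat
import tempfile

# Minimum modes quoted from the WHM documentation in the question:
# 0400 with a per-user module (suEXEC/Ruid2), 0444 without one.
MIN_MODE = {True: 0o400, False: 0o444}


def audit_php_modes(docroot, per_user_module):
    """Return sorted (relative path, octal mode, finding) tuples for .php
    files whose permission bits differ from the documented minimum."""
    need = MIN_MODE[per_user_module]
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            rel = os.path.relpath(path, docroot)
            if mode & need != need:
                # A required read bit is missing for this handler setup.
                findings.append((rel, oct(mode), "below documented minimum"))
            elif mode & 0o022:
                # Other local accounts could rewrite the script.
                findings.append((rel, oct(mode), "group/world writable"))
            elif mode & ~need & 0o777:
                # Extra bits (exec, extra read) the CGI handler does not need.
                findings.append((rel, oct(mode), "broader than needed"))
    return sorted(findings)


def demo():
    """Build a constructed docroot and audit it for both handler setups."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in [("whoami.php", 0o400), ("index.php", 0o444),
                           ("upload.php", 0o666), ("cli.php", 0o755)]:
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("<?php\n")
            os.chmod(path, mode)
        return audit_php_modes(root, True), audit_php_modes(root, False)


if __name__ == "__main__":
    with_module, without_module = demo()
    print("per-user module on :", with_module)
    print("per-user module off:", without_module)
```

The check reads mode bits only; it does not verify ownership or the permissions of parent directories.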