Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
3 votes, 1 answer, 3191 views
Apache: how to run PHP files via CGI as normal user and without them being executable
# Background
## Config of server I want to mimic
I have access to a CentOS 7 server with cPanel/WHM installed, running EasyApache4 with the following configuration:
```
# /usr/local/cpanel/bin/rebuild_phpconf --current
DEFAULT PHP: ea-php56
ea-php55 SAPI: cgi
ea-php56 SAPI: cgi
ea-php70 SAPI: cgi
# rpm -qa|grep ruid2
# rpm -qa|grep suexec
ea-apache24-mod_suexec-2.4.33-5.5.1.cpanel.x86_64
```
I believe suEXEC is enabled, because `/var/log/apache2/error_log` contains entries like `AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)`.

I believe neither `mod_ruid2`, nor `suPHP`, nor `PHP-FPM`, nor `FastCGI`, nor `DSO` (aka `mod_php`) are enabled.
This server has a user, **myuser**, whose `~/public_html/public/` directory is used as the document root for the website **mywebsite.com**. (These are not the real names, obviously.)

If I put, in that directory, a PHP file called `whoami.php` with the following contents (note the lack of a [shebang](https://en.wikipedia.org/wiki/Shebang_(Unix))):
sapi_name:
exec whoami:
system whoami:
system id -a:
getcurrentuser:
and visit it in the browser at `http://mywebsite.com/whoami.php` (note that this is *not* using the `http://mywebsite.com/~myuser/whoami.php` UserDir URL format), it renders as:

> sapi_name: cgi-fcgi
> exec whoami: myuser
> system whoami: myuser
> system id -a: uid=1002(myuser) gid=1003(myuser) groups=1003(myuser)
> getcurrentuser: myuser
## Behaviour I want to mimic

This is true even if it lacks the executable permission, as follows:

```
$ ls -l /home/myuser/public_html/public/whoami.php | cut -d' ' -f1,3,4,9
-r-------- myuser myuser /home/myuser/public_html/public/whoami.php
```

Normally, Apache 2.4 in CGI mode cannot run a non-executable file like this, if I understand [the documentation](https://httpd.apache.org/docs/2.4/howto/cgi.html) correctly:

> Of course, the file will have to exist, **and be executable**, and return output in a particular way, or Apache will return an error message.

However, cPanel/WHM seems to do *something* to alter this fact. According to the [WHM documentation](https://documentation.cpanel.net/display/EA4/PHP+Handlers):

> ## CGI
> The CGI handler executes PHP applications through the `mod_cgi` or
> the `mod_cgid` Apache modules. If you install the suEXEC module, the
> system executes PHP applications as the user that owns the VirtualHost
> that served the request. If you uninstall the suEXEC module, the
> system executes PHP applications as the `nobody` system user. The system
> provides `mod_cgi` and `mod_ruid2` by default.
>
> You can customize the CGI handler's settings in the PHP `.user.ini`
> file. [...]
>
>> ###Important:
>>
>> If you **enable** a per-user module, such as suEXEC or Ruid2, you can
>> execute PHP scripts with permissions of `0400`. If you disable a
>> per-user module, such as suEXEC or Ruid2, you can execute PHP scripts
>> with permissions of `0444`.
I.e. even without suEXEC or Ruid2 enabled, EasyApache4 is somehow able to make Apache process non-executable PHP files as CGI scripts rather than just serving them as static files.
# Questions
I have a different CentOS 7 machine, not routable from the internet, and for development only. It does *not* have cPanel/WHM installed. Security is **not** a priority for this machine, and it has SELinux disabled. Mimicking cPanel/WHM's behaviour **is** a priority for this machine: top priority.
1. On this machine, how would I persuade Apache 2.4 to run PHP files whose permissions are `0400` or `0444`, and that lack a shebang, as CGI scripts via PHP 5.6, rather than just serving them as static files? I.e. how would I achieve the *something* alluded to above? I'm happy to compile Apache with non-standard [suEXEC configuration options](https://httpd.apache.org/docs/trunk/suexec.html#install), if needed.
2. In particular, how can I do this while serving them *without* needing to use a UserDir URL (i.e. without the `/~myuser` part of a URL such as `http://mywebsite.com/~myuser/mypage.php`)?
3. How would I do all this while *also* ensuring that those files are run by **myuser**, via suEXEC, rather than by the **apache** or **httpd** or **nobody** user?
If you can answer all three questions at a stroke, so much the better, but even if you can answer just the first one, that would be very helpful! Thank you :)
user6860
Apr 28, 2018, 06:40 PM
• Last activity: May 25, 2025, 09:02 AM
7 votes, 1 answer, 1779 views
suexec with chrooted environment
I'm trying to get a chrooted Apache environment working running mod_fcgid with suexec.
Looking at suexec log inside jail, the wrapper scripts are being executed with no problems, however, when I look at Apache's error log I'm seeing the errors below;
```
suexec failure: could not open log file
fopen: Permission denied
```

suexec.log;

When I `strace` both `php` and `suexec`, they do not complain about any missing library or file. The log says "could not open log file" but it obviously logs into the error log file inside the jail. What's wrong with this setup? What may trigger this error?
edit :
strace results;
[pid 9912] rt_sigaction(SIGCHLD, {SIG_DFL, [], SA_RESTORER|SA_INTERRUPT, 0x7fca687fe500}, {SIG_DFL, [], 0}, 8) = 0
[pid 9912] chdir("/var/www/username/cgi-bin/") = 0
[pid 9912] execve("/usr/sbin/suexec", ["/usr/sbin/suexec", "500", "500", "php-fcgi-starter"], [/* 1 var */]) = 0
[pid 9912] brk(0) = 0x7f2d71e91000
[pid 9912] fcntl(0, F_GETFD) = 0
[pid 9912] fcntl(1, F_GETFD) = 0
[pid 9912] fcntl(2, F_GETFD) = 0
[pid 9912] access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
[pid 9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f2000
[pid 9912] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
[pid 9912] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid 9912] fstat(3, {st_mode=S_IFREG|0644, st_size=13704, ...}) = 0
[pid 9912] mmap(NULL, 13704, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f2d715ee000
[pid 9912] close(3) = 0
[pid 9912] open("/lib64/libc.so.6", O_RDONLY) = 3
[pid 9912] read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\355\1\0\0\0\0\0"..., 832) = 832
[pid 9912] fstat(3, {st_mode=S_IFREG|0755, st_size=1916568, ...}) = 0
[pid 9912] mmap(NULL, 3745960, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f2d71041000
[pid 9912] mprotect(0x7f2d711cb000, 2093056, PROT_NONE) = 0
[pid 9912] mmap(0x7f2d713ca000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x189000) = 0x7f2d713ca000
[pid 9912] mmap(0x7f2d713cf000, 18600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f2d713cf000
[pid 9912] close(3) = 0
[pid 9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f9000
[pid 9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715ed000
[pid 9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715ec000
[pid 9912] arch_prctl(ARCH_SET_FS, 0x7f2d715ed700) = 0
[pid 9912] mprotect(0x7f2d713ca000, 16384, PROT_READ) = 0
[pid 9912] mprotect(0x7f2d715f3000, 4096, PROT_READ) = 0
[pid 9912] munmap(0x7f2d715ee000, 13704) = 0
[pid 9912] brk(0) = 0x7f2d71e91000
[pid 9912] brk(0x7f2d71eb2000) = 0x7f2d71eb2000
[pid 9912] getuid() = 48
[pid 9912] socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
[pid 9912] connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
[pid 9912] close(3) = 0
[pid 9912] socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
[pid 9912] connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
[pid 9912] close(3) = 0
[pid 9912] open("/etc/nsswitch.conf", O_RDONLY) = 3
[pid 9912] fstat(3, {st_mode=S_IFREG|0644, st_size=1688, ...}) = 0
[pid 9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f1000
[pid 9912] read(3, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1688
[pid 9912] read(3, "", 4096) = 0
[pid 9912] close(3) = 0
[pid 9912] munmap(0x7f2d715f1000, 4096) = 0
[pid 9912] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid 9912] fstat(3, {st_mode=S_IFREG|0644, st_size=13704, ...}) = 0
[pid 9912] mmap(NULL, 13704, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f2d715ee000
[pid 9912] close(3) = 0
[pid 9912] open("/lib64/libnss_files.so.2", O_RDONLY) = 3
[pid 9912] read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360!\0\0\0\0\0\0"..., 832) = 832
[pid 9912] fstat(3, {st_mode=S_IFREG|0755, st_size=65928, ...}) = 0
[pid 9912] mmap(NULL, 2151824, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f2d70e33000
[pid 9912] mprotect(0x7f2d70e3f000, 2097152, PROT_NONE) = 0
[pid 9912] mmap(0x7f2d7103f000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xc000) = 0x7f2d7103f000
[pid 9912] close(3) = 0
[pid 9912] mprotect(0x7f2d7103f000, 4096, PROT_READ) = 0
[pid 9912] munmap(0x7f2d715ee000, 13704) = 0
[pid 9912] open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
[pid 9912] fcntl(3, F_GETFD) = 0x1 (flags FD_CLOEXEC)
[pid 9912] fstat(3, {st_mode=S_IFREG|0644, st_size=952, ...}) = 0
[pid 9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f1000
[pid 9912] read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 952
[pid 9912] close(3) = 0
[pid 9912] munmap(0x7f2d715f1000, 4096) = 0
[pid 9912] open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
[pid 9912] fstat(3, {st_mode=S_IFREG|0644, st_size=952, ...}) = 0
[pid 9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f1000
[pid 9912] read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 952
[pid 9912] close(3) = 0
[pid 9912] munmap(0x7f2d715f1000, 4096) = 0
[pid 9912] socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
[pid 9912] connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
[pid 9912] close(3) = 0
[pid 9912] socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
[pid 9912] connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
[pid 9912] close(3) = 0
[pid 9912] open("/etc/group", O_RDONLY|O_CLOEXEC) = 3
[pid 9912] fstat(3, {st_mode=S_IFREG|0644, st_size=520, ...}) = 0
[pid 9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f1000
[pid 9912] read(3, "root:x:0:root\nbin:x:1:root,bin,d"..., 4096) = 520
[pid 9912] close(3) = 0
[pid 9912] munmap(0x7f2d715f1000, 4096) = 0
[pid 9912] open("/var/log/httpd/suexec.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = 3
[pid 9912] fstat(3, {st_mode=S_IFREG|0644, st_size=17043, ...}) = 0
[pid 9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f1000
[pid 9912] fstat(3, {st_mode=S_IFREG|0644, st_size=17043, ...}) = 0
[pid 9912] lseek(3, 17043, SEEK_SET) = 17043
[pid 9912] gettimeofday({1371690955, 897472}, NULL) = 0
[pid 9912] open("/etc/localtime", O_RDONLY) = 4
[pid 9912] fstat(4, {st_mode=S_IFREG|0644, st_size=2102, ...}) = 0
[pid 9912] fstat(4, {st_mode=S_IFREG|0644, st_size=2102, ...}) = 0
[pid 9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f0000
[pid 9912] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 2102
[pid 9912] lseek(4, -1337, SEEK_CUR) = 765
[pid 9912] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 1337
[pid 9912] close(4) = 0
[pid 9912] munmap(0x7f2d715f0000, 4096) = 0
[pid 9912] write(3, "[2013-06-20 03:15:55]: uid: (500"..., 77) = 77
[pid 9912] setgid(500) = 0
[pid 9912] open("/proc/sys/kernel/ngroups_max", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 9912] open("/etc/group", O_RDONLY|O_CLOEXEC) = 4
[pid 9912] fstat(4, {st_mode=S_IFREG|0644, st_size=520, ...}) = 0
[pid 9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f0000
[pid 9912] lseek(4, 0, SEEK_CUR) = 0
[pid 9912] read(4, "root:x:0:root\nbin:x:1:root,bin,d"..., 4096) = 520
[pid 9912] read(4, "", 4096) = 0
[pid 9912] close(4) = 0
[pid 9912] munmap(0x7f2d715f0000, 4096) = 0
[pid 9912] setgroups(1, ) = 0
[pid 9912] setuid(500) = 0
[pid 9912] getcwd("/var/www/username/cgi-bin", 4096) = 22
[pid 9912] chdir("/var/www") = 0
[pid 9912] getcwd("/var/www", 4096) = 9
[pid 9912] chdir("/var/www/username/cgi-bin") = 0
[pid 9912] lstat("/var/www/username/cgi-bin", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
[pid 9912] lstat("php-fcgi-starter", {st_mode=S_IFREG|0755, st_size=128, ...}) = 0
[pid 9912] close(3) = 0
[pid 9912] munmap(0x7f2d715f1000, 4096) = 0
[pid 9912] execve("php-fcgi-starter", ["php-fcgi-starter"], [/* 1 var */]) = -1 ENOENT (No such file or directory)
[pid 9912] open("/var/log/httpd/suexec.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
[pid 9912] write(2, "suexec failure: could not open l"..., 40) = 40
[pid 9912] write(2, "fopen: Permission denied\n", 25) = 25
[pid 9912] exit_group(1) = ?
The last ~20 lines are where the server throws the error.
compixtr
(385 rep)
Jun 19, 2013, 11:34 PM
• Last activity: Jul 10, 2024, 06:01 PM
0 votes, 0 answers, 1039 views
Apache 2.4 + mod_php/PHP-FPM + suexec + userdir on Debian 10
I cannot find a working, modern configuration to resolve this. I'm using Debian 10 and installed Apache 2. I have dozens of users, so I enabled `userdir`. I do not want their code to run as `www-data`, so I enabled `suexec`, which works for Python or Perl (`AddHandler cgi-script .pl .py` is enough), but I cannot do this for PHP. Is there a way to handle this with standard `mod_php` from Apache, `suexec`-like with `userdir`?

If not, I read that PHP FPM is a CGI server, which can be used by Apache by `proxy` module, which can proxy PHP to this CGI, but in the `php-fpm.conf` I only can set a single user for this.

Is there a way to run PHP web script as a user that owns the script, like `suexec` is doing, together with `userdir`?
Kamil
(1501 rep)
Aug 20, 2020, 08:48 AM
• Last activity: Feb 14, 2024, 03:53 PM
1 vote, 1 answer, 1894 views
Service httpd is failing to start - fcgid can't create shared memory
I'm not sure why, but when I try to start the httpd service, it will not start.
Server config:
OS: CentOS 5.10
PHP: 5.5.7
Apache: 2.2.3
1. I built mod_fcgid from source, put it into the /etc/httpd/modules directory.
2. I appended `LoadModule fcgid_module modules/mod_fcgid.so` to the list of modules
3. I commented out `LoadModule cgi_module modules/mod_cgi.so` since I will not need it.
4. I created a wrapper script for php and placed it into /var/www/cgi-bin:
5. I created a handler for PHP that points to the wrapper.
6. Then I try to start the httpd service

The following is the error that I get in /var/log/httpd/error_log:

```
[Mon Dec 16 12:18:26 2013] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t:s0
[Mon Dec 16 12:18:26 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Dec 16 12:18:26 2013] [notice] SSL FIPS mode disabled
[Mon Dec 16 12:18:26 2013] [notice] Digest: generating secret for digest authentication ...
[Mon Dec 16 12:18:26 2013] [notice] Digest: done
[Mon Dec 16 12:18:26 2013] [emerg] (17)File exists: mod_fcgid: Can't create shared memory for size 1200712 bytes
```
I'm not sure if this is a permissions issue, or something with SELinux perhaps - or maybe suEXEC?
I would appreciate any guidance, since I'm not even sure where to start searching.
zaemz
(254 rep)
Dec 16, 2013, 08:21 PM
• Last activity: Nov 23, 2022, 03:50 PM
0 votes, 1 answer, 778 views
Scripts cgi and suexec
I have an httpd server

```
SuexecUserGroup netmet netmet
DocumentRoot /home/netmet/html
ServerName
ServerAdmin
ErrorLog /var/log/httpd/netmet.error
TransferLog /var/log/httpd/netmet.access
DirectoryIndex index.cgi index.html
AliasMatch /netmet-cgi-bin/nmHOST-4.*-DETAILS(.*)\.cgi /usr/lib/cgi-bin/netmet-cgi-bin/nmHOST-DETAILS$1.cgi
AliasMatch /netmet-cgi-bin/nmHOST-4.*-SERVICES(.*)\.cgi /usr/lib/cgi-bin/html/netmet-cgi-bin/nmHOST-SERVICES$1.cgi
AliasMatch /netmet-cgi-bin/nmTOP_NforORGA4-.*\.cgi /usr/lib/cgi-bin/netmet-cgi-bin/nmTOP_NforORGA.cgi
AddHandler cgi-script .cgi .pl
```

When I try to access those scripts with my server, I get **500 internal server error** so I check `error.log`:

```
[Fri Jun 02 09:07:01.467017 2017] [core:notice] [pid 31617] AH00094: Command line: '/usr/sbin/apache2'
suexec policy violation: see suexec log for more details
```

Now the `suexec.log`:

After looking on the web for a solution, people advise to do

```
~# /usr/lib/apache2/suexec -V
-D SUEXEC_CONFIG_DIR=/etc/apache2/suexec/
-D AP_GID_MIN=100
-D AP_LOG_EXEC="/var/log/apache2/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=100
```

Why is **DOC_ROOT** not displayed?
klaypez
(323 rep)
Jun 2, 2017, 07:40 AM
• Last activity: Mar 3, 2018, 05:20 PM
0 votes, 1 answer, 910 views
PHP and suexec on Debian Stretch
I am trying to get suexec working with PHP on Debian Stretch (Apache 2.4.25).

I have the Debian package's default set of modules loaded plus `cgid` and `php7.0`.

This is the `VirtualHost` block I'm using on my test system:

```
ServerAdmin webmaster@localhost
DocumentRoot /var/www
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
ScriptAlias /cgi-bin/ /var/www/cgi-bin/
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Require all granted
SuexecUserGroup testuser testuser
```

This works correctly with a simple perl script in `/var/www/cgi-bin` that prints the process's UID. The script prints `1000`, verifying that suexec is working. I also get the expected line in `suexec.log`:

However, when I use a similar PHP script, `suexec` is never called and the script runs as the Apache user.

How can I get suexec to work with PHP scripts?
Flup
(8335 rep)
Jul 28, 2017, 11:01 AM
• Last activity: Jul 28, 2017, 10:14 PM
2 votes, 1 answer, 614 views
Apache suexec won't work with strace
I have an Apache instance with `mod_suexec` enabled. I'm trying to debug a problem and am starting Apache with `strace` to try and see what's happening.

However, when I start Apache like this:

```
# strace -f -o /tmp/apache.strace /etc/init.d/apache2 start
```

I get this in the error log:

```
suexec failure: could not open log file
fopen: Permission denied
```

However, when I start Apache normally, everything works correctly.

I presume that some mechanism in use by `mod_suexec` is being upset by the use of `strace`, but I'm unclear as to what exactly is happening. Is there any way of using `strace` and having `mod_suexec` work correctly?
Flup
(8335 rep)
Jul 10, 2014, 01:36 PM
• Last activity: Aug 10, 2016, 11:46 PM
1 vote, 1 answer, 5283 views
Changing suEXEC Path / CentOS 6
I have recently installed httpd on a CentOS 6 server. From what I see suEXEC was compiled with the values below;

```
-D AP_DOC_ROOT="/var/www"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="apache"
-D AP_LOG_EXEC="/var/log/httpd/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=500
-D AP_USERDIR_SUFFIX="public_html"
```

I was wondering if there's a way to change these values without compiling Apache from scratch?
compixtr
(385 rep)
Jun 14, 2013, 04:08 PM
• Last activity: Aug 10, 2016, 01:18 PM