Apache: how to run PHP files via CGI as normal user and without them being executable



















Background



Config of server I want to mimic



I have access to a CentOS 7 server with cPanel/WHM installed, running EasyApache4 with the following configuration:



# /usr/local/cpanel/bin/rebuild_phpconf --current
DEFAULT PHP: ea-php56
ea-php55 SAPI: cgi
ea-php56 SAPI: cgi
ea-php70 SAPI: cgi
# rpm -qa|grep ruid2
# rpm -qa|grep suexec
ea-apache24-mod_suexec-2.4.33-5.5.1.cpanel.x86_64


I believe suEXEC is enabled, because /var/log/apache2/error_log contains entries like AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec).



I believe neither mod_ruid2, nor suPHP, nor PHP-FPM, nor FastCGI, nor DSO (aka mod_php) are enabled.



This server has a user, myuser, whose ~/public_html/public/ directory is used as the document root for the website mywebsite.com. (These are not the real names, obviously.)



If I put, in that directory, a PHP file called whoami.php with the following contents (note the lack of a shebang):



<html>
<body>
<p>sapi_name: <?php print php_sapi_name(); ?></p>
<p>exec whoami: <?php print exec('whoami'); ?></p>
<p>system whoami: <?php system('whoami'); ?></p>
<p>system id -a: <?php system("id -a"); ?></p>
<p>getcurrentuser: <?php print get_current_user(); ?></p>
</body>
</html>


and visit it in the browser at http://mywebsite.com/whoami.php (note that this is not using the http://mywebsite.com/~myuser/whoami.php UserDir URL format), it renders as:




sapi_name: cgi-fcgi

exec whoami: myuser

system whoami: myuser

system id -a: uid=1002(myuser) gid=1003(myuser) groups=1003(myuser)

getcurrentuser: myuser




Behaviour I want to mimic



This is true even if it lacks the executable permission, as follows:



$ ls -l /home/myuser/public_html/public/whoami.php | cut -d' ' -f1,3,4,9
-r-------- myuser myuser /home/myuser/public_html/public/whoami.php


Normally, Apache 2.4 in CGI mode cannot run a non-executable file like this, if I understand the documentation correctly:




> Of course, the file will have to exist, and be executable, and return output in a particular way, or Apache will return an error message.




However, cPanel/WHM seems to do something to alter this fact. According to the WHM documentation:




> CGI
>
> The CGI handler executes PHP applications through the mod_cgi or
> the mod_cgid Apache modules. If you install the suEXEC module, the
> system executes PHP applications as the user that owns the VirtualHost
> that served the request. If you uninstall the suEXEC module, the
> system executes PHP applications as the nobody system user. The system
> provides mod_cgi and mod_ruid2 by default.
>
> You can customize the CGI handler's settings in the PHP .user.ini
> file. […]
>
> Important:
>
> If you enable a per-user module, such as suEXEC or Ruid2, you can
> execute PHP scripts with permissions of 0400. If you disable a
> per-user module, such as suEXEC or Ruid2, you can execute PHP scripts
> with permissions of 0444.





I.e. even without suEXEC or Ruid2 enabled, EasyApache4 is somehow able to make Apache process non-executable PHP files as CGI scripts rather than just serving them as static files.



Questions



I have a different CentOS 7 machine, not routable from the internet, and for development only. It does not have cPanel/WHM installed. Security is not a priority for this machine, and it has SELinux disabled. Mimicking cPanel/WHM's behaviour is a priority for this machine: top priority.



  1. On this machine, how would I persuade Apache 2.4 to run PHP files whose permissions are 0400 or 0444, and that lack a shebang, as CGI scripts via PHP 5.6, rather than just serving them as static files? I.e. how would I achieve the something alluded to above? I'm happy to compile Apache with non-standard suEXEC configuration options, if needed.

  2. In particular, how can I do this while serving them without needing to use a UserDir URL (i.e. without the /~myuser part of a URL such as http://mywebsite.com/~myuser/mypage.php)?

  3. How would I do all this while also ensuring that those files are run by myuser, via suEXEC, rather than by the apache or httpd or nobody user?

If you can answer all three questions at a stroke, so much the better, but even if you can answer just the first one, that would be very helpful! Thank you :)


































  • I would advise against asking so many questions at once. The topic of PHP security is also a complicated one. ruid2 also has its own peculiarities, and I do not recommend it to inexperienced users.

    – Rui F Ribeiro
    Apr 28 '18 at 18:51






  • @RuiFRibeiro, thanks. I have now clarified that the second machine is a development box, not routable from the Internet. Its purpose is to mimic the EasyApache4 box, not to be secure in itself. Also, AFAICT, the EasyApache4 box is not running Ruid2.

    – sampablokuper
    Apr 28 '18 at 18:57











  • @RuiFRibeiro, as for not asking several questions at once, the motivation for my question is that I am not certain how to accomplish all of those things simultaneously. The different components are sufficiently tightly coupled that asking questions about just one or the other would eliminate important context and likely not yield a working solution. But if you have a better suggestion, I am open to it.

    – sampablokuper
    Apr 28 '18 at 19:05











  • @RuiFRibeiro, thanks for your good intentions, but IMO those links are off-topic. The first link is about using mod_ruid2 for security, but (a) AFAICT I shouldn't need to install mod_ruid2 in order to mimic the EA4 box because the latter doesn't appear to be using it, and (b) I don't need the dev box to be secure against malicious clients because I am its only client. The second and third links are about blocking or throttling unwanted clients by using modsecurity and/or mod-evasive, neither of which is relevant to my question or my use-case. Thanks again.

    – sampablokuper
    Apr 28 '18 at 19:18












  • @RuiFRibeiro, thanks, but that link just compares different PHP handlers. It does not help to answer my question. I appreciate your desire to help, but I'm afraid that posting off-topic links is not helpful. It just creates clutter. I would be grateful if you could refrain from doing it. Thanks.

    – sampablokuper
    Apr 28 '18 at 19:32


















centos permissions apache-httpd cpanel suexec






asked Apr 28 '18 at 18:40 by sampablokuper, edited Apr 28 '18 at 20:11













1 Answer














Here is a way to achieve this which is OK for a private dev environment that is only being used for that purpose, but should never be used on an internet-routable machine.



Execute these rather radical commands:



    # chown myuser:myuser /usr/bin
    # chown myuser:myuser /usr/bin/php-cgi


then:



    # chmod 711 /home/myuser
    # chmod 755 /home/myuser/public_html


Also, (re-)compile Apache to have suEXEC's AP_DOC_ROOT="/", and (re-)install it.



Modify /etc/httpd/conf/httpd.conf along these lines:



    ServerRoot "/etc/httpd"
    Listen 80
    Include conf.modules.d/*.conf
    ServerAdmin root@localhost
    #ServerName example.local
    ServerName localhost
    User apache
    Group apache
    <Directory />
        AllowOverride none
        Require all granted
    </Directory>
    <VirtualHost *:80>
        DocumentRoot "/home/myuser/public_html/public"
        SuexecUserGroup myuser myuser
        <IfModule alias_module>
            ScriptAlias /cgi-bin/ /home/myuser/public_html/public/cgi-bin/
        </IfModule>
        <Directory "/home/myuser/public_html/public">
            Options Indexes FollowSymLinks ExecCGI
            AllowOverride None
            Require all granted
            AddHandler cgi-script .cgi .pl
        </Directory>
    </VirtualHost>
    <IfModule dir_module>
        DirectoryIndex index.php index.cgi index.html index.htm
    </IfModule>


and modify /etc/httpd/conf.d/php.conf roughly like so:



    ScriptAlias /local-bin /usr/bin
    AddHandler application/x-httpd-php5 php
    Action application/x-httpd-php5 /local-bin/php-cgi


Finally, (re-)start Apache.



This is the best approach that I found prior to asking the question above. However, there are almost certainly better alternatives, and I would like to learn about them, hence my posting the question. (For instance, installing a php-cgi binary in the user's home directory should in principle be a viable and less drastic measure than modifying the ownership of the system binary and its directory.)



So, please feel free to upvote this answer if it helped you, or to comment constructively if it did not help you, but I will hold off marking it as "correct" for a while, in the hope that better answers emerge.






        edited May 1 '18 at 0:47

























        answered May 1 '18 at 0:40









sampablokuper
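The `chown` of `/usr/bin` and `/usr/bin/php-cgi` in the answer above is there to satisfy suEXEC's ownership checks on the program and its directory. The script below is an added example, not part of the original answer and not Apache's code: it re-implements a subset of suEXEC's documented checks so a less drastic layout, such as a `php-cgi` copy under the user's home directory, can be tested before touching system paths. The function names, the `user:group` argument format and the temporary fixture tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original answer: report which of suEXEC's
# ownership/permission checks a CGI target fails. Assumes GNU (or BusyBox)
# stat. Return status = number of failed checks (0 = target passes).
suexec_check() {
    local target want docroot dir path owner mode fails
    target=$1; want=$2; docroot=$3; fails=0    # want is "user:group"
    [ -f "$target" ] || { echo "FAIL: no such program: $target"; return 1; }
    dir=$(cd "$(dirname "$target")" && pwd -P) || return 1
    docroot=$(cd "$docroot" && pwd -P) || return 1
    target=$dir/$(basename "$target")

    # The program's directory must lie inside the compiled-in AP_DOC_ROOT.
    case "$dir/" in
        "${docroot%/}/"*) ;;
        *) echo "FAIL: $dir is outside docroot $docroot"; fails=$((fails + 1)) ;;
    esac

    for path in "$dir" "$target"; do
        # Directory and program must both belong to the SuexecUserGroup pair.
        owner=$(stat -c '%U:%G' "$path")
        if [ "$owner" != "$want" ]; then
            echo "FAIL: $path is owned by $owner, not $want"
            fails=$((fails + 1))
        fi
        # Neither may be writable by group or others.
        mode=$(stat -c '%a' "$path")
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL: $path (mode $mode) is writable by group or others"
            fails=$((fails + 1))
        fi
    done

    # The program itself must not be setuid or setgid ($mode is the target's).
    if [ $(( 0$mode & 06000 )) -ne 0 ]; then
        echo "FAIL: $target (mode $mode) is setuid or setgid"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed fixture: a temp tree standing in for /home/myuser/public_html
# with a user-owned local-bin/php-cgi (an empty placeholder file).
demo() {
    local tmp me
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/public_html/local-bin"
    : > "$tmp/public_html/local-bin/php-cgi"
    chmod 755 "$tmp/public_html/local-bin" "$tmp/public_html/local-bin/php-cgi"
    me=$(stat -c '%U:%G' "$tmp")
    echo "checked against the file's own owner ($me):"
    suexec_check "$tmp/public_html/local-bin/php-cgi" "$me" "$tmp/public_html" \
        && echo "  passes"
    echo "checked against a different, constructed account:"
    suexec_check "$tmp/public_html/local-bin/php-cgi" "otheruser:otheruser" "$tmp" \
        || echo "  $? check(s) failed"
    rm -rf "$tmp"
}
demo
```

Run as `suexec_check /usr/bin/php-cgi myuser:myuser /` on the unmodified system to see the two ownership failures that the answer's `chown` commands work around.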



























Tags: apache-httpd, centos, cpanel, permissions, suexec
