Apache: how to run PHP files via CGI as normal user and without them being executable



Background



Config of server I want to mimic



I have access to a CentOS 7 server with cPanel/WHM installed, running EasyApache4 with the following configuration:



# /usr/local/cpanel/bin/rebuild_phpconf --current
DEFAULT PHP: ea-php56
ea-php55 SAPI: cgi
ea-php56 SAPI: cgi
ea-php70 SAPI: cgi
# rpm -qa|grep ruid2
# rpm -qa|grep suexec
ea-apache24-mod_suexec-2.4.33-5.5.1.cpanel.x86_64


I believe suEXEC is enabled, because /var/log/apache2/error_log contains entries like AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec).



I believe neither mod_ruid2, nor suPHP, nor PHP-FPM, nor FastCGI, nor DSO (aka mod_php) are enabled.



This server has a user, myuser, whose ~/public_html/public/ directory is used as the document root for the website mywebsite.com. (These are not the real names, obviously.)



If I put, in that directory, a PHP file called whoami.php with the following contents (note the lack of a shebang):



<html>
<body>
<p>sapi_name: <?php print php_sapi_name(); ?></p>
<p>exec whoami: <?php print exec('whoami'); ?></p>
<p>system whoami: <?php system('whoami'); ?></p>
<p>system id -a: <?php system("id -a"); ?></p>
<p>getcurrentuser: <?php print get_current_user(); ?></p>
</body>
</html>


and visit it in the browser at http://mywebsite.com/whoami.php (note that this is not using the http://mywebsite.com/~myuser/whoami.php UserDir URL format), it renders as:




sapi_name: cgi-fcgi

exec whoami: myuser

system whoami: myuser

system id -a: uid=1002(myuser) gid=1003(myuser) groups=1003(myuser)

getcurrentuser: myuser




Behaviour I want to mimic



This is true even if it lacks the executable permission, as follows:



$ ls -l /home/myuser/public_html/public/whoami.php | cut -d' ' -f1,3,4,9
-r-------- myuser myuser /home/myuser/public_html/public/whoami.php


Normally, Apache 2.4 in CGI mode cannot run a non-executable file like this, if I understand the documentation correctly:




Of course, the file will have to exist, and be executable, and return output in a particular way, or Apache will return an error message.




However, cPanel/WHM seems to do something to alter this fact. According to the WHM documentation:




CGI



The CGI handler executes PHP applications through the mod_cgi or
the mod_cgid Apache modules. If you install the suEXEC module, the
system executes PHP applications as the user that owns the VirtualHost
that served the request. If you uninstall the suEXEC module, the
system executes PHP applications as the nobody system user. The system
provides mod_cgi and mod_ruid2 by default.



You can customize the CGI handler's settings in the PHP .user.ini
file. […]




Important:



If you enable a per-user module, such as suEXEC or Ruid2, you can
execute PHP scripts with permissions of 0400. If you disable a
per-user module, such as suEXEC or Ruid2, you can execute PHP scripts
with permissions of 0444.





I.e. even without suEXEC or Ruid2 enabled, EasyApache4 is somehow able to make Apache process non-executable PHP files as CGI scripts rather than just serving them as static files.



Questions



I have a different CentOS 7 machine, not routable from the internet, and for development only. It does not have cPanel/WHM installed. Security is not a priority for this machine, and it has SELinux disabled. Mimicking cPanel/WHM's behaviour is a priority for this machine: top priority.



  1. On this machine, how would I persuade Apache 2.4 to run PHP files whose permissions are 0400 or 0444, and that lack a shebang, as CGI scripts via PHP 5.6, rather than just serving them as static files? I.e. how would I achieve the something alluded to above? I'm happy to compile Apache with non-standard suEXEC configuration options, if needed.

  2. In particular, how can I do this while serving them without needing to use a UserDir URL (i.e. without the /~myuser part of a URL such as http://mywebsite.com/~myuser/mypage.php)?

  3. How would I do all this while also ensuring that those files are run by myuser, via suEXEC, rather than by the apache or httpd or nobody user?

If you can answer all three questions at a stroke, so much the better, but even if you can answer just the first one, that would be very helpful! Thank you :)










  • I would advise against asking so many questions at once. The topic of PHP security is also a complicated one. ruid2 also has its own peculiarities, and I do not recommend it to inexperienced users.

    – Rui F Ribeiro
    Apr 28 '18 at 18:51






  • @RuiFRibeiro, thanks. I have now clarified that the second machine is a development box, not routable from the Internet. Its purpose is to mimic the EasyApache4 box, not to be secure in itself. Also, AFAICT, the EasyApache4 box is not running Ruid2.

    – sampablokuper
    Apr 28 '18 at 18:57











  • @RuiFRibeiro, as for not asking several questions at once, the motivation for my question is that I am not certain how to accomplish all of those things simultaneously. The different components are sufficiently tightly coupled that asking questions about just one or the other would eliminate important context and likely not yield a working solution. But if you have a better suggestion, I am open to it.

    – sampablokuper
    Apr 28 '18 at 19:05











  • @RuiFRibeiro, thanks for your good intentions, but IMO those links are off-topic. The first link is about using mod_ruid2 for security, but (a) AFAICT I shouldn't need to install mod_ruid2 in order to mimic the EA4 box because the latter doesn't appear to be using it, and (b) I don't need the dev box to be secure against malicious clients because I am its only client. The second and third links are about blocking or throttling unwanted clients by using modsecurity and/or mod-evasive, neither of which is relevant to my question or my use-case. Thanks again.

    – sampablokuper
    Apr 28 '18 at 19:18












  • @RuiFRibeiro, thanks, but that link just compares different PHP handlers. It does not help to answer my question. I appreciate your desire to help, but I'm afraid that posting off-topic links is not helpful. It just creates clutter. I would be grateful if you could refrain from doing it. Thanks.

    – sampablokuper
    Apr 28 '18 at 19:32


















centos permissions apache-httpd cpanel suexec

edited Apr 28 '18 at 20:11 – sampablokuper
asked Apr 28 '18 at 18:40 – sampablokuper

1 Answer

Here is a way to achieve this which is OK for a private dev environment that is only being used for that purpose, but should never be used on an internet-routable machine.



Execute these rather radical commands:



    # chown myuser:myuser /usr/bin
    # chown myuser:myuser /usr/bin/php-cgi


then:



    # chmod 711 /home/myuser
    # chmod 755 /home/myuser/public_html


Also, (re-)compile Apache to have suEXEC's AP_DOC_ROOT="/", and (re-)install it.



Modify /etc/httpd/conf/httpd.conf along these lines:



    ServerRoot "/etc/httpd"
    Listen 80
    Include conf.modules.d/*.conf
    ServerAdmin root@localhost
    #ServerName example.local
    ServerName localhost
    User apache
    Group apache
    <Directory />
        AllowOverride none
        Require all granted
    </Directory>
    <VirtualHost *:80>
        DocumentRoot "/home/myuser/public_html/public"
        SuexecUserGroup myuser myuser
        <IfModule alias_module>
            ScriptAlias /cgi-bin/ /home/myuser/public_html/public/cgi-bin/
        </IfModule>
        <Directory "/home/myuser/public_html/public">
            Options Indexes FollowSymLinks ExecCGI
            AllowOverride None
            Require all granted
            AddHandler cgi-script .cgi .pl
        </Directory>
    </VirtualHost>
    <IfModule dir_module>
        DirectoryIndex index.php index.cgi index.html index.htm
    </IfModule>


and modify /etc/httpd/conf.d/php.conf roughly like so:



    ScriptAlias /local-bin /usr/bin
    AddHandler application/x-httpd-php5 php
    Action application/x-httpd-php5 /local-bin/php-cgi


Finally, (re-)start Apache.



This is the best approach that I found prior to asking the question above. However, there are almost certainly better alternatives, and I would like to learn about them, hence my posting the question. (For instance, installing a php-cgi binary in the user's home directory should in principle be a viable and less drastic measure than modifying the ownership of the system binary and its directory.)



So, please feel free to upvote this answer if it helped you, or to comment constructively if it did not help you, but I will hold off marking it as "correct" for a while, in the hope that better answers emerge.






        edited May 1 '18 at 0:47

























        answered May 1 '18 at 0:40









sampablokuper
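suEXEC refuses a target whose directory or program is not owned by the target user and group, is writable by group or other, or lies outside its compiled-in document root. The shell function below is an added example, not part of the answer above and not Apache's own code; it approximates that subset of checks so a layout such as a private `php-cgi` copy can be tested before Apache is reconfigured. The function names and the demo paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer): approximates a subset of the
# checks Apache's suEXEC wrapper applies before it runs a CGI target.

# Print "mode uid gid" for a path, using numeric ids.
_meta() { ls -ldn -- "$1" 2>/dev/null | awk '{print $1, $3, $4}'; }

# suexec_precheck DOCROOT TARGET UID GID
# Prints one FAIL line per violated condition; returns 0 only if none.
suexec_precheck() {
    docroot=$1; target=$2; want_uid=$3; want_gid=$4; rc=0

    # Resolve symlinks so the containment test works on real paths.
    real_root=$(cd -- "$docroot" 2>/dev/null && pwd -P) ||
        { echo "FAIL: cannot enter docroot $docroot"; return 1; }
    real_dir=$(cd -- "$(dirname -- "$target")" 2>/dev/null && pwd -P) ||
        { echo "FAIL: cannot enter directory of $target"; return 1; }
    [ "$real_root" = / ] && real_root=

    # 1. The target's directory must lie inside the suEXEC document root.
    case "$real_dir/" in
        "$real_root"/*) ;;
        *) echo "FAIL: $real_dir is outside $docroot"; rc=1 ;;
    esac

    # 2. Directory and program: owned by the target uid/gid, and not
    #    writable by group or other.
    for p in "$real_dir" "$target"; do
        meta=$(_meta "$p")
        [ -n "$meta" ] || { echo "FAIL: $p does not exist"; rc=1; continue; }
        mode=${meta%% *}; ids=${meta#* }
        [ "$ids" = "$want_uid $want_gid" ] ||
            { echo "FAIL: $p owned by $ids, want $want_uid $want_gid"; rc=1; }
        case $mode in
            ?????w*|????????w*) echo "FAIL: $p is group/other-writable"; rc=1 ;;
        esac
    done

    # 3. The program itself must not be setuid or setgid.
    case $(_meta "$target") in
        ???[sS]*|??????[sS]*) echo "FAIL: $target is setuid/setgid"; rc=1 ;;
    esac
    return $rc
}

# Constructed demo: an empty stand-in for a private php-cgi copy inside the
# user's own tree. The temporary paths are made up for this example.
suexec_precheck_demo() {
    demo_tmp=$(mktemp -d) || return 2
    mkdir -p "$demo_tmp/public_html/local-bin"
    : > "$demo_tmp/public_html/local-bin/php-cgi"
    chmod 755 "$demo_tmp/public_html/local-bin" "$demo_tmp/public_html/local-bin/php-cgi"
    set -- $(_meta "$demo_tmp/public_html/local-bin")   # $2=uid, $3=gid
    suexec_precheck "$demo_tmp/public_html" \
        "$demo_tmp/public_html/local-bin/php-cgi" "$2" "$3"
    demo_rc=$?
    rm -rf "$demo_tmp"
    return $demo_rc
}

suexec_precheck_demo && echo "constructed layout passes the pre-check"
```

On a real host, pass the suEXEC document root, the interpreter path, and the numeric ids from `id -u myuser` and `id -g myuser`; `suexec -V` run as root prints the compiled-in `AP_DOC_ROOT`.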



























apache-httpd, centos, cpanel, permissions, suexec
