15 posts / 0 new
Last post
#1 Mon, 07/27/2009 - 06:12


After recompiling apache to support /home as SUexec's root for installing virtualmin , I'm getting strang behavoir on my server that website owners in my server can view a lot of files read almost everything and in some cases delete other people's files' bu installing a php script called c99shell. how to fix this issue?

Mon, 07/27/2009 - 08:33

It looks like that program is just a PHP app that allows a user to run code as whatever user the Apache webserver runs as.

It doesn't sound like it's doing anything unusual or special.

What I'd do is make sure that your various Virtual Servers are being run within suexec -- and just make sure that the no one has "777" permissions on any of their files or directories.

At that point, code Apache runs shouldn't have permission to read or write another users files or directories.


Mon, 07/27/2009 - 09:01 (Reply to #2)

That's right but the user can go upper than his own /home folder and maybe some user of my server make one or more folder with permission of 777, so how can I force users to their home directory only? How can I find apache's running a php script with which user?

Mon, 07/27/2009 - 09:37 (Reply to #3)

Well, a couple of thoughts --

Apache is executing apps with the full rights of one of the users on your system, be it "www-data" or the Virtual Server owner. That user will have rights to files on the server who's permissions allow them to read/write the files. There's no real way around that :-)

You can, however, lock down permissions; having users set "777" on their files and directories really isn't a good idea, and you can use something like "find /home -perm 777" to discover what all has those permissions.

If someone is uploading an app like c99shell (and it's not the Virtual Server owner), that may mean one of the apps running on that Virtual Server owner has a security issue. You may need to verify that all the apps installed there are up to date.

As far as determining who Apache runs scripts as, they'll run as the apache user unless there's an suexec or suexecusergroup setup in the VirtualHost configuration.


Mon, 07/27/2009 - 09:41 (Reply to #4)

I do have suexec config , and I belive it's not problem of suexec now. Can I jail client of my server to their own home folder. ( ftp is ok but using a php based file manager is causing me difficulties )

Mon, 07/27/2009 - 10:15
ronald's picture

You can set open_basedir in the php.ini files of the server owners, It is not failsafe, but it is an extra hindrance and will stop the regular script kiddy. I use a special php.ini calles php.ini.virtualmin which I have in the server templates.

I have for instance:
open_basedir = /home/domain.com:/home/domain.com/tmp:/usr/lib/php:/usr/share/pear
disable_functions = show_source, system, exec, shell_exec, passthru, popen, proc_open, ini_restore, symlink

You can use phpsec to find out how secure your server is according to them

I know the c99shell, it is not harmless in the wrong hands. You must be certain that suexec is installed correctly and your domains are properly configured to run with it. The one that uploaded the script should then only be able to view/delete files it owns.

Mon, 07/27/2009 - 10:19

what will that open_basedir do? I just configured apache with suexec, but how Can I ensure that it's well configured?

Mon, 07/27/2009 - 10:30
ronald's picture

the open_basedir will restrict the user's php script to the directories written in that line. So his home and the tmp under his home + he will need access to php and pear, you need to put in the correct paths for your server though. Normally php scripts will not be able to go out of the domains environment.

When you check virtualmin - Server Configuration - Website options, make sure that:
Run CGI scripts as domain owner? is set to yes and
PHP script execution mode is set to Fcgid
Check this for every domain on your server.

When you have set the open_basedir then you will need to see the php and pear modules under PHP information on that same page, if you do not see them then the paths you have set are incorrect.

Tue, 07/28/2009 - 01:17 (Reply to #8)

thank you, I'll use your advises.
One more question is Is there any way for me to find out a php file is running under which user? cause almost all of client always ask me why they must set the permission of a folder to 777 instead of 755 to be able to write files in them from php scripts.

Tue, 07/28/2009 - 09:06 (Reply to #9)


If you add this code to your PHP script, it will output the effective user id it's running as:

error_log("UID: " . posix_getuid());

That will provide you the numeric UID of the user your script is running as.

If you're using suexec, you shouldn't need to use 777 permissions for directories -- PHP at that point would have write permissions to directories without requiring 777.


Tue, 07/28/2009 - 09:17 (Reply to #10)

I did check this for 3 of my domains ( with different accounts ) the output for all of them was 1 ??? Do you believe it's the misconfiguration of suexec?

Tue, 07/28/2009 - 09:33
ronald's picture

To me it sounds like the domains haven't been brought under SUexec.

What happens if you create a testdomain.com and is the template set to use the appropriate directives and running under mod_fcgid?

you can check that under virtualmin - System Settings - Server Templates - click default settings at the right pane - Apache website - Set: Automatically add appropriate SuExec directive? to yes and Add Apache user to Unix group for new servers? is Apache or www-data and Permissions on website subdirectory to 0755 and Default PHP execution mode is set to FCGId (run as virtual server owner)

you'll need that under all your templates

Tue, 07/28/2009 - 13:40 (Reply to #12)

my server already has this confirguration , but how can I set php execution method to FCGId ?

Tue, 07/28/2009 - 13:46 (Reply to #13)

Yeah, you'll need to either be using CGI or FCGID in order for suexec to work.

If you're using Virtualmin Pro, you can set the PHP execution mode in Server Configuration -> Website Options.

It's also possible to enable this in the GPL version, but it's more of a manual process -- that is described in this post:


Tue, 07/28/2009 - 14:15 (Reply to #14)
ronald's picture

see also 7 posts up

Topic locked