FCGI w/ SuExec and Mod_Userdir Issues

Howdy,

With the recent push for servers to use FCGI as opposed to dso, cgi or suphp, we are seeing some issues regarding mod_userdir. With FCGI and SuExec, mod_userdir will not function as per cPanel’s documentation.

https://documentation.cpanel.net/display/ALD/Apache+mod_userdir+Tweak#Apachemod_userdirTweak-Enabledmod_userdirprotection

According to cPanel:

Enabled mod_userdir protection

Before you enable the mod_userdir module, be aware of the following information:

  • When you use FCGI as your PHP handler, you must disable suEXEC in order to run PHP scripts via the mod_userdir module.

    Warning: We strongly recommend that you do not disable suEXEC. It is extremely insecure to disable suEXEC.

  • Java servlets do not work with mod_userdir-based URLs. This is because Tomcat requires that you add additional directives to the virtual host.

  • open_basedir protection restricts PHP’s access to the home directory of the user who owns the base domain, not the home directory of the user account that a visitor accesses. If you enable open_basedir protection in WHM’s PHP open_basedir Tweak interface (Home >> Security Center >> PHP open_basedir Tweak) visitors cannot access some sites via the mod_userdir module.

  • Under certain conditions, a user can attack another user’s account if they access a malicious script through a mod_userdir URL.

  • Websites that use the mod_rewrite or other directives in their .htaccess files will not function correctly when visitors view them through mod_userdir URLs.
