FCGI w/ SuExec and Mod_Userdir Issues

Howdy,
 
  
With the recent push for servers to use FCGI as opposed to dso, cgi or suphp, we are seeing some issues regarding mod_userdir. With FCGI and SuExec, mod_userdir will not function as per cPanel’s documentation.

https://documentation.cpanel.net/display/ALD/Apache+mod_userdir+Tweak#Apachemod_userdirTweak-Enabledmod_userdirprotection

According to cPanel:

Enabled mod_userdir protection
Before you enable the mod_userdir module, be aware of the following information:

  • When you use FCGI as your PHP handler, you must disable suEXEC in order to run PHP scripts via the mod_userdir module.
  •  

    Warning: We strongly recommend that you do not disable suEXEC. 
    It is extremely insecure to disable suEXEC.

  • Java servlets do not work with mod_userdir-based URLs. This is because Tomcat requires that you add additional directives to the virtual host.
  •  

  • open_basedir protection restricts PHP’s access to the home directory of the user who owns the base domain, not the home directory of the user account that a visitor accesses. If you enable open_basedir protection in WHM’s PHP open_basedir Tweak interface (Home >> Security Center >> PHP open_basedir Tweak) visitors cannot access some sites via the mod_userdir module.
  •  

  • Under certain conditions, a user can attack another user’s account if they access a malicious script through a mod_userdir URL.
  •  
    Websites that use the mod_rewrite or other directives in their .htaccess files will not function correctly when visitors view them through mod_userdir URLs.

     
    The option as listed in cPanel’s documentation at least is to disable SuExec. This is not a very good or recommended option as also stated by cPanel as this creates security issues for the server.

    The other option would be to change the PHP handler for the server (typically to suPHP). This can potentially cause other issues with the server and degrad site performance, because FCGI is nearly always faster and typically offers greater performance than other PHP handlers. Also FCGI offers much more granular control over PHP which greatly increase server stability.

    The best option we have found to date is to have the user modify their hosts file if they need to connect to a site without changing DNS. This can also become an issue if a user plans to utilize a shared SSL certificate, because they would need to use mod_userdir to access it.

    https://documentation.cpanel.net/display/ALD/Manage+SSL+Hosts#ManageSSLHosts-SharedSSLCertificate

    Ideally we will want to keep the user on FCGI if possible. We have seen potential work arounds for this online, but cannot endorse these as we are not sure how viable of an option these may be. We will list any update to this as it becomes available.

    g33kadmin

    I am a g33k, Linux blogger, developer, student and Tech Writer for Liquidweb.com/kb. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....

    Leave a Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.