3
<?php echo `whoami`; ?>

So this is returning 'root' and I don't know how to prevent it. I'm using WebHost Manager / cPanel, which is supposed to create multiple users/vhosts and have Apache spawn its process as that user/group. This isn't happening.

If I log in to WHM and open the PHP and SuExec Configuration section, my settings are:

Default PHP Version (.php files)    5
PHP 5 Handler                       cgi
PHP 4 Handler                       none

Apache suEXEC                       on

What's wrong? How can I get Apache to run as the correct user rather than root?

2 Answers

5

If you want each site to be running as its own user, the correct PHP 5 Handler setting is 'suPHP' rather than 'CGI'. Once you change this you should see that your whoami reports the individual users.

Note that you may have to run EasyApache and select "Mod SuPHP" during that process to recompile Apache / PHP for this option to be available first. This is done under:

Main >> Software >> EasyApache (Apache Update) or on the command line /scripts/easyapache

Dave Forgac
4

Apache itself is most probably running as the apache user but thanks to SuExec, PHP scripts that are owned by root will run as root. That is why your whoami command returns the root user.

If you change the owner of the files in your document root to be "apache" or "www-data" (whichever one your server uses) then that same command will return the new owner of the file.

It's probably also worthwhile making sure that all of your PHP scripts are chmod 555 and directories are not owned by the same user as the files. This will allow CGI to execute the scripts but will mean that if a flaw is ever found in one of the PHP scripts it won't be able to modify itself or any of the other scripts and it won't be able to create a new script in any of the directories. There are still plenty of things an attacker could do if they found a flaw in a PHP script but anything you can do to make it harder for them is worthwhile.

Ladadadada
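
An added example, not part of either answer above: a shell audit of a document root for the conditions the second answer describes (scripts owned by root, scripts with write bits left on instead of mode 555, and directories owned by the same user as the PHP files in them). The names `audit_docroot` and `owner_uid` and the output tags are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original answers). audit_docroot, owner_uid and
# the ROOT_OWNED / WRITABLE / SAME_OWNER tags are hypothetical names.

owner_uid() {
    # Numeric owner of a path: field 3 of `ls -ldn`.
    ls -ldn -- "$1" | awk '{print $3}'
}

audit_docroot() {
    docroot=$1
    [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 2; }

    # PHP scripts owned by uid 0, the ownership the second answer ties to
    # whoami printing "root".
    find "$docroot" -type f -name '*.php' -user 0 -print | sed 's/^/ROOT_OWNED /'

    # PHP scripts with any write bit set, i.e. looser than the suggested 555.
    find "$docroot" -type f -name '*.php' \
        \( -perm -200 -o -perm -020 -o -perm -002 \) -print | sed 's/^/WRITABLE /'

    # Directories owned by the same uid as a PHP script directly inside them:
    # that owner can add or replace scripts there.
    find "$docroot" -type d -print | while IFS= read -r dir; do
        dir_uid=$(owner_uid "$dir")
        for f in "$dir"/*.php; do
            [ -f "$f" ] || continue
            if [ "$(owner_uid "$f")" = "$dir_uid" ]; then
                echo "SAME_OWNER $dir"
                break
            fi
        done
    done
}

# Run against a path given on the command line, e.g. a site's document root.
if [ "$#" -gt 0 ]; then
    audit_docroot "$1"
fi
```

Each output line names one finding and the path it applies to; an empty result means none of the three conditions was found under the given directory.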