[Fri Mar 11 14:48:20 2016] [error] [client 181.236.205.241] SoftException in Application.cpp:594: Directory /home/myuser/public_html is not owned by myuser

How can I fix this error without giving the directory the ownership myuser? It MUST be a different user.

Can I use some suphp.conf configuration?

EDIT: it would be OK to change the ownership of the home folder altogether, but I am not sure if that would solve the suPHP problem.

EDIT2: the reason I want to do all of this is because a big website gets hacked. One of the measures, instead of fixing the whole huge application, is taking away write rights to folders and files from the Apache server. The server should no longer have the right to write, rename or create files. For this, I obviously have to take away the ownership of the files / folders.

background to what I tried a bit: https://stackoverflow.com/questions/35947081/suphp-giving-false-feeling-of-security

Toskan
  • You should consider the possibility that the website should not need to write or rename files in a directory containing sensitive information. A good example of this is the PHP session directory that contains all the sessions for each visitor when session_start is called. You could create a special directory somewhere outside the code folders where its only purpose is to store information. From there you could create a daemon that listens for requests created by the website that will handle the reading / writing. – Jake Psimos Mar 14 '16 at 16:02
  • @JakePsimos you might be addressing the wrong issue. The idea is to make the files read-only, not to allow writing/renaming of sensitive files. See EDIT2 – Chris Lear Mar 14 '16 at 16:09

1 Answer

Here's some code from Application.cpp (downloaded from http://www.suphp.org/Download.html)

    UserInfo directoryOwner = directory.getUser();
    if (directoryOwner != owner && !directoryOwner.isSuperUser()) {
        std::string error = "Directory " + directory.getPath()
            + " is not owned by " + owner.getUsername();
        logger.logWarning(error);
        throw SoftException(error, __FILE__, __LINE__);
    }

It looks like if you make the owner a superuser (root is probably easiest), the error might go away.

At risk of stating the obvious, the command would be something like this:

    $ sudo chown root /home/myuser/public_html

EDIT to add more code related to the question in the comments

    try {
        // Change working directory to script path
        API_Helper::getSystemAPI().setCwd(
            File(scriptFilename).getParentDirectory().getPath());
        if (mode == TARGETMODE_PHP) {
            std::string interpreterPath = interpreter.substr(4);
            CommandLine cline;
            cline.putArgument(interpreterPath);
            API_Helper::getSystemAPI().execute(interpreterPath, cline, env);
        } else if (mode == TARGETMODE_SELFEXECUTE) {
            CommandLine cline;
            cline.putArgument(scriptFilename);
            API_Helper::getSystemAPI().execute(scriptFilename, cline, env);
        }
    } catch (SystemException& e) {
        throw SoftException("Could not execute script \"" + scriptFilename
                                + "\"", e, __FILE__, __LINE__);
    }

Chris Lear
  • mind quickly checking: SoftException in Application.cpp:576: Could not execute script "/home/myuser/public_html/index.php" ? – Toskan Mar 14 '16 at 16:55
  • The code is trying to `cd` to `/home/myuser/public_html/` then execute the php script. Depending on the mode (see http://www.suphp.org/DocumentationView.html?file=CONFIG under 5. Handlers) it's either trying to execute the php interpreter or the script itself as cgi. To resolve, consider either changing the mode or using chmod to make either the interpreter or the script executable. Or, if the `cd` is failing, give read access to the directory to your `myuser` user. – Chris Lear Mar 14 '16 at 17:12
  • I've added the code block relating to this error to the answer – Chris Lear Mar 14 '16 at 17:14
  • I actually had to do the following: `drwxr-x--x 27 root nobody 16384 Mar 11 14:59 public_html/`. It needs to be nobody as group; it was preconfigured like this, and if I change *the group* to myuser and permission 750 then I will get a `(13)Permission denied: /home/myuser/public_html/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable` even though `.htaccess` has permission 644 – Toskan Mar 14 '16 at 17:22
  • While it's certainly not optimal to give public_html o+x, it is certainly better than what I had. Maybe is there a way I can move fix `.htaccess`? But I wouldn't know how – Toskan Mar 14 '16 at 17:23
  • You can remove .htaccess altogether by using apache config `AllowOverride none`. See https://httpd.apache.org/docs/current/mod/core.html#accessfilename and https://httpd.apache.org/docs/current/mod/core.html#allowoverride. I can't comment on whether this is a good idea for you. – Chris Lear Mar 14 '16 at 17:32
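
The owner comparison from the `Application.cpp` excerpt, combined with the read-only goal from EDIT2, as an added audit script (not part of the original posts and not suPHP code). It assumes `isSuperUser()` means uid 0, applies the comparison to every directory under the docroot, and ignores ACLs; all function names are hypothetical.

```python
import os
import stat


def dir_owner_ok(dir_uid, script_uid):
    """Comparison from the excerpt: same owner, or directory owned by uid 0
    (assumption: isSuperUser() means uid 0)."""
    return dir_uid == script_uid or dir_uid == 0


def can_write(st, uid, gids):
    """POSIX class selection: owner bits, else group bits, else other bits.
    Assumption: no ACLs or capabilities are in play."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit(root, script_uid, script_gids):
    """Return (dirs failing the owner comparison, [(path, reason)] still modifiable)."""
    bad_dirs, modifiable = [], []
    for dirpath, _dirs, files in os.walk(root):
        if not dir_owner_ok(os.lstat(dirpath).st_uid, script_uid):
            bad_dirs.append(dirpath)
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits grant nothing
            if st.st_uid == script_uid:
                # The owner can always chmod the write bit back on.
                modifiable.append((path, "owned by script user"))
            elif can_write(st, script_uid, script_gids):
                modifiable.append((path, "group/other write bit"))
    return bad_dirs, modifiable


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as docroot:  # constructed sample tree
        page = os.path.join(docroot, "index.php")
        open(page, "w").close()
        os.chmod(page, 0o666)
        # Hypothetical script user: a uid that owns nothing in the tree.
        bad, mod = audit(docroot, os.getuid() + 1, set())
        print("owner comparison fails for:", bad)
        print("still modifiable:", mod)
```

An empty second list means the script user can neither write to nor re-chmod anything under the docroot; an empty first list means no directory would raise the "is not owned by" error under the stated assumptions.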