PHP CGI to PHP CLI

Do you use?

  • php-cgi

    Votes: 2 22.2%

  • php-cli

    Votes: 7 77.8%

  • suhosin

    Votes: 0 0.0%
  • Total voters
    9
W

wtfbrb

Verified User
Joined
Oct 11, 2009
Messages
71
Ok, quick question I believe everything is up to date on my signature as far as build info...

I have started using magento and it seems to absolutely hate php-cgi, I tried many work arounds and just sick of it. So I changed options.conf to php5-cli=yes and php5-cgi=no then ran ./build php this worked like a charm for magento, but my permissions are all wrong for the rest of my users.

I believe I have fixed this while keeping everything secure...let me know though if I am wrong.

I did chown -R apache:da_user ./public_html
in each users home directory. Seems to work just want to make sure I am ok with security as I have had my server hacked 3 times in the last 2 weeks.

  1. How can I fix permissions/owners?
  2. Is cli less safe than cgi? (Can't find anyone really claiming that on google...)
  3. Will DA create new users with correct permissions/owners?
 
Last edited:
I wanted GCI on a new server but there were a few issues:

1. most scripts acted oddly;
2. ability not to use the php_value flags in the httpd.conf's (at all) and .htaccess (unless you compile an add-on);
3. the php mail() command failing to use a custom Return-Path.

so sadly I went back to CLI/mod_php :(
 
I did chown -R apache:da_user ./public_html
Click to expand...

Very bad. Now anybody on the server can change everybody's files. You just made your server extremely insecure.

Don't do something and then ask if it is secure. Ask first and then take action.
 
Uh oh

I actually asked, then came back and edited with what I did as I needed to get everything up and running. So what do I need to do in order to get the permissions right for cli? chown seemed better than chmod as far as a security for a temp fix...
 
Code: 
chown -R da_user:da_user /home/da_user/domains/*/public_html

Then let the individual users chmod 777 the individual files and directories they need it for. Then only those files are insecure. They can do this with File Manager or their ftp program. What you did was make all the files insecure.
 
Could I butt in and ask a related question....... Say we wanted to change to CGI from CLI...... I would guess that I, the server admin, would need to chown all the user's files back to them if any were created by apache (using the command floyd posted), but would I need to chmod the files to 644 or can I leave some at 777/666/etc?
 
Running as CGI then the process user is the username instead of apache so yes chown the files to the username and 755 or whatever as long as the the last number is not 6 or 7.
 
Helpful hint...

This is what I've run in most of my /home/user/domains folder to make sure everything is set properly.

find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;

you may want to go through and chmod 444 on your config files for scripts like joomla and magento.
 
wtfbrb said:
you may want to go through and chmod 444 on your config files for scripts like joomla and magento.
Click to expand...
Have you come accross any scripts that chuck a fit? I had a few, they're probably old ones.

Also, is it official that CGI limited to a static Return-Path (to the server's default rDNS/server name) if the mail() function is used?
 
You must log in or register to reply here.
Back
Top