Best practice for DSO (mod_php) handler

Game Over!

Verified User
Joined
Jan 19, 2018
Messages
13
I read this article about PHP handlers.

I use "suPHP" for my sharing hosting always but my friend has a website and bought a VPS for that. I installed PHP 7.3 with mod_php . His website has been hacked recently and I cleaned that but I couldn't find the vulnerability and I think it's still vulnerable. Of course I installed CSF+WAF+CXS and other security staffs.

Now recently I figured out many of files don't work fine and they face error:
Warning : failed to open stream. permission denied in path/to/file.php line X
Meanwhile the file permission is 644 and folder permission is 755
So I changed the folder permission and set it to 757 or 777 and now scripts work fine but I just wanna know what is best practice for it?
Because I know 444, 666, 777 are so dangerous and I really don't wanna they hack again.

So what should I do know? is there anything to fix permissions like "SuPHP" ? Should I change handler to "suPHP" ? Is mod_php my best choice?
  • Centos 7x64
  • Latest DA
  • Opencart as main website
  • Wordpress as blog
  • PHP 7.3
  • mod_php
  • CSF
  • CXS
  • ComodoWAF
  • Mod_Security
  • secure_php : Yes
  • htscanner : No
  • suhosin : Yes
  • mod_ruid2 : No
Thanks in advance
 
I never like world writable files and directory's with plain mod_php.
Imho with mod_php it's best is to set files back to 644 and all folders back to 755 and then use mod_ruid2 for security.
 
I never like world writable files and directory's with plain mod_php.
Imho with mod_php it's best is to set files back to 644 and all folders back to 755 and then use mod_ruid2 for security.
Thank you for your reply dear Richard.
I know best recommendation is 644 for all files and 755 for all directories . I also read this article and read the source of "set_permissions.sh" from "/usr/local/directadmin/scripts"
set_domaindir()
{
if [ "$1" = "" ]; then
log "***Warning empty domainname string***"
show_help
return
fi
if [ "$2" = "" ]; then
USERN=`get_domain_user $1`
if [ "$USERN" = "" ]; then
log "***Warning cannot get user for domain $1***"
return
fi
else
USERN="$2"
fi
HOMEDIR=`getent passwd "$USERN" | cut -d: -f6`;
DOMAINDIR="${HOMEDIR}/domains/${1}"
if [ ! -e $DOMAINDIR ]; then
log "cannot find $DOMAINDIR : skipping";
return;
fi
log "Directories found, setting permissions for ${DOMAINDIR}/public_html and private_html"
if [ -d "${DOMAINDIR}/public_html" ]; then
chown -R ${USERN}:${USERN} "${DOMAINDIR}/public_html/"
find "${DOMAINDIR}/public_html/" -type d -exec chmod 755 {} \;
find "${DOMAINDIR}/public_html/" -type f -exec chmod 644 {} \;
fi
if [ -L "${DOMAINDIR}/private_html" ]; then
chown -h ${USERN}:${USERN} "${DOMAINDIR}/private_html"
elif [ -d "${DOMAINDIR}/private_html" ]; then
chown -R ${USERN}:${USERN} "${DOMAINDIR}/private_html/"
find "${DOMAINDIR}/private_html" -type d -exec chmod 755 {} \;
find "${DOMAINDIR}/private_html" -type f -exec chmod 644 {} \;
fi
}

But as I said before I'm facing many error and warning while running PHP scripts. So I wanna know is there any way to avoid changing permissions to 757 or 777 to running scripts fine? Because I had to change them to 777 or 757 to they work fine.
Am I missed something during installing handlers? or CB? or what?

Thanks in advance
 
But as I said before I'm facing many error and warning while running PHP scripts. So I wanna know is there any way to avoid changing permissions to 757 or 777 to running scripts fine? Because I had to change them to 777 or 757 to they work fine.
Like I said. Use mod_ruid2 as handler with mod_php. Then you do not have to use 777 or 757. ;)
You did not use php-fpm but mod_php, so then you should best use mod_ruid2 which is not enabled, I think youmissed that one.

First enable mod_ruid2, then use the rewrite_confs command and after that maybe the set_permissions.sh but take into consideration that files and directory which are in public_html and furter (so your webspace) you probably have to put back manually to 644 and 755 for files and dirs.
 
Just to be sure:
Code:
cd /usr/local/directadmin/custombuild/
./build update
./build set mod_ruid2 yes
./build mod_ruid2
./build rewrite_confs

Oh even better, found a full page with permissions. Made by Zeiter.
 
Back
Top