PHP might be running as a privileged group
Hello,
This is what I get from phpsecinfo:
Looking at value 10, that's the wheel group; users in this group can use the "su -" command to get a root prompt. The error does not disappear if you remove the user from the wheel group. That error is annoying; is there anything I can do to make it disappear?
-
Hello :) Could you let us know which PHP handler (e.g. DSO, suPHP) is enabled on your system? Thank you. 0 -
> Hello :) Could you let us know which PHP handler (e.g. DSO, suPHP) is enabled on your system? Thank you.
suPHP with suEXEC enabled. I disabled FastCGI again because I was getting a lot of emails from CSF about high resource usage. 0 -
> That error is annoying; is there anything I can do to make it disappear?
You may want to post to the PHPSecInfo mailing list to report this issue to them or to have them better identify specific instances where it may not be an actual security problem. Thank you. 0 -
Was a user id that PHP runs as in the wheel group? If so that's not a good sign IMO, unless you were running the site under an account that you had knowingly granted that privilege to. Also how are you accessing phpsecinfo? Under what user or document root are you calling it? I tried it under a SuPHP user with SuEXEC and I do not get the privileged GID warning. 0 -
> Was a user id that PHP runs as in the wheel group? If so that's not a good sign IMO, unless you were running the site under an account that you had knowingly granted that privilege to. Also how are you accessing phpsecinfo? Under what user or document root are you calling it? I tried it under a SuPHP user with SuEXEC and I do not get the privileged GID warning.
I granted that permission (the wheel group thing). I call phpsecinfo like this: domain.com/phpsecinfo/index.php. The strange thing is the warning does not disappear if I remove the involved user from the wheel group; also, I don't get a warning about the user running PHP. If it works with no warning on your end then there must be something wrong on my end. I will find out; I think CloudLinux (CageFS and such) has something to do with it. I just noticed the index.php file is just an example of how to call that system, jeez, sorry for being ignorant about this. My suphp_log shows the correct UID and GID values: [Fri Dec 12 12:57:11 2014] [info] Executing "/home/username/public_html/phpsecinfo/index.php" as UID 504, GID 505 0 -
Hello, when I disable CageFS for that particular account the error disappears. Now the question is why is this happening? I guess I need to ask CloudLinux support. 0 -
Hi, problem solved :D After I removed the involved user from the wheel group using the usermod command it was still saying that user is a member of the wheel group. I scratched my head and it turns out CageFS has its own group and passwd files and you need to edit them (only the group file in this case). After that you need to run as root: cagefsctl --force-update-etc username
Just posting in case anybody has the same problem. 0 -
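The mismatch described in the post above can be checked directly by comparing the host's group file with the copy the caged account sees. This is an added example, not part of the original thread or of CageFS itself; the function names and the sample files are constructed, and the location of the CageFS copy is not given in the thread, so it is passed in as an argument.

```shell
#!/bin/sh
# Added example: find group memberships that survive only in a second
# copy of a group(5) file, e.g. a per-user copy kept by a chroot/cage.

# groups_of USER FILE -> prints "gid:name" for each group listing USER
# as a supplementary member (exact match, so "user" != "username").
groups_of() {
    awk -F: -v u="$1" '
        NF >= 4 {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u) { print $3 ":" $1; break }
        }' "$2" | sort -t: -k1,1n
}

# stale_groups USER HOST_FILE CAGE_FILE
# Prints memberships found in CAGE_FILE but not in HOST_FILE.
# Returns 1 if any are found, 0 if the cage copy has nothing extra.
stale_groups() {
    sys=$(groups_of "$1" "$2")
    out=$(groups_of "$1" "$3" | while IFS= read -r g; do
        printf '%s\n' "$sys" | grep -Fxq -- "$g" || printf '%s\n' "$g"
    done)
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

# Constructed sample data: the host file after usermod removed the user
# from wheel (gid 10), and a stale copy that still lists the user.
tmp=$(mktemp -d)
printf 'wheel:x:10:root\nmail:x:12:username\n' > "$tmp/group.host"
printf 'wheel:x:10:root,username\nmail:x:12:username\n' > "$tmp/group.cage"

stale_groups username "$tmp/group.host" "$tmp/group.cage" ||
    echo "stale membership above: fix the cage copy, then run cagefsctl --force-update-etc username"
rm -rf "$tmp"
```

An empty result with exit status 0 means the cage copy grants the user nothing the host file does not.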
I am happy to see you were able to address the issue. Thank you for updating us with the outcome. 0