Tag: cpanel
Mail Host (SSL): mail.root
by KingJ on Feb.11, 2009, under Howto
On my cPanel server, I noticed that users were being given the incorrect FQDN (Fully Qualified Domain Name, e.g. example.com) for mail.root as the SSL address for the mail server. This is odd, since there is nowhere to actually configure the SSL host address. After a bit of poking around, it seems it sets the address based upon the address of your SSL cert. In my case, I was using a wildcard SSL certificate from CAcert (free SSL certificates). However, as the certificate was a wildcard certificate, it had no idea what the actual FQDN you wanted was! After purchasing a cheap RapidSSL cert for £10 and installing it, the SSL Host FQDN displayed correctly for users. Plus they won’t get any certificate warnings any more!
suphp
by KingJ on Feb.08, 2009, under Howto
suPHP is an option when compiling PHP that runs all scripts as the owner of the folder. Traditionally on shared hosting accounts, PHP scripts are run as “nobody” to prevent them from causing havoc with the system. However, this still leaves a few vulnerabilities where a PHP script from one user might be able to access other users’ files. By running the script as the owner, the Linux user permissions system is correctly invoked – users can only edit and affect their own files.
However, having recently recompiled PHP and Apache on cPanel to enable suexec support, I came across a problem where pages would give an internal server error (Error 500). This was caused by one of the following:
- php_flag in .htaccess
- php_value in .htaccess
- Permissions on PHP scripts not set to 644
- Permissions on public_html folder not set to 771
Due to the nature of suexec, php_flag and php_value will not work! Instead you need to set suPHP_ConfigPath in your .htaccess to the path where your own php.ini can be found (note: this is the directory that contains php.ini, not the full path to the php.ini file itself).
suexec will also not execute any scripts with insecure permissions, such as 777. Set all PHP scripts to 644.
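The following added example (not from the original post) audits a document root for the three causes of the Error 500 listed above. The function name `audit_suphp` and the finding labels are made up for this illustration, and it assumes GNU find, as found on a typical cPanel Linux server.

```shell
# Added example: report the suPHP Error 500 causes described in the post.
# Usage: audit_suphp DOCROOT
# Prints one finding per line; returns 0 if clean, 1 if anything was found.
audit_suphp() {
    local root=$1 findings
    findings=$(
        # 1. php_flag / php_value lines in any .htaccess below the docroot.
        #    These are mod_php directives and are rejected once PHP runs via suPHP.
        find "$root" -type f -name .htaccess \
            -exec grep -HnE '^[[:space:]]*php_(flag|value)[[:space:]]' {} + |
            sed 's/^/htaccess-directive: /'

        # 2. PHP scripts whose mode is not the 644 the post prescribes
        #    (this also catches world-writable modes such as 777).
        find "$root" -type f -name '*.php' ! -perm 644 \
            -printf 'script-mode %m: %p\n'

        # 3. The docroot itself, which the post expects to be 771.
        find "$root" -maxdepth 0 ! -perm 771 \
            -printf 'docroot-mode %m: %p\n'
    )
    # No output means none of the three conditions was found.
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it against a user's public_html folder before switching the handler to suPHP; each `htaccess-directive` finding is a setting that needs to move into the php.ini referenced by suPHP_ConfigPath.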
Once you’ve taken these issues into account, your PHP should be running in a more secure fashion. Under cPanel/WHM you can enable suphp by going to the EasyApache option, which will recompile PHP and Apache. This is not a task to be taken lightly: ensure you know what you are doing before, during and after using EasyApache to recompile PHP and Apache. If after recompiling you encounter errors caused by the above, you can temporarily set the PHP handler to dso on cPanel instead of suphp.