Best Practices for Script and Code Permissions
Last modified: 2025 September 23
Overview
Running code as a user other than the owner of the code or script can create serious security vulnerabilities.
In cPanel & WHM version 132, we updated the permissions on the /etc/trueuserowners file so that it is no longer world-readable. Code that runs as a user other than the file's owner (for example, the nobody user) can no longer read this file, and some cPanel-provided CGI scripts may log errors when they try to access it. Modern web applications should always run as the user who owns the file.
What errors could I see?
With the /etc/trueuserowners file permissions locked down, you may see some errors.
Some CGI scripts may run as the nobody user. This causes incorrect contact information to display on the default CGI pages that you configure in WHM's Web Template Editor interface (WHM » Home » Account Functions » Web Template Editor).
You might also see the following error message in your Apache error_log file:
[SCRIPT-NAME] /etc/trueuserowners is not readable as nobody
Why shouldn’t I run code as other users?
When you run code as a user other than the one that owns it, the following can happen:
- You can accidentally escalate privileges. If the root user runs a script that the example user owns, then the example user effectively gains root privileges: anything that user writes into the script executes as root.
- Files that the script accesses must be world-readable, because the example user can't read files that another user owns unless you grant it explicit permission.
While this practice used to be common, it is no longer recommended.
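The privilege-escalation point above, as an added example that is not part of this documentation or cPanel's own code: a shell check that refuses to run a script as root (or as any uid) unless the expected uid owns it and nobody else can write to it. It assumes GNU coreutils stat (as on the Linux distributions cPanel runs on); the function names are illustrative.

```shell
#!/bin/sh
# Added example, not cPanel code: before running a script as a privileged
# user, make sure that user (and only that user) controls its contents.
# Assumes GNU coreutils `stat -c` (Linux).

# script_is_private FILE UID
# Returns 0 when FILE is a regular file owned by UID whose mode gives no
# write access to its group or to others; returns 1 otherwise.
script_is_private() {
    file=$1
    want_uid=$2
    [ -f "$file" ] || return 1
    owner=$(stat -c '%u' "$file") || return 1
    [ "$owner" = "$want_uid" ] || return 1
    # %a prints the octal mode, e.g. 644 or 4755. The last digit is "others",
    # the digit before it is "group"; the write bit is set when the digit is
    # 2, 3, 6 or 7.
    mode=$(stat -c '%a' "$file")
    others=${mode#${mode%?}}
    rest=${mode%?}
    group=${rest#${rest%?}}
    case $others in 2|3|6|7) return 1 ;; esac
    case $group  in 2|3|6|7) return 1 ;; esac
    return 0
}

# run_as_root_if_private SCRIPT [ARGS...]
# Wrapper for a cron job or hook that runs as root: execute SCRIPT only when
# root owns it and nobody else can modify it. A script owned by an account
# user would let that user run arbitrary commands as root, which is the
# escalation described above.
run_as_root_if_private() {
    script=$1
    shift
    if ! script_is_private "$script" 0; then
        echo "refusing to run $script as root: not a private root-owned file" >&2
        return 1
    fi
    "$script" "$@"
}
```

The check looks only at the owner and the group/other write bits, so it also rejects a root-owned script that sits at 664 or 646; the directory that holds the script should be checked the same way, because a writable parent lets another user replace the file outright.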
What you should do instead
We strongly recommend that you only run code as the user that owns the code. Set any files that you do not want to be world-readable to either 640 (for files that only need to be read) or 750 (for directories and for scripts that need the execute bit) permissions, or something even more restrictive. This prevents privilege escalation and locks the permissions to the proper user.
For more information about file permissions, read Wikipedia’s file-system permissions article.
If you receive error messages about this issue or your CGI scripts return the wrong information, change the permissions on the files with the chmod command.
You can also read our Troubleshooting Guide for Perl and CGI Scripts documentation.
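The lock-down described above, as an added example that is not part of this documentation or cPanel's own code: a shell script that counts the world-readable files under a document root and then tightens every file and directory to at most 640/750 by removing all access for others and write access for the group, so 755 becomes 750, 644 becomes 640, and a file already at 600 is left alone. It assumes a Linux find and chmod; the sample files it creates under a temporary directory are constructed for the demo, and on a real account you would point the functions at ~/public_html (or a subdirectory of it) while logged in as that account.

```shell
#!/bin/sh
# Added example, not cPanel code: audit and tighten permissions under a
# document root. Assumes a Linux find/chmod; run it as the account owner.

# count_world_readable DIR
# Prints how many regular files under DIR are readable by "others".
count_world_readable() {
    find "$1" -type f -perm -o=r | wc -l | tr -d ' '
}

# lock_down DIR
# Strips all access for others and write access for the group from DIR and
# everything below it, never loosening anything: 755 -> 750, 644 -> 640,
# 600 stays 600. Execute bits are kept, so CGI scripts still run.
lock_down() {
    find "$1" -exec chmod o-rwx,g-w {} +
}

# make_fixture
# Creates a constructed sample document root in a temporary directory and
# prints its path: a CGI script (755), a config file (644) and a private
# file (600).
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/cgi-bin" "$root/includes"
    # Probe CGI: when requested through the web server it reports which
    # user the server ran it as, which is how to confirm the handler setup.
    printf '#!/bin/sh\necho "Content-Type: text/plain"\necho\nid -un\n' \
        > "$root/cgi-bin/whoami.cgi"
    chmod 755 "$root/cgi-bin/whoami.cgi"
    echo 'db_password=example' > "$root/includes/config.php"
    chmod 644 "$root/includes/config.php"
    echo 'private' > "$root/includes/secret.txt"
    chmod 600 "$root/includes/secret.txt"
    echo "$root"
}

# demo: show the before/after counts on the constructed fixture.
demo() {
    root=$(make_fixture)
    echo "world-readable before: $(count_world_readable "$root")"
    lock_down "$root"
    echo "world-readable after:  $(count_world_readable "$root")"
    ls -lR "$root"
    rm -rf "$root"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh lock_down.sh demo` to see the counts drop from 2 to 0. Once files are at 640/750, a web server that still executes your scripts as nobody will be denied access; that is the intended effect, and the fix is to switch to a handler that runs scripts as the account user rather than to loosen the permissions again.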
EasyApache best practices
EasyApache 4 runs Podman services and Passenger applications as the user that owns the file.
For CGI and PHP scripts, whether the script runs as the user depends on the handler that you use.
CGI scripts run as the user if you use the suexec, ruid2, or ITK handler.
PHP scripts run as the user, with the following limitations:
- suexec requires that your PHP version uses either the cgi or lsapi PHP handler. If neither handler is installed, PHP runs as the nobody user.
- suphp requires that your PHP version uses the suphp handler and that you also install suexec. If you do not have both installed, PHP runs as the nobody user.
- ITK requires that your PHP version uses the PHP-FPM handler. If you do not have this handler installed, PHP runs as the nobody user.
- PHP-FPM and Ruid2 always run PHP scripts as the user.
For more information about handlers, read our PHP Handlers documentation.