Best Practices for Script and Code Permissions

Last modified: 2025 September 23


Overview

Running code as a user other than the code or script’s owner can create serious security vulnerabilities.

In cPanel & WHM version 132, we updated the permissions on the /etc/trueuserowners file so that it is no longer world-readable. Code that runs as a user other than the account owner (for example, the nobody user) can no longer read this file, so some cPanel-provided CGI scripts log an error when they try to access it. Modern web applications should always run as the user who owns the file.

What errors could I see?

With the /etc/trueuserowners file permissions locked down, you may see some errors.

Some CGI scripts may run as the nobody user. Because nobody can no longer read /etc/trueuserowners, those scripts cannot determine which account owns the page, and the default CGI pages configured in WHM’s Web Template Editor interface (WHM » Home » Account Functions » Web Template Editor) display incorrect contact information.

You might also see the following error message in your Apache error_log file:

[SCRIPT-NAME] /etc/trueuserowners is not readable as nobody

Why shouldn’t I run code as other users?

When you run code as other users, the following can happen:

  • You can accidentally escalate privileges. If the root user runs a script that the example user owns, the example user can edit that script and make root execute whatever commands they choose, so the example user effectively gains root privileges.
  • Files that the script accesses must be world-readable. When a script runs as the nobody user, it cannot read the account’s files unless you grant explicit permission, so administrators end up making those files world-readable, which means every other account on the server can read them too.

While this practice used to be common, it is no longer recommended.

What you should do instead

We strongly recommend that you only run code as the user that owns the code. We also recommend that you set any files that you do not want to be world-readable to 640 (data and configuration files) or 750 (directories and executable scripts), or even more restrictive permissions. This prevents privilege escalation and limits access to the proper user.

For more information about file permissions, read Wikipedia’s file-system permissions article.

If you receive error messages about this issue or your CGI scripts return the wrong information, confirm that your handler runs the script as the account owner and then correct the permissions on the affected files with the chmod command.
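The following script is an added example and not part of cPanel’s documentation or tooling. It audits a directory tree for entries that grant any permission to "others" and tightens the paths you pass it to 640 or 750 as recommended above. The account path /home/example/public_html and the file names in the demo are assumptions; the demo tree is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not cPanel's own code: audit an account's files for
# world-accessible permissions and tighten the sensitive ones to 640 (data
# files) or 750 (directories and executables), as the text recommends.
# Paths such as /home/example/public_html are assumptions; use the real
# account home in practice.

# List regular files and directories under $1 that grant any permission to
# "others". Each -perm test matches when that single bit is set.
list_world_accessible() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -o=r -o -perm -o=w -o -perm -o=x \) -print | sort
}

# Number of world-accessible entries under $1 (tr strips wc's padding).
count_world_accessible() {
    list_world_accessible "$1" | wc -l | tr -d ' '
}

# Tighten each path given: directories and owner-executable files become 750,
# everything else 640. Ownership is left alone; fix that with chown if wrong.
lock_down() {
    for path in "$@"; do
        if [ -d "$path" ] || [ -x "$path" ]; then
            chmod 750 "$path"
        else
            chmod 640 "$path"
        fi
    done
}

# Octal mode of a path, e.g. 640 (GNU stat, as on cPanel's Linux hosts).
mode_of() {
    stat -c '%a' "$1"
}

# Demo on a constructed tree standing in for /home/example/public_html.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/cgi-bin"
    printf '<?php $db_pass = "constructed-secret";\n' > "$root/public_html/config.php"
    printf '#!/bin/sh\necho "Content-Type: text/plain"; echo; id -un\n' \
        > "$root/public_html/cgi-bin/whoami.cgi"
    chmod 644 "$root/public_html/config.php"          # world-readable secret
    chmod 755 "$root/public_html/cgi-bin/whoami.cgi"  # world-executable script
    echo "before: $(count_world_accessible "$root") world-accessible entries"
    lock_down "$root/public_html/config.php" "$root/public_html/cgi-bin/whoami.cgi"
    echo "after:  config.php=$(mode_of "$root/public_html/config.php")" \
         "whoami.cgi=$(mode_of "$root/public_html/cgi-bin/whoami.cgi")"
    rm -rf "$root"
}

demo
```

Apply lock_down only to files the script itself reads or executes. Static content that Apache serves directly (images, stylesheets) is read by the Apache process, not by the script, so tightening it to 640 can break the site; check the site after each change and revert with chmod where needed.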

You can also read our Troubleshooting Guide for Perl and CGI Scripts documentation.

EasyApache best practices

EasyApache 4 runs Podman services and Passenger applications as the user that owns the file.

In EasyApache 4, whether a script runs as the user depends on the handler you use, and for PHP on the combination of the Apache module and the PHP handler.

CGI scripts will run as the user if you use the following handlers: suexec, ruid2, or ITK.

PHP scripts run as the user only when the Apache module and the PHP handler match, as follows:

  • suexec requires your PHP version to use either the cgi or lsapi PHP handler. Otherwise, PHP runs as the nobody user.
  • suphp requires that your PHP version uses the suphp PHP handler and that you also install suexec. Otherwise, PHP runs as the nobody user.
  • ITK requires that your PHP version uses the PHP-FPM handler. Otherwise, PHP runs as the nobody user.
  • PHP-FPM and Ruid2 always run PHP scripts as the user.

For more information about handlers, read our PHP Handlers documentation.
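Rather than reasoning about the handler table alone, you can verify which user a handler actually runs scripts as. The following CGI script is an added example, not part of cPanel or EasyApache: it prints the effective user of the process next to the owner of the script file and flags a mismatch. The location /home/example/public_html/cgi-bin/whoami.cgi is an assumption; Apache sets the SCRIPT_FILENAME variable for CGI requests, and when run from a shell the script reports on itself.

```shell
#!/bin/sh
# Added example, not cPanel's own code: a CGI script that reports which user
# it runs as and compares that to the owner of the script file. Install it as,
# for example, /home/example/public_html/cgi-bin/whoami.cgi (assumed path),
# chmod 755 it, and request it in a browser. "nobody" as the effective user
# means the handler is not running scripts as the account owner.

# Name of the user the current process runs as.
effective_user() {
    id -un
}

# Owner of a file, by name (GNU stat, as on cPanel's Linux hosts).
owner_of() {
    stat -c '%U' "$1"
}

# Succeeds (exit 0) when the process runs as the owner of $1, fails otherwise.
runs_as_owner() {
    [ "$(effective_user)" = "$(owner_of "$1")" ]
}

# Render the report; the first line plus the blank line form the CGI header.
report() {
    script=$1
    printf 'Content-Type: text/plain\n\n'
    printf 'script:         %s\n' "$script"
    printf 'owner:          %s\n' "$(owner_of "$script")"
    printf 'effective user: %s\n' "$(effective_user)"
    if runs_as_owner "$script"; then
        printf 'status:         OK (runs as owner)\n'
    else
        printf 'status:         MISMATCH (not running as owner; check the handler)\n'
    fi
}

# Under Apache, SCRIPT_FILENAME names this script; from a shell, use $0.
if [ -n "${SCRIPT_FILENAME:-}" ]; then
    report "$SCRIPT_FILENAME"
elif [ -f "$0" ]; then
    report "$0"
fi
```

Run it once per handler configuration you care about (for example before and after switching a PHP version from DSO to PHP-FPM) and keep the output with your change record; a MISMATCH line means the files that script reads still need to be world-readable, which is exactly the situation the rest of this page advises against.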

Additional Documentation