miguel.filipe at gmail
Dec 23, 2004, 2:45 PM
Post #2 of 3
Re: [gentoo-server] about php security.. big apache+php deploy
Hi all,

On Thu, 23 Dec 2004 12:56:57 -0700, Chris Schwerdt <Chris.Schwerdt [at] psi-cu-software> wrote:
> With the www user running PHP it is possible for scripts to have
> read-access to all vhosts and files.

The config file is owned by root; it's read by the first apache process, which takes care of the config file and logging. It's not www, nor world readable.

> I believe it to be a much larger
> security risk as a hole in any vhost allows for the compromise of many
> users. Also, local users have access to other users' PHP scripts, which
> usually contain DB passwords and other private information. I HIGHLY
> recommend using suPHP in any sort of virtual hosting environment.

1) We have few (3 vhosts) which are public and known; knowing about them is not a problem.
2) Users are informed that they should use ACLs for web content (giving access to www only instead of world).
3) Users are warned that passwords should always be kept encrypted, and that they are responsible for correctly setting the permissions of their files, and that they share a common machine; having world-readable permissions is BAD.

Also, the problems of a break-in on a user account are much higher: access to all files and mail, possibility of installing loggers, personification, etc.. not only a world-readable file with sensitive information (which is the user's fault).

> Safe mode is widely viewed as a hack and causes many PHP scripts to
> become non-functional.

Widely viewed as a hack? By whom? And most importantly, why?
Safe mode isn't 100% safe, obviously, and it just sets a more restrictive environment for the programmer. It might break some scripts, yes, since we are reducing the functionality of php in some ways that we consider might be problematic. The users should take care to make sure their scripts/code does what they want without using functionality that we are removing. I know that, and I assume totally that possible breakage.

OTOH, suphp has escalated privileges during its execution, and if anything goes wrong in that timespan.. BANG -> "bow before me, for I am root".
Look at this:
http://www.securityfocus.com/archive/1/372673
http://www.google.pt/search?q=cache:qT4J5NZLLMkJ:lists.marsching.biz/pipermail/suphp/2004-August/000814.html+suphp+exploit&hl=pt-PT&client=firefox
http://www.securityfocus.com/bid/11020

The setuid bit is widely viewed as a hack and the big security problem in the UNIX architecture. suexec is also a hack, a necessary one; the apache guys advise against its use, and say that they cannot warrant it's safe. All suids are a problem because of that; nobody can assure that's bug-free and not exploitable. ALL SUID ARE IN ESSENCE ESCALATION OF PRIVILEGES. A few AIX local root exploits came out these last weeks, in which only setting an environment variable in a given way would give you root. Too many things influence the behavior of one application. One should run them with the minimum necessary privileges..

Thank you for your advice, but I think suphp is a wrong approach.

> > -----Original Message-----
> > From: Miguel Filipe [mailto:miguel.filipe [at] gmail]
> > Sent: Thursday, December 23, 2004 12:49 PM
> > To: gentoo-server [at] lists; Michael Stewart;
> > gentoo-security [at] lists
> > Subject: Re: [gentoo-server] about php security.. big
> > apache+php deploy
> >
> > Hi there,
> > About using php as a cgi, I've considered that but:
> >
> > The www user is pretty locked down, much more than a regular
> > user, that can ssh, ftp, use mail etc...
> > Using cgi will allow intruders to break into a student
> > account, where they can do more damage than with the www user.
> >
> > Also, it's harder to audit and monitor 6000 possible user
> > account break-ins, than a www break-in.
> >
> > We also don't use vhosts, we use user_dir and we're trying to
> > see if we can use that with:
> > open_basedir
> > upload_tmp_dir
> > safe_mode_exec_dir
> > Tell me more *dir variables that may be handy. :)
> >
> > Best Regards,
> >
> > On Wed, 22 Dec 2004 09:28:57 -0800, Michael Stewart
> > <vericgar [at] gentoo> wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > Miguel Filipe wrote:
> > > | Hi there,
> > > |
> > > | To put things simple, I'm a bit worried with php, here's why:
> > > |
> > > | I don't know SHIT about securing php installations...
> > > | I've read about hardened-php, and I wondered if someone uses it, and
> > > | how reliable and intrusive they are (false positives interest me
> > > | especially).
> > > | Also I would like to receive input from mod_security users... from
> > > | what I understood, if that's enabled, then in a php forum I cannot
> > > | write/quote SQL code in my posts... (sql injection prevention..)
> > > |
> > > | The problem is a big server, 6000 accounts with
> > > | apache+suexec+user_dir+php, on a solaris machine.
> > > | I plan to try changing config options and security settings so it
> > > | becomes a bit more hardened.
> > > |
> > > |
> > > | Any advice is welcome.
> > > |
> > > | ps: don't "advise" me to close the server, deny functionality, etc,
> > > | these won't do... the server exists, has the accounts and I got to
> > > | live with it...
> > > |
> > >
> > > PHP can be difficult to secure in a multi-user environment. There's
> > > safe_mode, but that can be too restrictive at times and IIRC has some
> > > ways around it.
> > >
> > > If you were doing vhosts instead of user_dirs (i.e.
> > > username.example.com instead of example.com/~username) you could use
> > > open_basedir to keep them from opening or creating any file outside
> > > their $HOME. Though with 6000 users that could get tedious to
> > > maintain, though that could be scripted as well. If you do go this
> > > route, make sure to set a tmpdir that is under the open_basedir so
> > > that they can still make use of file uploads.
> > >
> > > You can also setup PHP in CGI mode, though that has some caveats as
> > > well (have to put the path to PHP as the first line of the script,
> > > though I think there's a way around this as well), but once you get it
> > > working, the php script can run under suexec and so as the user
> > > instead of as the webserver. Though there is a performance hit when
> > > you do it that way as well. But with 6000 users, I don't think you are
> > > worried too much about web-scripting performance.
> > >
> > > - --
> > > Michael Stewart                 vericgar [at] gentoo
> > > Gentoo Developer                http://dev.gentoo.org/~vericgar
> > >
> > > GnuPG Key ID 0x08614788 available on http://pgp.mit.edu
> > > - --
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.2.6 (GNU/Linux)
> > >
> > > iD8DBQFBya7Y3v7BtghhR4gRAnQgAJ4uXfhgV0ON1KljZjxY1vRtIHYVhwCffSq0
> > > 54lxLOqbxcQgV1LocQpQguY=
> > > =vTyw
> > > -----END PGP SIGNATURE-----
> > >
> > >
> >
> > --
> > Miguel Sousa Filipe
>

--
Miguel Sousa Filipe

--
gentoo-security [at] gentoo mailing list