06-24-2013, 09:58 AM
Thomas Goirand

advice request for shared hosting and security issue

On 06/24/2013 01:58 PM, Marek Podmaka wrote:
> As for minimum you should set open_basedir restriction, that should
> prevent internal php functions to read other files.

Excuse me to say it this way but ... NO !!!

Seriously, open_basedir has been deprecated for *years* now, and is
totally removed from latest versions. Also, just have a look into
/usr/share/doc/php5/README.Debian.security:

Most specifically, the security team will not provide
support for flaws in:

[...]

- vulnerabilities involving any kind of safe_mode or open_basedir
violation, as these are security models flawed by design and no longer
have upstream support either.

> But of course it
> won't help if they will use system utilities via exec()/system() php
> calls. You can disable these functions in php using the suhosin
> extension (maybe also the backtick function/operator can be disabled).
> And enable exec only for vhosts (or individual scripts) which need
> them. It's not bulletproof, but better than nothing.

Disabling functions is *not* the way to go. Not only what you wrote
isn't bulletproof, but it is also a completely wrong and dangerous
advice, in my opinion, and it's even worse than nothing: it may give the
impression that things are safe, when they are not, especially if you
enable some exec functions for some sites.

Thomas


--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/51C8184D.70400@debian.org

06-24-2013, 11:12 AM
Oğuz Yarımtepe

advice request for shared hosting and security issue

On Mon, Jun 24, 2013 at 11:37 AM, Thomas Goirand <zigo@debian.org> wrote:

> Hi,

Hi,

> Ouch! Don't do that. dotdeb has, and I believe still is, a source of
> troubles, with 2nd grade quality packages. You will have issues
> upgrading. You will have bugs.

Yes, I learned it by experience.

> I don't use php-fpm here. I use SBOX (which I both maintain as upstream
> and as a Debian package). This is a cgi-bin wrapper. I use aufs to
> provide a template for every site, so that I don't have too much
> duplication. SBOX is in use using AddHandler & Action directive of
> Apache. As I don't want to have my users write these in a .htaccess (and
> therefore, bypass my security and the chroot), I have backported the
> AllowOverrideList option of Apache 2.4 into Apache 2.2.

I haven't heard of the SBOX wrapper.

> All this works great so far. Every site is chrooted, and can benefit
> from having a full system environment which I maintain using apt, though
> each site can also customize the php.ini and so on. The only problem I
> have is that AUFS isn't very stable, and sometimes crashes the whole
> system (maybe about once a month or so...). Let's hope we have soon a
> better union filesystem to work with.
>
> If you need more info on how I do all of the above (like where to get
> the packages and how to do the setup), let me know.

If there is an howto for a sample vhost, it would be great.

> Cheers,
>
> Thomas

Cheers.

--
Oğuz Yarımtepe
http://about.me/oguzy
 
06-24-2013, 02:38 PM
Thomas Goirand

advice request for shared hosting and security issue

On 06/24/2013 02:14 PM, Oğuz Yarımtepe wrote:
> On Mon, Jun 24, 2013 at 12:37 AM, Darryl Ware <darryl.ware@gmail.com> wrote:
>
>> Would apparmor be of any use in this instance?
>
> I solved this issue by completely removing php-fpm and fastcgi and just
> using mod_php. Added php_admin_value open_basedir path for each vhost.

Great, you now have a security hole, using a deprecated directive, which
is removed in the current stable version of PHP!

> Everything is fine for now.

Until a hacker has a go with your server...

Thomas


--
Archive: http://lists.debian.org/51C859C8.1050503@debian.org

06-24-2013, 02:40 PM
Thomas Goirand

advice request for shared hosting and security issue

On 06/24/2013 05:45 PM, crispy wrote:
> On 24/06/13 16:37, Thomas Goirand wrote:
>> I don't use php-fpm here. I use SBOX (which I both maintain as upstream
>> and as a Debian package). This is a cgi-bin wrapper. I use aufs to
>> provide a template for every site, so that I don't have too much
>> duplication. SBOX is in use using AddHandler & Action directive of
>> Apache. As I don't want to have my users write these in a .htaccess (and
>> therefore, bypass my security and the chroot), I have backported the
>> AllowOverrideList option of Apache 2.4 into Apache 2.2.
>>
>> All this works great so far. Every site is chrooted, and can benefit
>> from having a full system environment which I maintain using apt, though
>> each site can also customize the php.ini and so on. The only problem I
>> have is that AUFS isn't very stable, and sometimes crashes the whole
>> system (maybe about once a month or so...). Let's hope we have soon a
>> better union filesystem to work with.
>>
>> If you need more info on how I do all of the above (like where to get
>> the packages and how to do the setup), let me know.
>>
>> Cheers,
>>
>> Thomas
>>
>>
> I would like to know more about how you have built this setup. Do you
> have it documented somewhere?

That's part of my control panel called DTC. You can have a try. Even if
you don't like the panel, you can still try it, and see how SBOX is in
use. It includes a script to setup the chroot template.

You can read about SBOX over here:
http://dtcsupport.gplhost.com/PmWiki/SBOXAndDTC

Thomas


--
Archive: http://lists.debian.org/51C85A75.3050604@debian.org

06-24-2013, 02:50 PM
Thomas Goirand

advice request for shared hosting and security issue

On 06/24/2013 07:12 PM, Oğuz Yarımtepe wrote:
> If there is an howto for a sample vhost, it would be great.

Here's an example vhost:

<VirtualHost 1.2.3.4:80>
    ServerName www.example.com
    DocumentRoot /var/www/example.com/subdomains.aufs/www/html
    ScriptAlias /cgi-bin /usr/lib/cgi-bin
    # mod_php is switched off for this vhost
    php_admin_flag engine off
    # Each script type is handed to the sbox cgi-bin wrapper
    AddHandler php-cgi-wrapper .php
    Action php-cgi-wrapper /cgi-bin/sbox
    AddHandler python-cgi-wrapper .py
    Action python-cgi-wrapper /cgi-bin/sbox
    AddHandler ruby-cgi-wrapper .rb
    Action ruby-cgi-wrapper /cgi-bin/sbox
    AddHandler ruby-cgi-wrapper .pl
    Action ruby-cgi-wrapper /cgi-bin/sbox
    ErrorDocument 404 /sbox404/404.php
    ErrorDocument 400 /sbox404/406.php
    ErrorDocument 406 /sbox404/406.php
    ErrorDocument 500 /sbox404/406.php
    ErrorDocument 501 /sbox404/406.php
    Options +ExecCGI
</VirtualHost>

As you can see, mod_php is completely disabled (since it is going to use
the CGI version inside the vhost chroot).

Then you would mount /var/www/example.com/subdomains.aufs/www this way:

mount -t aufs -o br:/var/www/sites/example.com/subdomains/www=rw:/path/to/your/template=ro \
    none /var/www/sites/example.com/subdomains.aufs/www

You can see how to populate the template over here:
http://git.gplhost.com/gitweb/?p=dtc.git;a=blob;f=admin/create_sbox_bootstrap_copy;h=be51f47c40180079dde1f842f36d3f315e24bd2e;hb=3a2f4c82259e986aac4ed6b91088b5d6c321a72d

and here:
http://git.gplhost.com/gitweb/?p=dtc.git;a=blob;f=admin/update_sbox_bootstrap_copy;h=1e02fb47fc64d802b82956021fac6d8d600c9af5;hb=3a2f4c82259e986aac4ed6b91088b5d6c321a72d

My patch for apache (for the AllowOverrideList support in Apache 2.2) is
available over here:
http://archive.gplhost.com/debian/pool/squeeze/main/a/apache2/

Note that it should be possible to use SBOX together with php-fpm, but I
haven't tried. Also, only php, perl, python and ruby scripts will be
executed by the wrapper, other types of content (image, html, css, etc.)
will use Apache normally, which is great for performances.

Cheers,

Thomas Goirand (zigo)


--
Archive: http://lists.debian.org/51C85C9D.2040806@debian.org
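
Added example, not part of the message above and not code from DTC or SBOX: the reason for restricting .htaccess with AllowOverrideList is that a site must not be able to re-map its scripts away from /cgi-bin/sbox. This Python script audits the text of a site's .htaccess against an assumed directive allowlist and flags handler-changing directives; the ALLOWED set, the severity labels and the sample file are assumptions made for illustration.

```python
# Assumed allowlist in the spirit of AllowOverrideList (illustrative values).
ALLOWED = {"redirect", "redirectmatch", "rewriteengine", "rewritecond",
           "rewriterule", "rewritebase", "errordocument", "directoryindex"}
# Directives that change which handler serves a file, i.e. that could route
# .php requests around the /cgi-bin/sbox wrapper and its chroot.
HANDLER_DIRECTIVES = {"addhandler", "sethandler", "removehandler",
                      "action", "addtype", "forcetype"}

def logical_lines(text):
    """Yield (first_line_number, text), joining backslash continuations."""
    buf, start = "", None
    for number, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = number
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None
    if buf.strip():
        yield start, buf.strip()

def audit_htaccess(text, allowed=ALLOWED):
    """Return (line, directive, severity) for each directive not allowed."""
    findings = []
    for number, line in logical_lines(text):
        # Skip blanks, comments and section containers such as <Files ...>;
        # the directives inside a container are still checked one by one.
        if not line or line.startswith(("#", "<")):
            continue
        name = line.split(None, 1)[0].lower()  # directive names ignore case
        if name not in allowed:
            severity = ("handler-bypass" if name in HANDLER_DIRECTIVES
                        else "not-allowed")
            findings.append((number, name, severity))
    return findings

# Constructed sample .htaccess, not taken from any real site.
SAMPLE = """\
# customer file
RewriteEngine On
<Files "*.php">
  SetHandler application/x-httpd-php
</Files>
AddHandler \\
   cgi-script .php
Options +Indexes
"""
print(audit_htaccess(SAMPLE))
```

Run over every .htaccess below a site's document root, it shows which files would start changing handlers if AllowOverride were ever relaxed.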
 
06-24-2013, 03:29 PM
Matus UHLAR - fantomas

advice request for shared hosting and security issue

> On 06/24/2013 02:14 PM, Oğuz Yarımtepe wrote:
>> I solved this issue by completely removing php-fpm and fastcgi and just
>> using mod_php. Added php_admin_value open_basedir path for each vhost.

On 24.06.13 22:38, Thomas Goirand wrote:
> Great, you now have a security hole, using a deprecated directive, which
> is removed in the current stable version of PHP!


When was open_basedir deprecated? I see that safe_mode is deprecated, but
not the open_basedir...

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Emacs is a complicated operating system without good text editor.


--
Archive: http://lists.debian.org/20130624152958.GB19436@fantomas.sk

06-24-2013, 05:37 PM
Thomas Goirand

advice request for shared hosting and security issue

On 06/24/2013 11:29 PM, Matus UHLAR - fantomas wrote:
>> On 06/24/2013 02:14 PM, Oğuz Yarımtepe wrote:
>>> I solved this issue by completely removing php-fpm and fastcgi and just
>>> using mod_php. Added php_admin_value open_basedir path for each vhost.
>
> On 24.06.13 22:38, Thomas Goirand wrote:
>> Great, you now have a security hole, using a deprecated directive, which
>> is removed in the current stable version of PHP!
>
> When was open_basedir deprecated? I see that safe_mode is deprecated, but
> not the open_basedir...

Ok, probably not. However, open_basedir is *not* something that is
useful in terms of security. Libraries which can be called by PHP still
have access to the full of the filesystem. So yes, you'd be restricting
includes, but that's it, and this is not enough. The solution is a full
chroot for each vhost.

Thomas


--
Archive: http://lists.debian.org/51C883DB.4030403@debian.org

06-25-2013, 11:32 AM
Matus UHLAR - fantomas

advice request for shared hosting and security issue

> On 06/24/2013 11:29 PM, Matus UHLAR - fantomas wrote:
>>> On 06/24/2013 02:14 PM, Oğuz Yarımtepe wrote:
>>>> I solved this issue by completely removing php-fpm and fastcgi and just
>>>> using mod_php. Added php_admin_value open_basedir path for each vhost.
>>
>> On 24.06.13 22:38, Thomas Goirand wrote:
>>> Great, you now have a security hole, using a deprecated directive, which
>>> is removed in the current stable version of PHP!
>>
>> When was open_basedir deprecated? I see that safe_mode is deprecated, but
>> not the open_basedir...

On 25.06.13 01:37, Thomas Goirand wrote:
> Ok, probably not. However, open_basedir is *not* something that is
> useful in terms of security. Libraries which can be called by PHP still
> have access to the full of the filesystem. So yes, you'd be restricting
> includes, but that's it, and this is not enough. The solution is a full
> chroot for each vhost.


the open_basedir will protect us against malicious scripts trying to scan
filesystem over protected area.

Of course, if there's something in PHP (as curl module some years ago), it's
problem of the module.

even chroot() won't protect us against kernel bugs, but does that mean we
should use virtualization instead?

So, I understand things like open_basedir as another step in security, made
by PHP...

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them



--
Archive: http://lists.debian.org/20130625113238.GB17348@fantomas.sk

06-25-2013, 07:54 PM
Thomas Goirand

advice request for shared hosting and security issue

On 06/25/2013 07:32 PM, Matus UHLAR - fantomas wrote:
> Of course, if there's something in PHP (as curl module some years ago),
> it's problem of the module.
>
> even chroot() won't protect us against kernel bugs, but does that mean we
> should use virtualization instead?

Of course yes!!!

And also if there's really no choice but to leave multiple sites/users
on the same server (the only valid reason is in fact costs), then using
the GR security types of kernel is a good idea too (if you have the time
to maintain your own kernel build), so that a kernel bug has some
chances to be mitigated.

> So, I understand things like open_basedir as another step in security, made
> by PHP...

I believe you understand wrongly. It's to limit the include directive
and such, but that's it. It is in no way something you should trust to
do compartmentalization of users on a shared hosting server. You also
would have to drastically disable some functions (exec(), passthrough()
and friends, with btw a good chance that you will forget some of
them...) but really that isn't the solution either.

BTW, why do you think the text which I quoted went into the doc folder
of PHP in Debian?

Anyway, feel free not to trust both me, the PHP maintainers in Debian,
and ... the rest of the world! But one day, a site will get hacked
(that's normal...), and that as a consequence of your bad practices, all
of your server content will die (that isn't...). Let's hope this never
happens to you.

Thomas


--
Archive: http://lists.debian.org/51C9F575.6090404@debian.org
 
