Linux Archive > Debian > Debian ISP

06-23-2013, 11:48 AM
Oğuz Yarımtepe

advice request for shared hosting and security issue

Hi,

I have a Debian Squeeze web server running PHP-FPM, fastcgi with apache2. I used dotdeb sources to install php-fpm and fastcgi. There are many vhosts defined on them, each has its own pool configuration and is working without problems.

My current problem is about the PhpSpy program. It is a PHP file that runs dir, chdir, readdir commands and lets the user traverse the file system and read files. I couldn't figure out a solution for it.

I used the chroot option in the pool configuration, which didn't work. It seems there is a bug with Apache2 and Fastcgi usage. I enabled suexec also, which didn't help.

I can try to disable the opendir, chdir commands globally, but then some php files under vhost directories will be broken.

What is the solution? Should I set chroot? If so, how? Any working combination will be great for Debian Squeeze.

I would appreciate it if there is an easier solution also.

Below are the detailed conf files and the question I asked on Stack Overflow:

http://stackoverflow.com/questions/17251170/php-fpm-is-not-working-as-expected

It would be great if someone could help.

Cheers.
--
Oğuz Yarımtepe
http://about.me/oguzy
 
06-23-2013, 12:14 PM
Matus UHLAR - fantomas

advice request for shared hosting and security issue

On 23.06.13 14:48, Oğuz Yarımtepe wrote:
> I have a Debian Squeeze web server running PHP-FPM, fastcgi with apache2. I
> used dotdeb sources to install php-fpm and fastcgi. There are many vhosts
> defined on them, each has its own pool configuration and is working without
> problems.
>
> My current problem is about the PhpSpy program. It is a PHP file that runs
> dir, chdir, readdir commands and lets the user traverse the file system and
> read files. I couldn't figure out a solution for it.
>
> I used the chroot option in the pool configuration, which didn't work. It
> seems there is a bug with Apache2 and Fastcgi usage. I enabled suexec also,
> which didn't help.
>
> I can try to disable the opendir, chdir commands globally, but then some php
> files under vhost directories will be broken.
>
> What is the solution? Should I set chroot? If so, how? Any working
> combination will be great for Debian Squeeze.
>
> I would appreciate it if there is an easier solution also.



I have tried to avoid something like this by using PHP compiled without
modules like posix, pcntl (maybe others?) and building a special chroot that
only contained the binaries of apache, php, the used modules, and the required
libraries. It required a small /dev (containing zero, null, urandom), a small
/etc (containing stripped password, group and some others) and a system with
only a few libraries and directories.

It's doable but quite a pain to maintain.

Another possibility is to use something similar to linux vservers with only
the needed things built in.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
He who laughs last thinks slowest.



--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20130623121439.GA20385@fantomas.sk
 
06-23-2013, 09:37 PM
Darryl Ware

advice request for shared hosting and security issue

Would apparmor be of any use in this instance?

On 23/06/2013, at 10:24 PM, Matus UHLAR - fantomas <uhlar@fantomas.sk> wrote:

> On 23.06.13 14:48, Oğuz Yarımtepe wrote:
>> I have a Debian Squeeze web server running PHP-FPM, fastcgi with apache2. I
>> used dotdeb sources to install php-fpm and fastcgi. There are many vhosts
>> defined on them, each has its own pool configuration and is working without
>> problems.
>>
>> My current problem is about the PhpSpy program. It is a PHP file that runs
>> dir, chdir, readdir commands and lets the user traverse the file system and
>> read files. I couldn't figure out a solution for it.
>>
>> I used the chroot option in the pool configuration, which didn't work. It
>> seems there is a bug with Apache2 and Fastcgi usage. I enabled suexec also,
>> which didn't help.
>>
>> I can try to disable the opendir, chdir commands globally, but then some php
>> files under vhost directories will be broken.
>>
>> What is the solution? Should I set chroot? If so, how? Any working
>> combination will be great for Debian Squeeze.
>>
>> I would appreciate it if there is an easier solution also.
>
>
> I have tried to avoid something like this by using PHP compiled without
> modules like posix, pcntl (maybe others?) and building a special chroot that
> only contained the binaries of apache, php, the used modules, and the required
> libraries. It required a small /dev (containing zero, null, urandom), a small
> /etc (containing stripped password, group and some others) and a system with
> only a few libraries and directories.
>
> It's doable but quite a pain to maintain.
>
> Another possibility is to use something similar to linux vservers with only
> the needed things built in.
>
> --
> Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do not want to receive any advertising mail at this address.
> He who laughs last thinks slowest.
>
>


Archive: http://lists.debian.org/-7365347615266111194@unknownmsgid
 
06-24-2013, 05:58 AM
Marek Podmaka

advice request for shared hosting and security issue

Hello,

>> On 23.06.13 14:48, Oğuz Yarımtepe wrote:
>>> My current problem is about the PhpSpy program. It is a PHP file that runs
>>> dir, chdir, readdir commands and lets the user traverse the file system and
>>> read files. I couldn't figure out a solution for it.

As a minimum you should set the open_basedir restriction, which should
prevent internal PHP functions from reading other files. But of course it
won't help if they use system utilities via exec()/system() PHP
calls. You can disable these functions in PHP using the suhosin
extension (maybe also the backtick function/operator can be disabled).
And enable exec only for vhosts (or individual scripts) which need
it. It's not bulletproof, but better than nothing.


--
bYE, Marki


Archive: http://lists.debian.org/9642758.20130624075823@marki-online.net
 
06-24-2013, 06:14 AM
Oğuz Yarımtepe

advice request for shared hosting and security issue

On Mon, Jun 24, 2013 at 12:37 AM, Darryl Ware <darryl.ware@gmail.com> wrote:
> Would apparmor be of any use in this instance?

I solved this issue by completely removing php-fpm and fastcgi and just using mod_php. I added php_admin_value open_basedir path for each vhost.

Everything is fine for now.

PHP-FPM for Debian is totally messed up for me. I really wonder what people use for performance and security issues on the web server side. Nginx seems to be the next candidate instead of using Apache2 prefork.
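As an added example (not a configuration from the thread), here is a mod_php vhost on Apache 2.2 with the per-vhost open_basedir Oğuz settled on, plus the global php.ini setting that closes the exec()/system() gap Marek points out. The site name, paths and ini location are assumptions.

```apache
# Added example (not a configuration from the thread): a mod_php vhost on
# Apache 2.2 with a per-vhost open_basedir. Site name and paths are assumptions.
<VirtualHost *:80>
    ServerName example-site.invalid
    DocumentRoot /var/www/example-site/htdocs

    # open_basedir: PHP's own file functions (opendir, readdir, fopen, include, ...)
    # may only resolve paths under these prefixes, so a directory-walking script
    # cannot read outside the vhost while ordinary scripts keep working.
    # The trailing slash matters: "/var/www/example-site/" names a directory,
    # whereas the prefix "/var/www/example-site" would also admit
    # /var/www/example-site-old. /tmp/ is listed for scripts that use temporary
    # files; add any other directory the site legitimately needs.
    php_admin_value open_basedir "/var/www/example-site/:/tmp/"

    # php_admin_value, not php_value: neither a .htaccess nor ini_set() in a
    # site's script can loosen the restriction.
    <Directory /var/www/example-site/htdocs>
        AllowOverride None
    </Directory>
</VirtualHost>

# /etc/php5/apache2/php.ini (global, path assumed): open_basedir does not cover
# shell-outs, which read the filesystem as the web server user through the
# kernel rather than through PHP's file API. The backtick operator is
# implemented by shell_exec(), so listing it disables both. disable_functions
# only takes effect from php.ini, not from httpd.conf, which is why per-vhost
# exceptions need something like suhosin as Marek suggests.
#
#   disable_functions = exec,passthru,shell_exec,system,proc_open,popen
```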
 
06-24-2013, 07:38 AM
Adrian Minta

advice request for shared hosting and security issue

Take a look at "ITK MPM":
http://mpm-itk.sesse.net/
http://www.debiantutorials.com/running-apache2-virtual-hosts-as-different-users-with-mpm-itk/

It uses more CPU, but each vhost will have its own uid and gid.

--
Best regards,
Adrian Minta


Archive: http://lists.debian.org/20130624103817.75651f53@mars
 
06-24-2013, 07:47 AM
Oğuz Yarımtepe

advice request for shared hosting and security issue

Hi,

On Mon, Jun 24, 2013 at 10:38 AM, Adrian Minta <adrian.minta@gmail.com> wrote:
> Take a look at "ITK MPM":
> http://mpm-itk.sesse.net/
> http://www.debiantutorials.com/running-apache2-virtual-hosts-as-different-users-with-mpm-itk/
>
> It uses more CPU, but each vhost will have its own uid and gid.

Yes, I've already read them. Performance is important. I should test it first on a low traffic server.

The non-threaded approach doesn't look so good. I should investigate performance issues and Nginx migration.
 
06-24-2013, 08:37 AM
Thomas Goirand

advice request for shared hosting and security issue

Hi,

On 06/23/2013 07:48 PM, Oğuz Yarımtepe wrote:
> Hi,
>
> I have a Debian Squeeze web server running PHP-FPM, fastcgi with
> apache2. I used dotdeb sources to install

Ouch! Don't do that. dotdeb has been, and I believe still is, a source of
trouble, with second-rate quality packages. You will have issues
upgrading. You will have bugs.

> My current problem is about the PhpSpy program. It is a PHP file that
> runs dir, chdir, readdir commands and lets the user traverse the file
> system and read files. I couldn't figure out a solution for it.
>
> I used the chroot option in the pool configuration, which didn't work. It
> seems there is a bug with Apache2 and Fastcgi usage. I enabled suexec
> also, which didn't help.
>
> I can try to disable the opendir, chdir commands globally, but then some php
> files under vhost directories will be broken.
>
> What is the solution? Should I set chroot? If so, how? Any working
> combination will be great for Debian Squeeze.
>
> Cheers.

I don't use php-fpm here. I use SBOX (which I maintain both as upstream
and as a Debian package). This is a cgi-bin wrapper. I use aufs to
provide a template for every site, so that I don't have too much
duplication. SBOX is hooked in using the AddHandler & Action directives of
Apache. As I don't want my users to write these in a .htaccess (and
therefore bypass my security and the chroot), I have backported the
AllowOverrideList option of Apache 2.4 into Apache 2.2.

All this works great so far. Every site is chrooted, and can benefit
from having a full system environment which I maintain using apt, though
each site can also customize the php.ini and so on. The only problem I
have is that AUFS isn't very stable, and sometimes crashes the whole
system (maybe about once a month or so...). Let's hope we soon have a
better union filesystem to work with.

If you need more info on how I do all of the above (like where to get
the packages and how to do the setup), let me know.

Cheers,

Thomas


Archive: http://lists.debian.org/51C8053D.5080006@debian.org
 
06-24-2013, 08:42 AM
Matus UHLAR - fantomas

advice request for shared hosting and security issue

> On Mon, Jun 24, 2013 at 10:38 AM, Adrian Minta <adrian.minta@gmail.com> wrote:
>> Take a look at "ITK MPM":
>> http://mpm-itk.sesse.net/
>> http://www.debiantutorials.com/running-apache2-virtual-hosts-as-different-users-with-mpm-itk/
>>
>> It uses more CPU, but each vhost will have its own uid and gid.

On 24.06.13 10:47, Oğuz Yarımtepe wrote:
> Yes, I've already read them. Performance is important. I should test it
> first on a low traffic server.
>
> The non-threaded approach doesn't look so good. I should investigate
> performance issues and Nginx migration.

The point of ITK security is that processes run with different privileges.
The price is that they must run as different processes.

I don't know if any system supports multiple threads of the same program
running with different users' privileges.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
My mind is like a steel trap - rusty and illegal in 37 states.



Archive: http://lists.debian.org/20130624084240.GA20737@fantomas.sk
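An added example, not from the thread, of the per-vhost uid/gid split that Adrian suggests and Matus explains: two apache2-mpm-itk vhosts, together with the directory ownership that makes the split effective. User, group, site names and paths are assumptions.

```apache
# Added example (not from the thread): two vhosts under apache2-mpm-itk.
# Users, groups, site names and paths are assumptions.
<VirtualHost *:80>
    ServerName site-a.invalid
    DocumentRoot /var/www/site-a/htdocs
    # mpm-itk directive: the worker handling this vhost's request switches from
    # root to this uid/gid before running it, so mod_php runs as web-a here.
    AssignUserID web-a web-a
</VirtualHost>

<VirtualHost *:80>
    ServerName site-b.invalid
    DocumentRoot /var/www/site-b/htdocs
    AssignUserID web-b web-b
</VirtualHost>

# The separation is enforced by kernel file permissions, not by PHP, so it only
# holds if each site's tree is closed to "other". With the (constructed) layout
# below, a directory-walking script served from site-a gets "Permission denied"
# on /var/www/site-b whatever PHP functions it calls:
#   drwxr-x---  web-a web-a  /var/www/site-a
#   drwxr-x---  web-b web-b  /var/www/site-b
# This is the price Matus describes: one process per vhost rather than shared
# threads, with workers running as root until they switch uid for a request.
```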
 
06-24-2013, 09:45 AM
crispy

advice request for shared hosting and security issue

On 24/06/13 16:37, Thomas Goirand wrote:
> I don't use php-fpm here. I use SBOX (which I maintain both as upstream
> and as a Debian package). This is a cgi-bin wrapper. I use aufs to
> provide a template for every site, so that I don't have too much
> duplication. SBOX is hooked in using the AddHandler & Action directives of
> Apache. As I don't want my users to write these in a .htaccess (and
> therefore bypass my security and the chroot), I have backported the
> AllowOverrideList option of Apache 2.4 into Apache 2.2.
>
> All this works great so far. Every site is chrooted, and can benefit
> from having a full system environment which I maintain using apt, though
> each site can also customize the php.ini and so on. The only problem I
> have is that AUFS isn't very stable, and sometimes crashes the whole
> system (maybe about once a month or so...). Let's hope we soon have a
> better union filesystem to work with.
>
> If you need more info on how I do all of the above (like where to get
> the packages and how to do the setup), let me know.
>
> Cheers,
>
> Thomas



I would like to know more about how you have built this setup. Do you
have it documented somewhere?

cheers
Shane


Archive: http://lists.debian.org/51C81540.3040705@2000cn.com.au
 
