Linode Community Forums
 


PHP virtual host security


 
       Linode.com Forum Forum Index -> Linux, Apache, Mysql and PHP (LAMP) Forum
Internat



Joined: 17 Aug 2004
Posts: 174
Location: Brisbane, Australia

Posted: Sun Apr 29, 2007 12:20 am    Post subject: PHP virtual host security  

So, like many other Linoders, I resell some of my space/bandwidth to friends/clients in the form of web/email hosting.

I recently came to realise that since all files for the www side of virtual hosting are stored under the same user ID, I could potentially have a security risk on my hands. And sure enough, after doing some basic testing, I did.

Basically, via PHP, my virtual users could include/echo/do whatever with other virtual users' files. This obviously presents a massive security risk, which I have since downgraded slightly by including in everyone's VirtualHost declaration "php_admin_value open_basedir /home/hosting/domain.com/www", which makes PHP restrict access to the domain.

But it got me thinking along the lines that obviously there is more to this that I haven't thought of.

Is there an easy way to chroot each VirtualHost to itself? I don't particularly want to have another instance of Apache per VirtualHost either. But surely there has to be some easy way to secure Apache's virtual hosts in this manner?

Has anyone else come across this problem, and what typically was the way you decided to overcome this?

Thanks!
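The mitigation described in the post above, written out as an added example (not from the thread or from any poster): one VirtualHost left in the shared-UID state, beside one with the per-host open_basedir restriction. Hostnames and paths under /home/hosting are assumptions.

```apache
# Added example: two name-based VirtualHosts served by mod_php under one Apache UID.

# Weak: nothing stops a PHP script under example.com from include()-ing or
# reading files under other hosts' docroots, because every docroot is readable
# by the single UID the PHP interpreter runs as.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /home/hosting/example.com/www
</VirtualHost>

# Hardened: php_admin_value sets the directive so that neither .htaccess nor
# ini_set() in a script can widen it.
# The trailing slashes matter: open_basedir is a prefix match, so the value
# /home/hosting/other.com/www would also allow /home/hosting/other.com/www2.
# A per-host tmp directory is listed and used for uploads and sessions so those
# keep working without falling back to a shared /tmp.
<VirtualHost *:80>
    ServerName other.com
    DocumentRoot /home/hosting/other.com/www
    php_admin_value open_basedir "/home/hosting/other.com/www/:/home/hosting/other.com/tmp/"
    php_admin_value upload_tmp_dir "/home/hosting/other.com/tmp"
    php_admin_value session.save_path "/home/hosting/other.com/tmp"
</VirtualHost>
```

This constrains only the PHP interpreter: Perl or Tomcat code running as the same UID is unaffected, which is the limitation raised later in the thread.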
JDM



Joined: 27 Sep 2006
Posts: 33
Location: Maryland, USA

Posted: Sun Apr 29, 2007 7:21 am    Post subject:  

The only thing I can think of is PHPsuexec, which is explained pretty well here. I'm not sure how to enable it though.
Internat



Joined: 17 Aug 2004
Posts: 174
Location: Brisbane, Australia

Posted: Sun Apr 29, 2007 7:47 am    Post subject:  

Unfortunately phpsuexec isn't going to help me.
Since this is virtual hosting, and all my users are virtual, they have the same UID: that of the user WebHostingUser (5500). So running phpsuexec isn't going to stop the problem of the users being able to access the same files.

I need a non-PHP-specific way of doing it, as there is going to be Tomcat (JSP) and probably Perl or something similar, which is going to mean I need a solution outside of the individual language.

As a last resort, I will run Apache and Tomcat in a chroot environment, and allocate a block of user IDs to each of my virtual hosting accounts. Then with the help of solutions like phpsuexec I will restrict it in that.

Truth be told, I was just looking for a slightly simpler solution :)
pclissold



Joined: 24 Oct 2003
Posts: 472
Location: Netherlands

Posted: Sun Apr 29, 2007 9:27 am    Post subject:  

Check these out:
PHP Security
Apache + Chroot + FastCGI + PHP FAQ
They both look simpler than your plan B. I think I would favour the second of the two.

Caveat: I only read them, I didn't actually try them - I'm the only user on my Linode. YMMV.
andrews



Joined: 29 Apr 2007
Posts: 2

Posted: Sun Apr 29, 2007 1:21 pm    Post subject:  

Please look at mod_diffprivs. It allows you to have a unique uid/gid for each virtual host. But you must configure Apache to close its child every time after a request.