PHP CGI Security

Hi all,

OK, I have come up with an architecture to offer PHP to customers as a CGI, and want to get some opinions to make sure I'm not missing any glaring holes...

I've decided to use suPHP to fork off PHP CGI scripts as the user and group. It seems to work pretty well, and I have tweaked suPHP (i.e. hacked the source) to force a particular GID as the group, which is different from the web server group. I have also forced a chroot to a jailed filesystem in which they have access to the PHP libraries just like they would on a real system.

So here's the gist of it:

1) For argument's sake, let's say that Apache is running as user www and group www.

2) Each user has their own user ID and all files in their directories are group www, allowing Apache to serve all of their web data.

3) When suPHP is invoked, it changes the script to user "u1234" and group "www2", and jails the script to /jail.

4) Because the user directories are shared across NFS, the user's structure (and all other users' structures) are also mounted in the /jail.

5) Because the user's PHP script is running as user "u1234" and group "www2", it has no access to any of the other users' data.

6) All directories within a user's space are in group "www" and have the group sticky bit turned on, so that any files created will get created with the "www" group and not the "www2" group. This will allow any files the user creates in their own directories to be read by Apache.

7) I have created an auto_prepend_file that sets the "session.save_path" ini variable to a local directory within the user's account so that session files are not in a place that can be read by anyone else.

8) Safe mode is disabled to allow users to be able to use PHP scripts that need safe mode to be turned off.

9) In the /jail area, all unnecessary binaries have been removed (things like ifconfig, mount, and dev stuff) to make it more secure, but useful binaries were left for scripts to use (things like ls, rm, etc...).

Does anyone see any glaring holes in this model?

Thanks,

Tim.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
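The model in point 6 only holds while every directory in a customer's tree keeps the setgid bit and the "www" group; one directory created without them (for example by a script running as u1234:www2) silently produces files Apache cannot read. The following audit script is an added example, not part of the original post or of suPHP; the function names are mine, and the tree root and group name are passed in because the post's /jail layout is not reproduced here.

```shell
#!/bin/sh
# Audit one customer's web tree for the invariant described in the post:
# every directory must carry the setgid bit and belong to the web server
# group (the post's "www"), so files created by a suPHP script running as
# u1234:www2 still inherit group "www" and stay readable by Apache.
# Added example; function names are hypothetical, not part of the post.

# Print every directory under $1 that lacks the setgid bit (mode 2000).
dirs_missing_setgid() {
    find "$1" -type d ! -perm -2000
}

# Print every directory under $1 whose group is not $2.
dirs_wrong_group() {
    find "$1" -type d ! -group "$2"
}

# Print every regular file under $1 whose group is not $2; such a file
# was created in a directory that had already lost the setgid bit.
files_wrong_group() {
    find "$1" -type f ! -group "$2"
}

# Report violations for tree $1 against group $2 on stderr and print the
# total count on stdout; 0 means the tree conforms to the model.
audit_user_tree() {
    a=$(( $(dirs_missing_setgid "$1" | wc -l) ))
    b=$(( $(dirs_wrong_group "$1" "$2" | wc -l) ))
    c=$(( $(files_wrong_group "$1" "$2" | wc -l) ))
    [ "$a" -gt 0 ] && dirs_missing_setgid "$1" | sed 's/^/missing setgid: /' >&2
    [ "$b" -gt 0 ] && dirs_wrong_group "$1" "$2" | sed 's/^/wrong dir group: /' >&2
    [ "$c" -gt 0 ] && files_wrong_group "$1" "$2" | sed 's/^/wrong file group: /' >&2
    echo $(( a + b + c ))
}

# Restore the invariant for tree $1 and group $2: re-group everything and
# set the setgid bit on every directory (run as root or the tree's owner).
repair_user_tree() {
    chgrp -R "$2" "$1" && find "$1" -type d -exec chmod g+s {} +
}
```

Run it periodically (or from the auto_prepend_file hook) against each customer tree; a non-zero count is the early warning that Apache will start returning permission errors for that account.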

