Hi,
I am trying to set up a site which can run securely on a shared hosting
environment where users have a choice of running PHP scripts using
suexec and FastCGI, or using mod_php and running the scripts as the same
user as the webserver.
My scripts need to read a local file with the database password, and
create files in a directory, and so I would of course like to use the
suexec FastCGI option.
However, I'm struggling to find a way to do this securely, and none of
the tutorials I found anywhere on setting this sort of environment up
seem to address protection from local attackers running as the web
server user.
I have set up a local mock-up of how the site will work as follows:
=> Apache with mod_fastcgi, suexec, and mod_access is set up.
=> All site components reside in /home/wwjargon/, with the userdir in
/home/wwjargon/public_html
=> Most of my PHP code is outside of public_html. The only contents of
public_html are:
php.fcgi, which is the following shell script...
#!/bin/bash
export SERVER_SOFTWARE="Just in case"
export PHP_DOCUMENT_ROOT="/home/wwjargon/public_html/"
/usr/bin/php-cgi -c /home/wwjargon/php.ini
meter.php, which controls access to the other PHP files, and
requires them (from outside of public_html).
.htaccess, which sets up redirects and the PHP action like the
following:
RewriteRule .* - [E=METER_SCRIPT:/~wwjargon/meter.php]
RewriteCond %{REQUEST_URI} !/~wwjargon/meter.php
RewriteRule ^(.*)$ %{ENV:METER_SCRIPT}?q=$1 [L,QSA]
Action php-fcgi /php.fcgi
AddHandler php-fcgi .php
This configuration means that serving files works, but it also allows
anyone who has access as the apache user (i.e. all other customers on
the shared hosting) to run arbitrary PHP scripts as my username. Setting
SERVER_SOFTWARE partially closed the hole, but not completely.
As an example of the attack...
$ whoami
www-data
$ cat >/tmp/myscript.php
<?php passthru('whoami >/tmp/compromised.txt');
$ SCRIPT_FILENAME=/tmp/myscript.php \
  PATH_INFO=/home/wwjargon/public_html/meter.php \
  /usr/lib/apache2/suexec "~wwjargon" wwjargon php.fcgi
X-Powered-By: PHP/5.2.6-2ubuntu4
Content-type: text/html
$ cat /tmp/compromised.txt
wwjargon
I could make this attack a bit harder by changing the environment
variables in php.fcgi so it would only work for FastCGI and not for
normal CGI, but a more motivated attacker could just write a fake
FastCGI server to attack my script.
Setting PHP_DOCUMENT_ROOT in the environment and doc_root in php.ini
didn't seem to stop the attack (although setting doc_root stops
meter.php working, but not the attack), because PHP still happily serves
up a document from /tmp/myscript.php, and --enable-force-cgi-redirect
doesn't really have the potential to be of any help either because a
local attacker could just set the same environment variables as the
webserver to fake a redirect. I can't use the #!/usr/bin/php-cgi option
because this is a FastCGI and not a CGI setup.
What can I do to prevent this sort of local attack against my
suexec/PHP/FastCGI environment (short of getting a VPS or installing my
own patched PHP at least)?
Thanks and Best Wishes,
Andrew
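One mitigation that validates the request instead of trusting the caller's environment, as an added example that is not part of the original post: a small guard file (named /home/wwjargon/guard.php here, an assumed name) loaded through auto_prepend_file in the php.ini that php.fcgi already passes with -c, so it runs before whatever script php-cgi was asked to execute, in CGI and FastCGI mode alike. It assumes that php-cgi reports the script it resolved in $_SERVER['SCRIPT_FILENAME'], that meter.php is the only entry point as described above, and that php.ini and guard.php are not writable by the web-server user.

```php
<?php
// guard.php -- added example, not code from the original post.
// Loaded on every request via auto_prepend_file in /home/wwjargon/php.ini
// (the file php.fcgi passes with -c), so it executes before the script
// php-cgi was asked to run, whether it was reached as CGI or FastCGI.
// Written to stay PHP 5.2 compatible, matching the PHP/5.2.6 in the post.

$docroot = '/home/wwjargon/public_html';
// The only script the web server is meant to run as wwjargon (per the post).
$allowed = array('meter.php');

// Assumption: php-cgi stores the path it resolved for this request in
// SCRIPT_FILENAME. A direct CGI invocation or a fake FastCGI server can set
// it to anything, so it is validated here rather than trusted.
$requested = isset($_SERVER['SCRIPT_FILENAME']) ? $_SERVER['SCRIPT_FILENAME'] : '';

// realpath() on both sides resolves "..", symlinks and duplicate slashes, so
// /home/wwjargon/public_html/../../../tmp/x.php cannot pass the prefix test.
$real = ($requested === '') ? false : realpath($requested);
$root = realpath($docroot);
$prefix = $root . DIRECTORY_SEPARATOR;

$inside = ($real !== false && $root !== false
           && strncmp($real, $prefix, strlen($prefix)) === 0);
$relative = $inside ? substr($real, strlen($prefix)) : '';

if (!$inside || !in_array($relative, $allowed, true)) {
    // Log to php-cgi's error stream (stderr, which mod_fastcgi normally
    // forwards to the Apache error log), answer 403, and stop before a
    // single line of the requested file runs.
    error_log(sprintf('guard: refused SCRIPT_FILENAME=%s running as uid %d',
                      $requested, getmyuid()));
    header('HTTP/1.0 403 Forbidden');
    header('Content-Type: text/plain');
    echo "Forbidden\n";
    exit(1);
}
```

Add `auto_prepend_file = /home/wwjargon/guard.php` to /home/wwjargon/php.ini and pair it with open_basedir; the wrapper should also hand php-cgi a clean environment (for example via `env -i`) so a caller cannot point it at a different ini file through PHPRC or PHP_INI_SCAN_DIR.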
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php