[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20041111193315.GA21683@maya.vse.cz>
From: janus at volny.cz (Honza Vlach)
Subject: Securing apache+php for virtual hosts - best practices (longer)
Hello,
I'm responsible for running and administering apache web server that
serves dynamic content using php, and I'm wondering what are the best
practices of securing it.
Basically, I can't trust my users and even the scripts they write, so I
would like to limit damage that a successful break-in could do.
Users don't have shell and I use rssh for file management. Each user is
locked in own chroot jail and this jail is webroot for that virtualhost.
The problem is, that I don't know what kind of software they would like
to run (bbs board, photo gallery etc.), so safe_mode limiting as per user
is not applicable, because most users need file uploads, create
directories from scripts etc.
I still need to lock them down in their own webroot, so they can't access
each other files.
I did:
1. set in php open_basedir = their_webroot:/usr/lib/php (PEAR modules)
for each virtualhost using php_admin_value open_basedir directive in
httpd.conf.
2. I'm not showing them script errors and I'm logging them instead ( good
luck with debugging :) )
3. set enable_dl = Off
4. set allow_url_fopen = No
5. After spending couple of hours reading php manual I compiled this
disabled_functions list in php.ini:
shell_exec, exec, system, escapeshellarg, escapeshellcmd, passthru, proc_close, proc_open, proc_get_status, proc_nice, proc_open,
proc_terminate, shell_exec, phpinfo, dl, popen, pclose, chown, disk_free_space,
disk_total_space, diskfreespace, fileinode, max_execution_time, set_time_limit(),highlight_file(), show_source()
Does this sound as reasonable setup, or am I smoking crack here? I would like to
achieve safe_mode-like security with as low impact on functionality as
possible. (Yeah, tell me how contradictory this is :o) )
What are your experiences? Did I miss something?
Thanks and have a nice day/night.
Honza Vlach
--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GIT/CS d- s: a-- C++++$ ULS++++$ P L+++ E--- W- N+ o? K? w-->--- O? M->+ V? PS PE Y++ PGP+++ !t 5? X++ R tv-- b++ DI+ D++ G+>+++ e h--- r++ y?
------END GEEK CODE BLOCK------
() ascii ribbon campaign - against html mail
/\ - against microsoft attachments
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041111/f97ef2a8/attachment.bin
Powered by blists - more mailing lists