Info about apache22 + fastcgi + suexec + pureftp

Sigfrido

Sigfrido

Hi all,

I'm interested to enable fastcgi and suExec with apache22 to execute php scripts with limited permission on virtual hosts but I've never done it.

According to my informations, suExec requires a valid uid/gid to set correct permissions to run scripts hosted inside ftp user's document root.

Using PureFTP, there is only one uid/gid which contains all my virtual ftp users (I've used PureDB to store them).

I suppose that I've to specify, for each vhost inside my httpd-vhosts.conf, a user and group to run as (directive User and/or SuexecUserGroup) and I think I've to set PureFTP ones.

Is there any risk, with malicious php code stored inside one virtual ftp account, to steal informations inside other virtual ftp paths, owned by the same uid/gid (PureFTP ones)?

Is there any apache directive to prevent this kind of problem?

Thanks in advance
 
Code: 
# /usr/local/bin/php -v
PHP 5.2.12 with Suhosin-Patch 0.9.7 (cli) (built: Feb 12 2010 13:50:48)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
mod. :-)
 
Now how yo wanna SUEXEC it if its apache module? ;)
You can run php as fastcgi using www/spawn-fcgi with setting spawn_fcgi_username & spawn_fcgi_groupname. But you must run a copy with different spawn_fcgi_bindsocket for each uid you need run.
In apache you must use FastCgiExternalServer or somewhat like (i dunno how to set external fcgi in apache, used only in nginx)
 
You got the point, I've to reinstall php w/o Apache support and preinstalling a cgi spawner, like:

Code: 
# cd /usr/ports/www/mod_fcgid
# make install clean

Then php, enabling FastCGI:

Code: 
# cd /usr/ports/lang/php5
# make config
# make install clean

Then some httpd.conf changes (disabling php5module, enabling fcgi wrapper, ...).

Now I can use suExec but I've the same question explained in my first post. :)

Any hint?
 
Sigfrido said:
Is there any risk, with malicious php code stored inside one virtual ftp account, to steal informations inside other virtual ftp paths, owned by the same uid/gid (PureFTP ones)?
Click to expand...
Yes, that risk is quite high. Since all files are owned by the same uid/gid anyone that's able to login using FTP can change any file owned by that uid/gid.

Is there any apache directive to prevent this kind of problem?
Click to expand...
AFAIK no. The only way to solve this would be to change the 'virtual' FTP UIDs to 'real' ones.
 
Thanks Sir. :)

In fact, if I'm aiming to prevent interactions between ftp accounts (using virtual ftp users) via malicious php code, it's pretty useless to run php as cgi with suExec.

So, if I don't want to user real users to avoid this risk, is there any viable software configuration to do it?

If I plan to leave apache22+mod_php (w/o cgi & suExec/php), which steps can I do to secure php?

Editing disable_functions inside php.ini like

Code: 
disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

is it enough?
 
I recommend to set open_basedir in each vhost so they cant go other's directory; for ftp you can setup chroot
 
already done, PureFTP has a chroot() emulation so there aren't problems about ftp users.

The problem is that, with virtual ftp users, I can't secure php to be executed by the effective owner of the script.
 
You must log in or register to reply here.
Back
Top