Hi there,
About using PHP as a CGI, I've considered that but:
The www user is pretty locked down, much more than a regular user,
that can ssh, ftp, use mail etc...
Using CGI will allow intruders to break into a student account, where
they can do more damage than with the www user.
Also, it's harder to audit and monitor 6000 possible user account
break-ins than a www break-in.
We also don't use vhosts, we use user_dir and we're trying to see if we
can use that with:
open_basedir
upload_tmp_dir
safe_mode_exec_dir
Tell me more *dir variables that may be handy. :)
Best Regards,
On Wed, 22 Dec 2004 09:28:57 -0800, Michael Stewart <vericgar@gentoo.org> wrote:
> Miguel Filipe wrote:
> | Hi there,
> |
> | To put things simple, I'm a bit worried with php, here's why:
> |
> | I don't know SHIT about securing php installations...
> | I've read about hardened-php, and I wondered if someone uses it, and
> | how reliable and intrusive they are ( false positives interest me
> | especially).
> | Also I would like to receive input from mod_security users...from what
> | I understood, if that's enabled, then in a php forum I cannot
> | write/quote SQL code in my posts... (sql injection prevention..)
> |
> | The problem is a big server, 6000 accounts with
> | apache+suexec+user_dir+php, on a solaris machine.
> | I plan to try changing config options and security settings so it
> | becomes a bit more hardened.
> |
> |
> | Any advice is welcome.
> |
> | ps: don't "advise" me to close the server, deny functionality, etc,
> | these won't do... the server exists, has the accounts and I got to live
> | with it...
> |
>
> PHP can be difficult to secure in a multi-user environment. There's
> safe_mode, but that can be too restrictive at times and IIRC has some
> ways around it.
>
> If you were doing vhosts instead of user_dirs (i.e. username.example.com
> instead of example.com/~username) you could use open_basedir to keep
> them from opening or creating any file outside their $HOME. Though with
> 6000 users that could get tedious to maintain, though that could be
> scripted as well. If you do go this route, make sure to set a tmpdir
> that is under the open_basedir so that they can still make use of file
> uploads.
>
> You can also setup PHP in CGI mode, though that has some caveats as well
> (have to put the path to PHP as the first line of the script, though I
> think there's a way around this as well), but once you get it working,
> the php script can run under suexec and so as the user instead of as the
> webserver. Though there is a performance hit when you do it that way as
> well. But with 6000 users, I don't think you are worried too much about
> web-scripting performance.
>
> - --
> Michael Stewart vericgar@gentoo.org
> Gentoo Developer http://dev.gentoo.org/~vericgar
>
> GnuPG Key ID 0x08614788 available on http://pgp.mit.edu
> - --
--
Miguel Sousa Filipe
--
gentoo-security@gentoo.org mailing list
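
The reply above notes that per-user open_basedir settings for 6000 accounts "could be scripted", with the upload directory kept under the open_basedir. The following is an added example, not code from either poster: it generates one Apache `<Directory>` block per student account from passwd-format input. It assumes mod_php (so `php_admin_value` is available in the server config), homes at `/home/<login>`, student UIDs of 1000 and up, and a per-user `tmp` directory; the sample accounts are constructed.

```python
import re

# Constructed sample in passwd(5) format; these are not real accounts.
SAMPLE_PASSWD = """\
root:x:0:0:Super-User:/:/sbin/sh
www:x:80:80:Web server:/var/www:/bin/false
alice:x:1001:100:Alice:/home/alice:/bin/bash
bob:x:1002:100:Bob:/home/bob:/bin/bash
mallory:x:1003:100:Mallory:/home/alice:/bin/bash
eve"x:x:1004:100:Eve:/home/eve"x:/bin/bash
"""

MIN_UID = 1000        # assumption: student accounts start at this UID
HOME_ROOT = "/home"   # assumption: every student home is HOME_ROOT/<login>
TMP_NAME = "tmp"      # assumption: per-user upload directory inside $HOME
LOGIN_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")

def student_homes(passwd_text):
    """Return [(login, home)] for accounts that should get a block."""
    result = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        login, uid, home = fields[0], int(fields[2]), fields[5]
        # Skip system accounts, odd login names (they end up inside a quoted
        # Apache argument) and any home that is not exactly HOME_ROOT/<login>.
        if uid < MIN_UID or not LOGIN_RE.fullmatch(login):
            continue
        if home != f"{HOME_ROOT}/{login}":
            continue
        result.append((login, home))
    return result

def directory_block(home):
    # Trailing slash: PHP releases of this era treat open_basedir as a string
    # prefix, so "/home/bob" would also match "/home/bobby".
    return (
        f'<Directory "{home}">\n'
        f'    php_admin_value open_basedir "{home}/"\n'
        f'    php_admin_value upload_tmp_dir "{home}/{TMP_NAME}"\n'
        f"</Directory>\n"
    )

def render(passwd_text):
    """Return the generated config fragment for all accepted accounts."""
    return "\n".join(directory_block(h) for _, h in student_homes(passwd_text))
```

With mod_php the interpreter runs as the web server user, so each `tmp` directory has to exist and be writable by www for uploads to work.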