[PHP] PHP/Apache security question : bugtraq, suExec etc

2001-07-09 Thread Robert Mena

Hi, I follow bugtraq and recently there was a thread
regarding safe_mode of php and how to break it.
The thread was killed without a conclusion as to whether
this is really a new threat or the same problem
(scripts executed with the same uid/gid as the web
server).

So, I was wondering if the php-dev team has already
reached a verdict.

I recently saw a post about the use of suExec and I'd
like to know the performance impact and is there
anything php could do to make such thing easier
(perhaps this is more an apache issue).

Up to now all my virtual domains have used safe_mode,
open_basedir and document_root settings limiting the
access to files/scripts located under the virtual
directory and no access to override the settings with
a .htaccess.

Is this secure enough? My major concern is the
ability to upload php code (using ftp), some c
files of a local exploit, compile it and execute as
apache...

thanks.



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




RE: [PHP] PHP/Apache security question

2001-07-07 Thread ..s.c.o.t.t..

of course that's possible... it's not default, but it's very possible

i think it's an apache module called suEXEC
that will run the script with the script owner's name.group,
not apache.apache

 -Original Message-
 From: [EMAIL PROTECTED]
 Subject: [PHP] PHP/Apache security question
 
 Is there anything anyone can do about this? of course it would be ideal if
 php would inherit uid/gid from the script file instead of the server
 ownership but I think there is no way to accomplish this, so this is why
 I am clueless.
 
 Oh, one more thingie: I have this CGI script here:
 
 #!/usr/bin/php
 htmlhead.
 etc etc
 
 
 I try to access it and the security warning! page appears. The
 documentation says that it's ok to use such CGI scripts, and warns the
 user about the security threat of using the php binary as a CGI. Obviously
 I am not using the php binary as a CGI, rather I am creating a CGI script
 that's interpreted using the php binary, so what seems to be the problem
 here?
 
 Thx a lot,
 georgeb
 
 




RE: [PHP] PHP/Apache security question

2001-07-07 Thread Aaron Bennett

Does anyone know if SuExec plays friendly with PHP? From my recollection,
when using suexec, it only alters the current UID/GID for scripts executed
by httpd. Does PHP get treated the same way as would say a perl cgi script?

I've looked a little at how phpwebhosting.com does it, and they set each
user to their own unique primary group, and are (i believe) using suexec in
their apache config setting each VirtualHost with their respective user and
group... But does that really 'secure' everyone's code from other equally
privileged users? :-?

--
Aaron Bennett
[EMAIL PROTECTED]


-Original Message-
From: ..s.c.o.t.t.. [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 07, 2001 4:33 PM
To: Php-General
Subject: RE: [PHP] PHP/Apache security question


of course that's possible... it's not default, but it's very possible

i think it's an apache module called suEXEC
that will run the script with the script owner's name.group,
not apache.apache




RE: [PHP] PHP/Apache security question

2001-07-07 Thread ..s.c.o.t.t..

if the script is running as user scott group scott,
then it can only alter/read/execute files that the user
scott has access to... nothing else.

of course, if you have user scott, group users,
and have user tom in group users, then any files
that have the group read/write/exec permissions set
could possibly be vulnerable to other users' scripts.

 -Original Message-
 From: Aaron Bennett [mailto:[EMAIL PROTECTED]]
 Subject: RE: [PHP] PHP/Apache security question
 
 Does anyone know if SuExec plays friendly with PHP? From my recollection,
 when using suexec, it only alters the current UID/GID for scripts executed
 by httpd. Does PHP get treated the same way as would say a perl cgi script?
 
 I've looked a little at how phpwebhosting.com does it, and they set each
 user to their own unique primary group, and are (i believe) using suexec in
 their apache config setting each VirtualHost with their respective user and
 group... But does that really 'secure' everyone's code from other equally
 privileged users? :-?
 
 --
 Aaron Bennett
 [EMAIL PROTECTED]
 
 
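
A defender-side check for the shared-group point in the message above (and for the group-apache layout in the original question), as an added example that is not part of the thread. `audit_group_exposure` is a hypothetical helper name; DOCROOT and GROUP are whatever your own setup uses.

```shell
#!/bin/sh
# Added example: list entries under a docroot that a script running with
# membership in GROUP could read or modify. Under suEXEC with a shared
# group (e.g. "users"), or with everything in the web server's group
# (e.g. "apache"), these are the files other tenants' scripts can reach.
# Usage: audit_group_exposure DOCROOT GROUP   (GROUP: name or numeric gid)
audit_group_exposure() {
    docroot=$1
    group=$2
    # Group-writable: another group member's script can alter these.
    # Symlinks are skipped because their own mode bits are meaningless.
    find "$docroot" ! -type l -group "$group" -perm -020 \
        -exec printf 'WRITE\t%s\n' {} \;
    # Group-readable only: source, .htaccess and db files can be read.
    find "$docroot" ! -type l -group "$group" -perm -040 ! -perm -020 \
        -exec printf 'READ\t%s\n' {} \;
    # World-readable or world-writable: exposed whatever the group layout.
    find "$docroot" ! -type l \( -perm -004 -o -perm -002 \) \
        -exec printf 'WORLD\t%s\n' {} \;
}
```

An empty result for a tenant's tree means only the owning uid can reach those files, which is the situation a per-user private group is meant to produce.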




[PHP] PHP/Apache security question

2001-07-05 Thread lists


Hello list,

I have a security problem to solve with my apache setup and I am clueless
at this moment...

My web server holds multiple domains and uses name-based virtual servers
to direct requests to different portions of the html tree for different
domain names (we presume only one IP is available). There are just a few
people storing content on the webserver to be served to the public and
everyone has access to php scripts. The server runs as apache.apache and
therefore all the files and dirs in the html tree are owned by group
apache so that the server can see them yet people cannot see anything but
their own files.

It has recently crossed my mind that anyone can write a very simple php
script to peek at everything that apache can see because any script is run
with the uid/gid inherited from the webserver. Now, the html tree does not
contain any security-sensitive information, but I am sure that the clients
would not be happy to know that any other of my clients can see their
scripts and hidden information, like .htaccess-protected files or db files
generated by php or cgi scripts.

Is there anything anyone can do about this? of course it would be ideal if
php would inherit uid/gid from the script file instead of the server
ownership but I think there is no way to accomplish this, so this is why
I am clueless.

Oh, one more thingie: I have this CGI script here:

#!/usr/bin/php
htmlhead.
etc etc


I try to access it and the security warning! page appears. The
documentation says that it's ok to use such CGI scripts, and warns the
user about the security threat of using the php binary as a CGI. Obviously
I am not using the php binary as a CGI, rather I am creating a CGI script
that's interpreted using the php binary, so what seems to be the problem
here?

Thx a lot,
georgeb

