Quoting Paul L. Allen [EMAIL PROTECTED]:

> Tim Hasson writes:
>
> > I am developing a web based interface on it using php/mysql
> > [...]
> > My worst fear is of an exploit like the recent SSL v2 vulnerability
> > where an unauthenticated user, or an anonymous user, could just simply
> > exploit the apache process, and use it as a stepping stone.
>
> You're worried about an obscure SSL vulnerability when you're using
> PHP? Unless you're planning on a dedicated mail server with no user
> accounts having webspace, your setup will be wide open.

I use safemode, but more importantly the open_basedir option. php cannot
read/execute files outside the vhost docroot (have an open_basedir restriction
per vhost), and User vhost1 in each vhost with suexec for cgi programs (I
have not tested the cgi programs part). uniqueuser has no shell access. All
files in the vhost's root directory are chowned vhost1:nobody by the ftp server on
upload, chmod is not allowed, chmod is not in the path in php, and ftp chroot.
All ftp users are also virtual.
No remote user has any shell access.

> Without an
> add-giving the equivalent behaviour of suexec, you need to make any
> directories and files that you need to modify readable and writeable by
> the httpd user. So anybody with web space on the server can write some
> PHP to read and/or trash other people's mail.

mail and apache run as completely different uids/gids.
The webserver runs as user nobody and has no access but to read the files.
This is because the ftp server chowns the files on upload to:
user: vhostnum
group: nobody
mode: 750 (user: read/write/exec, group: read/execute, world: none)
The best is done so that the users cannot read any file except in their vhost
root (using open_basedir), but definitely cannot write because apache doesn't
have write permissions; the user also cannot chmod the files.
php cannot even exec(/bin/cat) because they are chrooted to their vhostroot/
all mail users are virtual

> Being worried about obscure attacks when you're using PHP is like
> worrying about somebody 100 yards away striking a match when your
> clothes are on fire.

You did not follow my point correctly.
1. I have read the php security docs more than once, and I follow up with mailing
list tricks on security (like cross site exploits etc.) and try to stay up
with the most current fixes.
2. apache runs as UID/GID nobody.
3. each vhost has its unique username (no shell access) for suexec, if cgi is
enabled for that vhost.
The SSL vulnerability I mentioned was just an example. And it's not even
related to the hosted users. I was talking about something completely
different, which is a dedicated process or a different apache installation that
I run as a different uid for specific administration tasks.
No one is allowed to upload or write their own scripts there, and those files
are only readable by the user that the 2nd apache install runs as (and group
wheel of course).
Anyways, you missed my whole point. It's my fault anyway, this is way off
vpopmail list topics. My apologies.

> --
> Paul Allen
> Softflare Support

Respectfully,
Tim Hasson
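An added example, not code from this thread or from vpopmail, that audits a vhost docroot against the scheme Tim describes (every entry owned by the vhost's uid and group nobody, mode 750, so apache can read but never write and other uids see nothing); the docroot path, owner and group names are assumed arguments, and the chown step needs root in real use:

```shell
#!/bin/sh
# Added example, not from the thread. Checks a vhost tree against the
# "vhostN:nobody, mode 750" layout the ftp server enforces on upload.
# DOCROOT, OWNER and GROUP are assumed caller-supplied values.

# audit_vhost DOCROOT OWNER GROUP
# Prints every offending path; returns 0 only when nothing is wrong.
audit_vhost() {
    root=$1; owner=$2; group=$3
    # Mode check: any world bit, group write, or missing group read breaks
    # "apache (group nobody) may read, nobody else may touch it".
    bad_mode=$(find "$root" \( -perm -o+r -o -perm -o+w -o -perm -o+x \
                              -o -perm -g+w -o ! -perm -g+r \) -print)
    # Ownership check: anything not OWNER:GROUP (e.g. a file the httpd
    # user managed to create) is a violation.
    bad_owner=$(find "$root" \( ! -user "$owner" -o ! -group "$group" \) -print)
    [ -n "$bad_mode" ]  && printf '%s\n' "$bad_mode"  | sed 's/^/bad mode:  /'
    [ -n "$bad_owner" ] && printf '%s\n' "$bad_owner" | sed 's/^/bad owner: /'
    [ -z "$bad_mode" ] && [ -z "$bad_owner" ]
}

# apply_vhost_perms DOCROOT OWNER GROUP
# What the ftp server does per upload in Tim's setup, applied to a whole
# tree (chown to another uid requires root).
apply_vhost_perms() {
    chown -R "$2:$3" "$1" && chmod -R 750 "$1"
}

if [ "$#" -eq 3 ]; then
    audit_vhost "$@"
fi
```

Run it from cron as root over every vhost root; a non-zero exit means a file the web server could write, or one another user could read, slipped through the ftp chown/chmod step.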