Quoting "Paul L. Allen" <[EMAIL PROTECTED]>:

> Tim Hasson writes:
> > I am developing a web based interface on it using php/mysql
> [...]
> > My worst fear is of an exploit like the recent SSL v2 vulnerability
> > where an unauthenticated user, or an anonymous user, could just simply
> > exploit the apache process, and use it as a step stone.
> You're worried about an obscure SSL vulnerability when you're using
> PHP?  Unless you're planning on a dedicated mail server with no user
> accounts having webspace, your setup will be wide open.  

I use safemode, but more importantly the open_basedir option. php cannot 
read/execute files outside the vhost docroot (have an open_basedir restriction 
per vhost), and "User vhost1" in each vhost with suexec for cgi programs (I 
have not tested the cgi programs part). uniqueuser has no shell access. All 
files in the vhost's root directory are chowned vhost1:nobody by the ftp server on 
upload, chmod is not allowed, chmod is not in the path in php, and ftp is chrooted. 
All ftp users are also virtual.

No remote user has any shell access.

> Without an
> add-on giving the equivalent behaviour of suexec, you need to make any
> directories and files that you need to modify readable and writeable by
> the httpd user.  So anybody with web space on the server can write some
> PHP to read and/or trash other people's mail.

Mail and apache run as completely different uids/gids.

The webserver runs as user nobody and has no access but to read the files.
This is because the ftp server chowns the files on upload to:
user: vhostnum
group: nobody
mode: 750 (user: read/write/exec, group read/execute, world none)

The best is done so that the users cannot read any file except in their vhost 
root (using open_basedir), but definitely cannot write because apache doesn't 
have write permissions, user cannot also chmod the files.

php cannot even exec(/bin/cat) because they are chrooted to their vhostroot/

all mail users are virtual

> Being worried about obscure attacks when you're using PHP is like
> worrying about somebody 100 yards away striking a match when your
> clothes are on fire.

You did not follow my point correctly.
1. I have read php security docs more than once, and I follow up with mailing 
list tricks on security (like cross site exploits etc.) and try to stay up 
with the most current fixes.

2. apache runs as UID/GID nobody.

3. each vhost has its unique username (no shell access) for suexec, if cgi is 
enabled for that vhost.

The SSL vulnerability I mentioned was just an example. And it's not even 
related to the hosted users. I was talking about something completely 
different which is a dedicated process or a different apache installation that 
I run as a different uid for specific administration tasks.

No one is allowed to upload or write their own scripts there, and those files 
are only readable by the user that the 2nd apache install runs as (and group 
wheel of course).

Anyways, you missed my whole point. It's my fault anyway, this is way off 
vpopmail list topics. My apologies..

> -- 
> Paul Allen
> Softflare Support


Tim Hasson
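
An added example, not part of the original message: a Python audit of the upload scheme described in the reply above (owner is the vhost user, group is the web server's group, mode 750), flagging entries the web server's group could write or that any other account could reach. The function names, sample file names and temporary directory are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_vhost(docroot, owner_uid, web_gid):
    """Return sorted (relative path, problem) pairs for entries breaking the scheme."""
    findings = []
    paths = [docroot]
    for dirpath, dirnames, filenames in os.walk(docroot):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    for path in paths:
        st = os.lstat(path)  # lstat: judge the entry itself, never a symlink target
        rel = os.path.relpath(path, docroot)
        if stat.S_ISLNK(st.st_mode):
            findings.append((rel, "symlink"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != owner_uid:
            findings.append((rel, "wrong owner"))
        if st.st_gid != web_gid:
            findings.append((rel, "wrong group"))
        if mode & stat.S_IWGRP:   # web server group must stay read/execute only
            findings.append((rel, "group-writable"))
        if mode & stat.S_IRWXO:   # mode 750 grants nothing to "world"
            findings.append((rel, "world-accessible"))
    return sorted(findings)

def demo():
    """Build a constructed sample docroot and audit it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"index.php": 0o750, "upload.php": 0o770, "notes.txt": 0o754}
        for name, mode in samples.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        os.chmod(root, 0o750)
        st = os.lstat(root)  # stand-in for the vhost uid and the web server gid
        return audit_vhost(root, st.st_uid, st.st_gid)

if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{rel}: {problem}")
```

On a real server the uid and gid arguments would come from `pwd.getpwnam()` and `grp.getgrnam()` for the vhost user and the web server's group.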
