Posted by Tim Traver on 09/26/63 11:37
Hi all,
ok, I have come up with an architecture to offer PHP to customers as a
CGI, and want to get some opinions to make sure I'm not missing any
glaring holes...
I've decided to use suPHP to fork off PHP CGI scripts as the user and
group. It seems to work pretty well, and I have tweaked suPHP (i.e.
hacked the source) to force a particular GID as the group that is
different from the web server group. I have also forced a chroot to a
jailed filesystem in which they have access to the PHP libraries just
like they would on a real system.
So here's the gist of it:
1) For argument's sake, let's say that Apache is running as user www and
group www.
2) Each user has their own user ID and all files in their directories
are group www, allowing apache to serve all of their web data.
3) When suPHP is invoked, it changes the script to user "u1234" and
group "www2", and jails the script to /jail
4) Because the user directories are shared across NFS, the user's
structure (and all other users' structures) are also mounted in the /jail
5) Because the user's PHP script is running as user "u1234" and group
"www2", it has no access to any of the other users' data.
6) All directories within a user's space are in group "www" and have the
group sticky bit turned on, so that any files created will get created
with the "www" group and not the "www2" group. This will allow any files
the user creates in their own directories to be read by apache.
7) I have created an auto_prepend_file that sets the "session.save_path"
ini variable to a local directory within the user's account so that
session files are not in a place that can be read by anyone else.
8) Safe mode is disabled to allow users to be able to use PHP scripts
that need safe mode to be turned off.
9) In the /jail area, all unnecessary binaries have been removed (things
like ifconfig, mount, and dev stuff) to make it more secure, but useful
binaries were left for scripts to use (things like ls, rm, etc...)
Does anyone see any glaring holes in this model ???
Thanks,
Tim.
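The model above leans on two filesystem conditions holding for every user tree: each directory must carry the setgid bit and group "www" (step 6), otherwise files the u1234/www2 script writes there end up group "www2" and Apache cannot serve them, and the per-user session directory (step 7) must not be readable by other users. The following audit script is an added example, not code from the post; it builds a small constructed tree under a temp directory and reports directories that break those conditions. Directory names, the demo group, and the 0700 expectation for the session directory are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): audit a user's web tree for the
# conditions the suPHP/setgid model depends on.

# Print every directory under $1 that lacks the setgid bit (mode 2000).
# Files created in such a directory by the www2-group script will not
# inherit the directory's group, so Apache (group www) cannot read them.
missing_setgid() {
    find "$1" -type d ! -perm -2000
}

# Print every directory under $1 whose group is not $2 (e.g. "www").
wrong_group() {
    find "$1" -type d ! -group "$2"
}

# Return 0 if the session directory $1 is mode 0700, 1 otherwise.
# Works with GNU stat (-c) and falls back to BSD stat (-f).
session_dir_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "700" ]
}

# Build a constructed tree that mimics one user's account: public_html with
# one correctly configured subdirectory and one that is missing setgid, plus
# a private sessions directory. Prints the temp root so callers can use it.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/ok" "$root/public_html/bad" "$root/sessions"
    chmod g+s "$root/public_html" "$root/public_html/ok"   # bad/ deliberately left without setgid
    chmod 700 "$root/sessions"
    echo "$root"
}

# Stand-alone run: audit the constructed tree. On a real host you would
# point these functions at the user's home directory and at group "www".
demo() {
    root=$(make_demo_tree)
    demo_group=$(ls -ld "$root/public_html" | awk '{print $4}')   # constructed stand-in for "www"
    echo "Directories missing setgid under $root/public_html:"
    missing_setgid "$root/public_html"
    echo "Directories not in group $demo_group:"
    wrong_group "$root/public_html" "$demo_group"
    if session_dir_private "$root/sessions"; then
        echo "sessions dir is private (0700)"
    else
        echo "sessions dir is NOT private"
    fi
    rm -rf "$root"
}

# Run the demo only when executed directly, not when sourced by a test.
case "$0" in
    *audit*|*.sh) demo ;;
esac
```

On a production box the same two `find` calls, pointed at each home directory with group "www", give the operator a daily check that the group sticky bit has not been lost (for example by a user running `chmod` or an NFS mount that silently drops setgid), which is the failure mode that would leave newly created files unreadable by Apache or, conversely, readable by the wrong group.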