Chapter 4. Installed as an Apache module
When PHP is used as an Apache module it inherits Apache's user
permissions (typically those of the "nobody" user). This has several
impacts on security and authorization. For example, if you are using
PHP to access a database, unless that database has built-in access
control, you will have to make the database accessible to the
"nobody" user. This means a malicious script could access and modify
the database, even without a username and password. It's entirely
possible that a web spider could stumble across a database
administrator's web page, and drop all of your databases. You can
protect against this with Apache authorization, or you can design
your own access model using LDAP,

Often, once security is established to the point where the PHP user (in this case, the apache user) has very little risk attached to it, it is discovered that PHP is now prevented from writing any files to user directories. Or perhaps it has been prevented from accessing or changing databases. It has equally been secured from writing good and bad files, or entering good and bad database transactions.

A frequent security mistake made at this point is to allow apache root permissions, or to escalate apache's abilities in some other way. Escalating the Apache user's permissions to root is extremely dangerous and may compromise the entire system, so sudo'ing, chroot'ing, or otherwise running as root should not be considered by those who are not security professionals.

There are some simpler solutions. By using open_basedir you can control and restrict what directories are allowed to be used for PHP. You can also set up apache-only areas, to restrict all web based activity to non-user, or non-system, files.

Code Examples / Notes

tifkap
There is a safe way to support a lot of users in a secure way, without having to use CGI, in a way which is probably faster than mod_php. Use FastCGI, with the SuExecWrapper set to your suid wrapper.

It means every user will get his own program-group, with processes which are being reused. If the number of processes that is being started on startup is 0, then the processgroup for a user will be generated when needed. This means: The first page is slow, after that the Zend Engine caching kicks in. When the load on the virtualhost reduces, the processes will die off, and extra processes for a user-process-group will only be started when (again) needed.

Your apache will be a LOT! lighter, because it won't have to drag all the php-memory overhead with it. This means static content is faster, and the whole system uses less memory. The PHP itself also won't need to drag along the apache overhead.

If for one reason or the other php crashes, your apache will simply start some new php-processes. If you want to upgrade/patch php, you can simply create the new fastcgi binary, and after testing, you can simply update the system by copying it, and maybe doing an 'apachectl graceful'.

In short: Separating distinct functions in different processes communicating using IPC methods can be very good for performance and security. The best example of this principle at work is Postfix, where every process runs chroot() under its own uid.

http://wiki.openisis.org/i/view/Php/HowtoFastCgi

daniel dot eckl
There is a better solution than starting every virtual host in a separate instance, which is wasting resources. You can set open_basedir dynamically for every virtual host you have, so every PHP script on a virtual host is jailed to its document root.

Example:

    <VirtualHost www.example.com>
        ServerName www.example.com
        DocumentRoot /www-home/example.com
        [...]
        <Location />
            php_admin_value open_basedir \
                "/www-home/example.com/:/usr/lib/php/"
        </Location>
    </VirtualHost>

If you set safe_mode on, then the script can only use binaries in given directories (make a special dir only with the binaries your customers may use). Now no user of a virtual host can read/write/modify the data of another user on your machine.

Windseeker

kibab
I'm running Windows version of Apache with php as module. System is Windows XP Service Pack 2 on NTFS filesystem. To avoid potential security problems, I've set Apache to run under NT AUTHORITY\Network Service account, and there is only one directory, named Content, with Full Access for this account. Other directories are either not accessible at all or with read-only permissions (like %systemroot%)... So, even if Apache will be broken, nothing would happen to entire system, because that account doesn't have admin privileges :)
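
Added example, not part of the manual text or of any note above: a small Python audit of the per-virtual-host open_basedir setup from daniel dot eckl's note. It flags virtual hosts with no open_basedir, ones set with php_value (which .htaccess can override, unlike php_admin_value), and entries without a trailing slash; the sample configuration, including the example.org and example.net hosts, is constructed.

```python
import re

# Constructed sample: vhost 1 follows the note's layout, 2 and 3 show mistakes.
SAMPLE_CONF = r'''
<VirtualHost www.example.com>
  ServerName www.example.com
  DocumentRoot /www-home/example.com
  <Location />
    php_admin_value open_basedir \
      "/www-home/example.com/:/usr/lib/php/"
  </Location>
</VirtualHost>
<VirtualHost www.example.org>
  ServerName www.example.org
  DocumentRoot /www-home/example.org
  php_value open_basedir "/www-home/example.org"
</VirtualHost>
<VirtualHost www.example.net>
  ServerName www.example.net
  DocumentRoot /www-home/example.net
</VirtualHost>
'''

VHOST = re.compile(r'<VirtualHost[^>]*>(.*?)</VirtualHost>', re.S | re.I)
BASEDIR = re.compile(
    r'^\s*(php_admin_value|php_value)\s+open_basedir\s+"?([^"\n]+)', re.M | re.I)

def directive(block, name):
    m = re.search(r'^\s*%s\s+"?([^"\s]+)' % name, block, re.M | re.I)
    return m.group(1) if m else None

def audit(conf):
    """Return {ServerName: [findings]} for each <VirtualHost> block."""
    conf = re.sub(r'\\\r?\n\s*', ' ', conf)  # join backslash-continued lines
    report = {}
    for block in VHOST.findall(conf):
        root = (directive(block, 'DocumentRoot') or '').rstrip('/') + '/'
        findings, m = [], BASEDIR.search(block)
        if not m:
            findings.append('open_basedir not set')
        else:
            paths = m.group(2).strip().split(':')
            if m.group(1).lower() == 'php_value':
                findings.append('php_value is overridable; use php_admin_value')
            # Older PHP versions treat an entry without a trailing slash as a prefix.
            findings += ['no trailing slash: ' + p for p in paths if not p.endswith('/')]
            if not any(root.startswith(p.rstrip('/') + '/') for p in paths):
                findings.append('DocumentRoot outside open_basedir')
        report[directive(block, 'ServerName') or '(unnamed)'] = findings
    return report
```

Call `audit()` on the text of a virtual-host configuration file; an empty findings list means the host is jailed the way the note describes.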
georgee
Additional CAUTION to anyone trying Pollux's solution: It's kind of good. Probably works right. I think I'll give it a try myself. BUT... it's safe ONLY on the assumption that apache is 100% CLEAN. (codes and confs.) Any flaws on apache, almost ANYTHING could happen to ALL users -precisely, web users. (Because apache is a member of ALL -again, web user's- GID.) So, leeps's hint should be one of the important things. There is nothing close to perfect. What I wrote is just one thing you'll have to keep in mind. So, consider carefully BEFORE you try this solution. (Well, this applies to any other solutions though...)

leeps
@pollux: additionally, tell your users to set their file-permissions to
- r-- (group) for files
- --x (group) for directories.
This prevents the webserver from browsing the user's directory. If you don't know the filename, you cannot open it, e.g. by running malicious php-code through one of the users' scripts.
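
Added example, not part of leeps's note or of the PHP manual: a Python check that walks a user's web tree and reports every entry whose group bits grant more than the note recommends (r-- for files, --x for directories), together with the mode that would remove the excess. The tree built in `demo()` is constructed, and its file names and modes are made up for the example.

```python
import os
import stat
import tempfile

FILE_GROUP_OK = stat.S_IRGRP  # r--: the server can read a file it can name
DIR_GROUP_OK = stat.S_IXGRP   # --x: the server can traverse but not list

def audit_tree(root):
    """Return sorted (relative path, current mode, suggested mode) tuples for
    entries whose group bits grant more than the note recommends."""
    paths = [root] + [os.path.join(d, n)
                      for d, dirs, files in os.walk(root) for n in dirs + files]
    findings = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits are not what gets enforced
        allowed = DIR_GROUP_OK if stat.S_ISDIR(st.st_mode) else FILE_GROUP_OK
        mode = stat.S_IMODE(st.st_mode)
        excess = mode & stat.S_IRWXG & ~allowed
        if excess:
            findings.append((os.path.relpath(path, root),
                             oct(mode), oct(mode & ~excess)))
    return sorted(findings)

def demo():
    """Audit a constructed tree (names and modes are made up for the example)."""
    layout = {'.': 0o710, 'inc': 0o750, 'index.php': 0o640, 'inc/db.php': 0o660}
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, 'inc'))
        for rel in ('index.php', 'inc/db.php'):
            open(os.path.join(root, rel), 'w').close()
        for rel, mode in layout.items():
            os.chmod(os.path.join(root, rel), mode)
        return audit_tree(root)

if __name__ == '__main__':
    for rel, current, suggested in demo():
        print(f'{rel}: {current} -> {suggested}')
```

Only the group bits are examined; owner and other bits are carried through unchanged into the suggested mode.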