
Re: Apache Virtual Hosts Chroot ?



On Wed, Mar 19, 2003 at 02:35:53PM +0100, Ralf Dreibrodt wrote:
> Paul Hampson wrote:
> > 
> > You can effectively chroot php files with:
> > php_admin_value open_basedir /directory/where/files/are
> > in the Apache virtual host config. Then:
> > a) php4 won't let files outside that directory be accessed;
... directly.

> No:
> - Hard links

I wouldn't expect hard-links to be uploadable... Besides, don't
they also work across chroots? Surely hardlinks work below the
directory tree level...

> - Commands executed with "system" can access files outside this
> directory
open_safe_mode_exec_dir or disable_functions 'system' and other such...
It depends on what you let your users upload and run.

> - you can also access files in /directory/where/files/are2 or is this
> bug already solved?

Sorry, good point.
php_admin_value open_basedir /directory/where/files/are/
(This is not a bug, it's a listed feature...)

> There are probably other possibilities to access files outside this
> directory.

True. None come to mind though... (Not that that's worth much. :-)

> open_basedir has nothing to do with chroot, they are two different
> things.

Fair point. I shouldn't have said chroot. However, it addresses the
_other_ suggestions in the original email, with a little bit more
thought.

Another suggestion I've come across is a User per Virtual Server:
http://luxik.cdi.cz/~devik/apache/

Mind you, this patch has deficiencies... Once a child process has
served one of these virtualhosts, it exits. And it uses seteuid,
so if someone can inject seteuid(0) into the server, they're root
again.

Apparently Apache2 has a module to do user per virtual host...

Hmm. :-) If it does group per virtual host, I might look at
upgrading...

-- 
-----------------------------------------------------------
Paul "TBBle" Hampson, MCSE
6th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
Paul.Hampson@Anu.edu.au

Of course Pacman didn't influence us as kids. If it did,
we'd be running around in darkened rooms, popping pills and
listening to repetitive music.
 -- Kristian Wilson, Nintendo, Inc, 1989

This email is licensed to the recipient for non-commercial
use, duplication and distribution.
-----------------------------------------------------------
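The trailing-slash point made above (open_basedir treats its value as a path prefix, so /directory/where/files/are also admits /directory/where/files/are2) as an added Python illustration; this is not code from the thread or from PHP itself, and the paths are the constructed ones used in the discussion.

```python
import posixpath

# Constructed example: the vhost in the thread sets
#   php_admin_value open_basedir /directory/where/files/are
# and the reply corrects it to
#   php_admin_value open_basedir /directory/where/files/are/
# The two functions below mimic the difference between those two settings.

BASEDIR_NO_SLASH = "/directory/where/files/are"


def prefix_check(path: str, basedir: str) -> bool:
    """Prefix test as with the slash-less setting: any path whose normalized
    form merely *starts with* basedir is accepted, including sibling
    directories such as .../are2."""
    return posixpath.normpath(path).startswith(basedir)


def dir_check(path: str, basedir: str) -> bool:
    """Directory test as with the trailing-slash setting: basedir is
    normalized to a directory prefix ending in '/', so only the directory
    itself and paths inside it are accepted.  normpath() also folds '..'
    segments before the comparison, so traversal out of the directory does
    not pass.  (Symlinks and hard links are not resolved here; a real check
    would need realpath(), and hard links cannot be detected by name at all,
    which is the remaining caveat raised in the thread.)"""
    base_dir = posixpath.normpath(basedir).rstrip("/")
    target = posixpath.normpath(path)
    return target == base_dir or target.startswith(base_dir + "/")


def compare(path: str, basedir: str = BASEDIR_NO_SLASH) -> tuple:
    """Return (prefix_result, dir_result) for one path so the two behaviours
    can be compared side by side."""
    return prefix_check(path, basedir), dir_check(path, basedir)


if __name__ == "__main__":
    for p in ("/directory/where/files/are/index.php",
              "/directory/where/files/are2/secret.txt",
              "/directory/where/files/are/../are2/secret.txt"):
        print(p, compare(p))
```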
