[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: advice request for shared hosting and security issue

On 23.06.13 14:48, Oğuz Yarımtepe wrote:
I have a Debian Squeeze web server running PHP-FPM, fastcgi with apache2. I
used dotdeb sources to install php-fpm and fastcgi. There are many vhosts
defined on them, each has their own pool configuration and working without

My current problem is about the PhpSpy program. It is a PHP file that runs
dir, chdir, readdir commands and let the user traverse the file system and
read files. I couldn't figured it out a solution for it.

I used chroot option at the pool configuration which didn't worked. It
seems there is a but with Apache2 and Fastcgi usage. I enabled suexec also
which didn't helped.

I can try to disable opendir, chdir commands globally then some php files
under vhost directories will be broken.

What is the solution? Should i set chroot? If so how? Any working
combination will be great for Debian Squeeze.

I will be appreciated if there is an easier solution also.

I have tried to avoid something like this by using PHP compiled without
modules like posix,pcntl (maybe others?) and building special chroot that
only contained binaries of apache, php, used modules, and required
libraries.  It required small /dev (containing zero, null, urandom), small
/etc (containing stripped pasword, group and some others) and system with
/only a few libraries and directories.

It's doable but quite a pain to maintain.

other possibility is to use something similar to linux vservers with only
needed things built in.

Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
He who laughs last thinks slowest.
Reply to: