Re: advice request for shared hosting and security issue
On 06/23/2013 07:48 PM, Oğuz Yarımtepe wrote:
> I have a Debian Squeeze web server running PHP-FPM, fastcgi with
> apache2. I used dotdeb sources to install
Outch! Don't do that. dotdeb has, and I believe still is, a source of
troubles, with 2nd grade quality packages. You will have issues
upgrading. You will have bugs.
> My current problem is about the PhpSpy program. It is a PHP file that
> runs dir, chdir, readdir commands and let the user traverse the file
> system and read files. I couldn't figured it out a solution for it.
> I used chroot option at the pool configuration which didn't worked. It
> seems there is a but with Apache2 and Fastcgi usage. I enabled suexec
> also which didn't helped.
> I can try to disable opendir, chdir commands globally then some php
> files under vhost directories will be broken.
> What is the solution? Should i set chroot? If so how? Any working
> combination will be great for Debian Squeeze.
I don't use php-fpm here. I use SBOX (which I both maintain as upstream
and as a Debian package). This is a cgi-bin wrapper. I use aufs to
provide a template for every site, so that I don't have too much
duplication. SBOX is in use using AddHandler & Action directive of
Apache. As I don't want to have my users write these in a .htaccess (and
therefore, bypass my security and the chroot), I have backported the
AllowOverrideList option of Apache 2.4 into Apache 2.2.
All this works great so far. Every site is chrooted, and can benefits
from having a full system environment which I maintain using apt, though
each site can also customize the php.ini and so on. The only problem I
have is that AUFS isn't very stable, and sometimes crashes the whole
system (maybe about once a month or so...). Let's hope we have soon a
better union filesystem to work with.
If you need more info on how I do all of the above (like where to get
the packages and how to do the setup), let me know.