
Re: advice request for shared hosting and security issue



Would apparmor be of any use in this instance?

On 23/06/2013, at 10:24 PM, Matus UHLAR - fantomas <uhlar@fantomas.sk> wrote:

> On 23.06.13 14:48, Oğuz Yarımtepe wrote:
>> I have a Debian Squeeze web server running PHP-FPM, fastcgi with apache2. I
>> used dotdeb sources to install php-fpm and fastcgi. There are many vhosts
>> defined on them, each has its own pool configuration and works without
>> problems.
>>
>> My current problem is about the PhpSpy program. It is a PHP file that runs
>> dir, chdir, readdir commands and lets the user traverse the file system and
>> read files. I couldn't figure out a solution for it.
>>
>> I used the chroot option in the pool configuration, which didn't work. It
>> seems there is a bug with Apache2 and Fastcgi usage. I enabled suexec also,
>> which didn't help.
>>
>> I can try to disable opendir, chdir commands globally, but then some php
>> files under vhost directories will be broken.
>>
>> What is the solution? Should I set chroot? If so, how? Any working
>> combination would be great for Debian Squeeze.
>>
>> I would appreciate it if there is an easier solution also.
>
>
> I have tried to avoid something like this by using PHP compiled without
> modules like posix, pcntl (maybe others?) and building a special chroot that
> only contained binaries of apache, php, used modules, and required
> libraries.  It required a small /dev (containing zero, null, urandom), a small
> /etc (containing stripped password, group and some others) and a system with
> only a few libraries and directories.
>
> It's doable but quite a pain to maintain.
>
> Another possibility is to use something similar to Linux vservers with only
> the needed things built in.
>
> --
> Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> He who laughs last thinks slowest.
>
>
> --
> To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: http://lists.debian.org/20130623121439.GA20385@fantomas.sk
>
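The thread above touches two things a practitioner would want spelled out: a per-pool fix for the directory-walking web shell that does not break other vhosts (the original poster's worry about disabling opendir/chdir globally), and the minimal /dev and /etc that Matus describes for a chroot. The script below is an added example, not code from anyone in the thread. It assumes the Debian Squeeze/dotdeb layout of one pool file per vhost under /etc/php5/fpm/pool.d, one Unix user per vhost with its docroot at /var/www/<user>/htdocs, and a Unix socket per pool; those names are illustrative. Two caveats stated here as the editor's own explanation rather than anything the thread confirms: PHP-FPM's `chroot` makes PHP see paths relative to the chroot, so the web server must pass SCRIPT_FILENAME as /htdocs/index.php rather than /var/www/<user>/htdocs/index.php, which is the usual reason a pool chroot "does not work"; and because the worker chroots after the master has already loaded PHP and its extensions, the pool chroot needs no copied libraries, only the device nodes, passwd/group and anything PHP opens lazily (for example /etc/resolv.conf or a database socket). `open_basedir` already confines opendir/chdir/readdir to the listed directories, so those functions stay enabled.

```shell
#!/bin/sh
# Per-pool hardening for PHP-FPM against a directory-walking web shell.
# Added example; assumes Debian Squeeze + dotdeb paths (pool.d, php5-fpm
# sockets) and one Unix user per vhost with docroot /var/www/<user>/htdocs.
set -eu

# Write a pool file for one vhost. $1 = pool/user name, $2 = output dir.
# open_basedir and disable_functions are php_admin_value, so the vhost's
# own php.ini/.user.ini cannot loosen them, and they apply to this pool
# only: other vhosts keep full opendir/chdir behaviour.
make_pool() {
    user=$1; outdir=$2
    cat > "$outdir/$user.conf" <<EOF
[$user]
user = $user
group = $user
listen = /var/run/php5-fpm-$user.sock
pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 3
; Chroot to the vhost directory: inside PHP the docroot is /htdocs, so the
; web server must send SCRIPT_FILENAME relative to the chroot.
chroot = /var/www/$user
chdir = /htdocs
; Defence in depth (also useful if chroot is left off): confine file access
; to the docroot and /tmp, and drop process-spawning functions.
php_admin_value[open_basedir] = /htdocs:/tmp
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec
php_admin_value[upload_tmp_dir] = /tmp
php_admin_value[session.save_path] = /tmp
EOF
    echo "$outdir/$user.conf"
}

# Keep only root and the named user/group from a passwd or group file read
# on stdin; this is the "stripped password, group" of the thread.
strip_users() {
    awk -F: -v keep="$1" '$1 == "root" || $1 == keep'
}

# Populate the minimal chroot for one pool: small /dev (null, zero,
# urandom), stripped /etc/passwd and /etc/group, a sticky /tmp and the
# docroot. Needs root for mknod. $1 = chroot dir, $2 = pool user.
build_chroot() {
    root=$1; user=$2
    mkdir -p "$root/dev" "$root/etc" "$root/tmp" "$root/htdocs"
    chmod 1777 "$root/tmp"
    [ -c "$root/dev/null" ]    || mknod -m 666 "$root/dev/null" c 1 3
    [ -c "$root/dev/zero" ]    || mknod -m 666 "$root/dev/zero" c 1 5
    [ -c "$root/dev/urandom" ] || mknod -m 444 "$root/dev/urandom" c 1 9
    strip_users "$user" < /etc/passwd > "$root/etc/passwd"
    strip_users "$user" < /etc/group  > "$root/etc/group"
    chown -R "$user:$user" "$root/htdocs"
}

# Usage (as root), e.g.:
#   . ./fpm-harden.sh
#   make_pool alice /etc/php5/fpm/pool.d && build_chroot /var/www/alice alice
```

The pool file is the piece that answers the original question directly: set `open_basedir` and `disable_functions` per pool with `php_admin_value`, and only the compromised vhost is restricted. `build_chroot` is the device-node and passwd/group part of Matus's recipe reduced to what an FPM pool chroot needs; a full chroot that also holds apache and php binaries, as he describes, would additionally need the libraries `ldd` reports for each binary.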

