Security tip

Discussion in 'Linux VPS/Dedicated - General' started by stormrider, Aug 13, 2007.

  1. stormrider

    stormrider New Member

    Hello,

    I just wanted to share this with you because i already had some serious problem ( wasn't hosting on knownhost yet ).

    If you run multiple sites from different users and at least one of them uses PHP it might be a good idea to compile PHP as CGI.

    Why?

    If you are running php as Apache module them your php scripts run as the apache's user. Usually, the apache's user can access all other user's files ( otherwise it wouldn't be able to run the scripts ).

    So all users can see the other user's files using php and you might know that is really common to find 777 permissions on files, indicating that files can be deleted too.

    There's a feature called php open basedir which should restrict the access of a user on the system but i found out that this do not work with system() ( or shell_exec and other functions like this ).

    Just try on your server, create a php file with the following content

    <?php
    system( 'ls -lh /home/' );
    ?>

    You will see all user's home and will be able to access it ( using shell commands of course ).

    I had the following problem in the past. Due to a bad designed script from a user anyone could run any shell command on the server ( using system(); ).

    One "cracker" did something like:

    Code:
    rm -rf /
    About 20 accounts were totally deleted from the server and almost all accounts lost some files.

    If you run as CGI + phpsuexec you'll find out that php scripts are runned as the user so they only see theirselves on the server ( even with system() ). If something like that inccident happen with this conf only the user that had the bad designed script will have files deleted.

    I hope this helps someone.
     
  2. Dan

    Dan Moderator

    First off do you really think it was very wise to post such details? Wow I don't.


    Second, suexec will do a lot to protect against this too.
     
  3. stormrider

    stormrider New Member

    Hello,

    Why it wouldn't be wise to post details?

    I tried this with suexec and i could list files with system();
     
  4. ppc

    ppc Moderator

    stormrider,

    Which CP do you use?

    I'm using Plesk and when I try to access that php file, I get a blank white page.
     
  5. Dan

    Dan Moderator

    Um, because you just told people how to exploit systems?

    And I'm sorry I should have said PHPsuexec.

    Josh,

    I think that means you have PHP compiled as a CGI as I got the same thing although I have it compiled as a CGI and also PHPsuexec running.
     
  6. ppc

    ppc Moderator

    I know that at least I never compiled PHP as CGI :D

    The only thing I could think of is that Knownhost complied PHP as CGI when I ordered the VPS or Plesk does it automatically(which would be a real shock ;))
     
  7. Dan

    Dan Moderator

    Ok, I dug a little deeper and found I do not have PHP compiled as CGI but I DO have PHPsuexec. This essentially does the same thing that compiling PHP as CGI does and when looking at a PHP info it will show "Server API CGI".

    Sorry about the mis-info above, all I can say is too many hosts over too many years LOL
     
  8. stormrider

    stormrider New Member

    I'm using Cpanel/WHM.

    Dan,

    My intention was to show an example of what can be done and not tell people how to exploit systems. Unfortunately, when we are talking about security stuff like that will appear.
     
  9. ppc

    ppc Moderator

    So does that mean magically plesk secures me? Is that even possible? (Plesk=secure :p)
     
  10. stormrider

    stormrider New Member

    Hello,

    Maybe this is the default configuration of Plesk?
     
  11. ppc

    ppc Moderator

    hmm....anyone know for sure?
     
  12. stormrider

    stormrider New Member

    Take a look at phpinfo() at search for Server API. Is it CGI?
     
  13. ppc

    ppc Moderator

    I checked phpinfo():

     
  14. Demio

    Demio New Member

    Just configure two directives in the php.ini file.

    the open_basedir one, I set mine to /tmp/:/usr/lib/php/:/var/www/

    and the disable_functions, I set mine to shell_exec,exec,system,dbmopen,suexec,escapeshellcmd,show_source,escapeshellarg

    This should make your PHP safer :)
     
  15. Leomania

    Leomania New Member

    Folks, I think all that may be going on is that permissions for /home are set such no users other than root can see the contents of /home. Change that php script to something that normal users do have access to such as /etc and you'll likely get some output.

    Indeed, user directory permissions on my system are 711 (rwx--x--x). This is probably a function of how DirectAdmin sets up accounts in general, but if it has no other unintended side-effects it seems a reasonable (even necessary) security measure in most shared hosting environments.
     

Share This Page