LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 01-30-2010, 12:29 PM   #1
danielinirving
LQ Newbie
 
Registered: Jan 2010
Posts: 2

Rep: Reputation: 0
Question Proper security settings for virtual hosting of domains?


I have a CentOS 5 server in which I use Virtual Hosting and each domain has its own user/pass for login to upload files.

The path is /var/www/vhosts/[domain name]/httpdocs/

What im attempting is setting up the creation of the [domain name] folder from an administration backend under PHP, which I am developing. What Im worried about is if I allow PHP to run command line commands such as mkdir, then what is stopping anyone from doing the same from their php files on my server???

What is the best way to properly setup my server to allow automated creation of the domain structure within my folder system?

I hope I explained that well enough.. if not, please inquire for further answers.
 
Old 01-30-2010, 05:36 PM   #2
Web31337
Member
 
Registered: Sep 2009
Location: Russia
Distribution: Gentoo, LFS
Posts: 399
Blog Entries: 71

Rep: Reputation: 65
your task is simple. deny all PHP functions related to shell access and processes management. remove unwanted extensions from PHP that will serve websites. Run web-server(PHP) under minimal privileges: separate user account not having shell and not existing home directory, make sure nothing else runs as webserver user, and webserver cannot write any configs.
Use open_basedir in PHP for each host.

And last, if you are using PHP backend for that, you must be running that under root? Don't do that. In fact, you'd better create a simple shell-script that will write webserver configs, create directories and base files for hosting. If you are going to allow clients to manage their vhosts, that would be quite a different story which I most likely can't really tell you because never messed with it.

Googling also helps, my answer may not be interpreted as a full solution, I may miss some things. Actually, I only described what's needed, you'd have to work it out yourself, according to your webserver and system configuration.

If you'll have further questions, post them back here, I'm sure I can help you with some exact problem.

Last edited by Web31337; 01-30-2010 at 05:37 PM.
 
1 members found this post helpful.
Old 01-31-2010, 01:58 PM   #3
danielinirving
LQ Newbie
 
Registered: Jan 2010
Posts: 2

Original Poster
Rep: Reputation: 0
thanks, that is a good start. My webserver runs as apache:apache and not root so that knocks that out. I now have a starting point. If I run into any snags, ill be sure to come back and see if there is any more knowledge I can extract from here that cant be found on google.
 
Old 01-31-2010, 10:51 PM   #4
Web31337
Member
 
Registered: Sep 2009
Location: Russia
Distribution: Gentoo, LFS
Posts: 399
Blog Entries: 71

Rep: Reputation: 65
in that case, as I mentioned, edit apache user to disable shell and home directory. make sure home directory and client directories owned by other user than 'apache' and then you can start configuring PHP.
List of functions I recommend to disable with apache+mod_php: eval, exec, passthru, popen, proc_open, shell_exec, system
but it's not a complete list. You should write it globally in your php.ini's disable_functions directive.
Make sure you don't have posix functions enabled, if you have, better rebuild PHP with --disable-posix. These functions are potentially dangerouns because they reveal information about your system and users.
I personally never built PHP for apache, but i guess there is an option somewhere in config script, allowing to disable apache_* functions. They are also can be misused, so either try to remove them on building stage or deny them all in php.ini as those from a list above. These functions can be found here: http://ru.php.net/manual/en/ref.apache.php
It's recommended to disable sockets and fsockopen function.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Hosting 2 domains - 1 ip F M J Linux - Server 4 05-15-2009 04:36 PM
do I really need virtual hosting if only hosting one site kustomjs Linux - Server 8 05-22-2008 12:17 PM
Apache: hosting multiple domains fturcic Linux - Software 1 02-15-2005 05:39 PM
Hosting multiple domains Imanerd Linux - Networking 2 01-04-2005 08:10 PM
Hosting my own domains on Linux with a router gomer1701ems Linux - Networking 5 02-16-2001 12:46 PM


All times are GMT -5. The time now is 11:11 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration