LinuxQuestions.org
Old 11-04-2010, 01:13 PM   #1
pernest
LQ Newbie
 
Registered: Mar 2010
Posts: 10

Rep: Reputation: 0
Permissions, users and security with Apache, suPHP and vsftpd and on vps


I've just got my hands on a VPS with CentOS 5.5 and have been having a lot of fun configuring it. I'll give a bullet-pointed list of what I want to do, what I have and what restrictions I'm facing:
  • Will be hosting multiple small low-traffic sites using Apache virtual hosts
  • Some sites will be Joomla!
  • Want to allow FTP access for Joomla! to virtual host webroot directories
  • Want to stop PHP from accessing system files
  • SELinux cannot be installed with my hosting company's virtualisation

I want to isolate and secure each virtual host as much as possible and I was trying to figure out the best way to do this. So far the security measures I've been considering are:
  • Use PAM to create virtual users for vsftpd, so that ftp users are not system users and have no shell access.
  • Chroot vsftpd users to their Apache virtual host webroot
  • Use suPHP
  • PHP safe mode
  • PHP disable functions such as exec
  • Create multiple system users with very restricted rights, one for each Apache virtual host
  • Use php directive open_basedir

I know that these are not all compatible with one another, and some will be much more effective than others. I was hoping for some guidance as to the most sensible way to go about securing my VPS, whilst at the same time allowing the functionality I need to provide.

I know that this issue has been covered countless times on this forum and others, but I'm having trouble assimilating all this information into a best practice that I will implement.

Thanks

Last edited by pernest; 11-04-2010 at 01:18 PM.
 
Old 11-04-2010, 02:08 PM   #2
mazhar_theone
LQ Newbie
 
Registered: Mar 2008
Posts: 14

Rep: Reputation: 0
First of all, do not set the following PHP settings unless there is no other workaround to make your sites work.

display_errors = On
allow_url_fopen = On
allow_url_include = On
max_execution_time = (set this as low as you can).

Hide the webserver name and version in the Apache settings.

If you are using SuExec then make sure the user (for webserver / PHP) under which the website or PHP will run does not have write access to any of your files inside or outside of your site's DocumentRoot (except the session path).

Few web applications really need safe_mode Off to function properly. So try to make a workaround if you are setting this On.

A few of the most vulnerable PHP functions, which should be disabled, that could be used against the site:

phpinfo - shows information about PHP settings.
shell_exec - executes a command via the shell and returns the complete output as a string.
exec - executes an external command.
system - executes an external program and displays the result.
ftp_connect - opens an FTP connection.
ftp_login - logs in to an FTP connection.
ftp_exec - requests execution of a command on the FTP server.
ftp_put - uploads a file to the FTP server.
ftp_get - downloads a file from the FTP server.

Refer to this URL for more
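
An added example, not part of the thread: a shell check that audits a php.ini for the settings and functions named in the post above. The function names and the sample file are constructed for illustration; matching is on whole comma-separated names, so listing shell_exec does not count as disabling exec.

```shell
#!/bin/sh
# Added example: audit a php.ini for the directives named in the post above.

# ini_get FILE KEY: print the last uncommented value of KEY (empty if unset).
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/;.*$//; s/"//g; s/[[:space:]]*$//' | tail -n 1
}

# audit_php_ini FILE: print one finding per line.
audit_php_ini() {
    for key in display_errors allow_url_fopen allow_url_include; do
        val=$(ini_get "$1" "$key" | tr '[:upper:]' '[:lower:]')
        case $val in
            on|1|true|yes) echo "RISK $key is enabled" ;;
            "") echo "UNSET $key (PHP's built-in default applies)" ;;
        esac
    done
    # Wrap the list in commas so only whole function names match.
    disabled=",$(ini_get "$1" disable_functions | tr -d '[:space:]'),"
    for fn in phpinfo shell_exec exec system \
              ftp_connect ftp_login ftp_exec ftp_put ftp_get; do
        case $disabled in
            *",$fn,"*) ;;
            *) echo "MISSING $fn is not in disable_functions" ;;
        esac
    done
}

# write_sample_ini: create a constructed sample php.ini and print its path.
write_sample_ini() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
; constructed sample, not taken from the thread
display_errors = On
allow_url_fopen = Off
;allow_url_include = On
disable_functions = phpinfo, shell_exec, system
EOF
    echo "$f"
}

sample=$(write_sample_ini)
audit_php_ini "$sample"
rm -f "$sample"
```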
 
Old 11-04-2010, 02:33 PM   #3
pernest
LQ Newbie
 
Registered: Mar 2010
Posts: 10

Original Poster
Rep: Reputation: 0
Hi thanks for the response, you've raised some points that I will certainly look into. However your answer seems to focus on securing php, rather than the server itself.

Quote:
Originally Posted by mazhar_theone View Post
Few web applications really need safe_mode Off to function properly. So try to make a workaround if you are setting this On.
PHP safe mode is deprecated in the current release and is due for removal in PHP 6. I've read that the reason for this is to stop people relying on safe mode as it gives a false sense of security.

Quote:
Originally Posted by mazhar_theone View Post
A few of the most vulnerable PHP functions, which should be disabled, that could be used against the site:
phpinfo - shows information about PHP settings.
shell_exec - executes a command via the shell and returns the complete output as a string.
exec - executes an external command.
system - executes an external program and displays the result.
ftp_connect - opens an FTP connection.
ftp_login - logs in to an FTP connection.
ftp_exec - requests execution of a command on the FTP server.
ftp_put - uploads a file to the FTP server.
ftp_get - downloads a file from the FTP server.
Refer to this URL for more
Unfortunately, as the article I refer to above states, these lists are usually not exhaustive, and if one function is missed, then there was no point in the whole disabling process in the first place.

Of course I will seriously consider disabling dangerous functions that I don't need, but I want to tackle security on an OS/web server level, rather than script level.
 
Old 07-21-2011, 03:54 PM   #4
razero
LQ Newbie
 
Registered: Mar 2010
Posts: 4

Rep: Reputation: 0
Hi all

first thanks, I didn't know about ftp_* php functions.

I am running vsftp on a LAMP
The server runs many websites (CMSs like Typo3) and for each instance I have to create an FTP account,
so I added the user to the group www-data (Ubuntu) and I changed the permissions as follows:
find /var/www/theinstance/ -type f -exec chmod 664 {} \;
find /var/www/theinstance/ -type d -exec chmod 775 {} \;
The problem is now that if a customer creates a file over Typo3 (or any CMS) the file's permissions will change to 644 for files and 755 for directories.
The ftp user is now not able to edit those files.
I changed the umask in /etc/profiles to 002. I did solve the problem!

I am a little concerned about security.
Could I cause some security issue with the permission configuration I made?

Thanks for any suggestion.

Last edited by razero; 07-21-2011 at 04:06 PM.
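
The permission scheme in this post, as an added example that is not part of the thread: it shows the modes new files and directories get under umask 022 and 002, then lists the group- and world-writable entries under a docroot, each of which can be modified by every member of the file's group (GROUP) or by any local user (WORLD). The function names and the sample tree are constructed; GNU find and stat are assumed.

```shell
#!/bin/sh
# Added example: what umask 022 vs 002 gives new files, and which entries
# under a web root are group- or world-writable. Assumes GNU find and stat.

# mode_under_umask MASK: print "FILEMODE DIRMODE" for entries created under MASK.
# Runs in a subshell so the caller's umask is left unchanged.
mode_under_umask() (
    umask "$1"
    tmp=$(mktemp -d)
    : > "$tmp/f"
    mkdir "$tmp/d"
    echo "$(stat -c %a "$tmp/f") $(stat -c %a "$tmp/d")"
    rm -rf "$tmp"
)

# audit_webroot DIR: print "WORLD path" for world-writable entries and
# "GROUP path" for entries writable by the group but not by everyone.
audit_webroot() {
    find "$1" ! -type l -perm -0002 | sort | sed 's/^/WORLD /'
    find "$1" ! -type l -perm -0020 ! -perm -0002 | sort | sed 's/^/GROUP /'
}

# make_sample_tree: build a constructed docroot and print its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/site/uploads"
    : > "$root/site/index.php";  chmod 644 "$root/site/index.php"
    : > "$root/site/config.php"; chmod 664 "$root/site/config.php"
    : > "$root/site/uploads/x";  chmod 666 "$root/site/uploads/x"
    chmod 775 "$root/site"
    chmod 777 "$root/site/uploads"
    echo "$root/site"
}

echo "umask 022 -> $(mode_under_umask 022)"
echo "umask 002 -> $(mode_under_umask 002)"
docroot=$(make_sample_tree)
audit_webroot "$docroot"
rm -rf "${docroot%/site}"
```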
 
Old 07-21-2011, 10:19 PM   #5
(=AA=)
LQ Newbie
 
Registered: Dec 2002
Location: UK
Distribution: Many
Posts: 24

Rep: Reputation: 3
You should run Apache with suExec and FastCGI; that way permissions on files for each virtual host stay as the user they belong to. This also integrates well with FTP, but make sure FTP is set up securely.

http://linux-101.org/howto/apache-vi...cgi-and-suexec
 
1 members found this post helpful.
Old 07-22-2011, 08:16 AM   #6
razero
LQ Newbie
 
Registered: Mar 2010
Posts: 4

Rep: Reputation: 0
Thank you (=AA=)

nice hint, FastCGI is up and running, you saved me!

FTP at the moment is not a big issue for me. I have just some IPs that I have to allow on FTP for now.
But it is secure anyway (at least I think so)...
 
  

