LinuxQuestions.org
03-14-2003, 09:32 AM   #1
paranoid
LQ Newbie
Registered: Mar 2003
Location: Never more than 30 seconds from a keyboard
Distribution: Debian by choice, RH for Work, *BSD on and off
Posts: 13

Protecting against malicious PHP

I'm trying to secure a web server, and I'm flooded with information (Google) that seems helpful, just not quite: there's always something that makes it not apply to me somehow, like markus1982@linuxquestions on 01-19-2003 12:33PM who's using Apache2...

I would have thought my situation totally run-of-the-mill:

Have RedHat
Have Apache 1.3.27
Have people I know but can't trust
Have to let them continue making websites with PHP and perl and even cgi (though I can cut down on the pure cgi's)

And the question is, what do I do to avoid these people messing with my machine and with each other? There is nothing today; I didn't install the beast, and I can't just turn things off, for things will stop working...

Isn't this what every ISP out there has for letting their clients make web pages on the ISP's servers?

To compound my problems, I'm good at databases and mail servers and firewalls and scripts and such, but my Apache experience is limited to simple things for one trusted user.

So let's see where I am:

Every user has a UID (though I'd like to do away with that too), uploads with FTP chrooted to /www/userid/. The Apache Docroot of each user's website is at /www/userid/html/, with a ScriptAlias to /www/userid/cgi/. Apache isn't chrooted; would that help? Not against a malicious PHP or cgi going into other people's directories.

PHP safe_mode won't do much good if I manage to do away with UIDs, and won't be possible if I don't, because files created by uploading through PHP will be owned by apache and therefore not accessible, isn't that right?

PHP open_basedir seems to be real gold; I'll use that for PHP, but it won't help for the Perl.

For the Perl, I could use fastcgi and suexec and run everything under the UID, but it won't stop people from reading world-readable files, writing in /tmp and browsing other www directories unless I somehow chroot the fastcgi process to the /www/userid/ directory, right? Wouldn't that be a pain, since I'd have to have a copy of the perl interpreter and everything for every single user?

If I use suexec for perl, couldn't I also use it for PHP?

On another note, isn't there a warning mode I could use to detect when something would not work using open_basedir, so that I could at least evaluate the number of people impacted by setting that?

I'm probably a bit overwhelmed here. Has somebody been through this before?
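One way to put the pieces the post mentions together, as an added illustration that is not from the thread: a per-user Apache 1.3 virtual host where CGI/Perl goes through suexec under the user's own UID and mod_php is confined with open_basedir. The host name, the user name "userid" and the /www/userid/tmp directory are assumptions built on the /www/userid/ layout described above; the server is assumed to be Apache 1.3 built with suexec and mod_php (PHP 4).

```apache
# Added example, not configuration from the original post.
# Assumes: Apache 1.3 with suexec, mod_php (PHP 4), a local account
# "userid" owning /www/userid/, and a writable /www/userid/tmp/.

<VirtualHost *:80>
    ServerName   userid.example.com
    DocumentRoot /www/userid/html

    # CGI and Perl run under the user's own UID/GID via suexec.
    # Apache 1.3 reads User/Group inside <VirtualHost> for this.
    User  userid
    Group userid
    ScriptAlias /cgi-bin/ /www/userid/cgi/

    # mod_php still runs as the apache user, so fence file access to
    # the user's tree. php_admin_value cannot be overridden from an
    # .htaccess file or ini_set(), unlike php_value.
    # Keep the trailing slash: open_basedir is a prefix match, so
    # "/www/userid" would also permit "/www/userid2/".
    php_admin_value open_basedir "/www/userid/"

    # Uploads and session files must land inside open_basedir, and in
    # a per-user directory rather than the shared /tmp.
    php_admin_value upload_tmp_dir    "/www/userid/tmp"
    php_admin_value session.save_path "/www/userid/tmp"

    # open_basedir does not restrict programs a script spawns, so shut
    # the shell-out functions off; remote includes are refused too.
    php_admin_value disable_functions "system,exec,passthru,shell_exec,popen"
    php_admin_flag  allow_url_fopen off
</VirtualHost>
```

A script that reaches outside the allowed tree fails with a PHP "open_basedir restriction in effect" warning, so enabling log_errors and watching the vhost error log gives a rough count of affected scripts, though only for the code paths that actually get executed.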