Security Question

[zoom]

I've successfully recompiled PHP with some additional features enabled and have a question about security. I wrote a small php script to ensure that PHP was being restricted to a specfic webroot for any given site.

I created this simple php script

<? system($arg); ?>

Using something like "www.mydomain.com/test.php?arg=/bin/ls /usr/local/src" I can see the directory listing. However, when I run this script using the php binary that came with LiteSpeed I don't see the directory listing, why???

Restrained is enabled.

Here are the options I compiled PHP with using the LiteSpeed SAPI.

--enable-force-cgi-redirect --enable-pic --enable-gd-native-ttf --disable-rpath --enable-inline-optimization --enable-bcmath --enable-exif --enable-magic-quotes --enable-safe-mode --enable-sockets --enable-discard-path --enable-ftp --enable-track-vars --enable-trans-sid --enable-yp --enable-wddx --enable-calendar --with-db4 --with-curl --with-png-dir=/usr --with-freetype-dir=/usr --with-openssl=/usr/local/ssl --with-gd --with-ttf --with-gdbm --with-gettext --with-ncurses --with-gmp --with-iconv --with-png --with-xml --with-expat-dir=/usr --with-zlib --with-layout=GNU --without-oci8 --with-imap  --with-imap-ssl=/usr/local/ssl  --with-mysql=/usr  --with-kerberos --with-jpeg-dir=/usr --with-pear --enable-shmop --enable-track-vars --enable-sysvsem --enable-sysvshm --with-litespeed

 

[mistwang]

I think it is a php configuration issue, different php.ini is used for your binary and the pre-built binary.

The pre-built binary uses lsws/conf/php.ini.

Maybe you can try set "open_basedir" "safe_mode" configuration in your php.ini .

It is a pure PHP security issue, not directly related to LSWS configuration, and vhost restrains has no effect on this.

 

[zoom]

I guess this worries me somewhat. I thought that running php outside the webserver process would prevent this from happening. On my production server I run Apache SuExec, however because I run PHP using mod_php SuExec has no effect and therefore I must set things like safe_mode and open_basedir.

Are you telling me that even if I run PHP as a FastCGI, CGI or LiteSpeed SAPI that I can't restrict from running system commands that would allow them to view content that other virtual hosts might be running???

 

[mistwang]

With LiteSpeed, you can run CGI/FCGI/LSAPI in setUid mode (suEXEC), sentence them into their own jail (chroot), in addtion to PHP safe_mode and open_basedir.

To run all CGI/FCGI/LSAPI for one vhost in setUid mode, usually in the user id of owner of the document root directory, you just change "CGI Set UID Mode" to "Doc root Uid". And you have to define a LSAPI app and PHP script handler in each vhost, not to share the global script handler. As long as the permission of each user account has been set properly, they will not able to peek other's file.

Per virtual host chroot jail has the best security, but is too much for normal installation. LSWS can do that as well, but you have to setup the jail environment for each vhost. Too much trouble.

 

[zoom]

Thanks mistwang,
I was able to isolated each of the test virtual hosts using the method you indicated. I do have one question about the Address for the external app. Do I need to specify a different sock name for each virtual host?

 

[mistwang]

Yes, you can use $VH_NAME in the socket name like $VH_NAME_php.sock to archive this.
And LSAPI may ignore the socket configuration if all LSAPI process is managed by LSWS directly (without PHP_LSAPI_CHILREN environment variable).