suExec security

closet geek

Well-Known Member
#1
Hi,

I come from a suPHP background. We use suExec with LS configured directly via LS virtualhosts.

We can see that PHP scripts are running as the user, not as the LS server, which is great. However, there appears to be little benefit to this approach, namely:

1) LS still executes PHP scripts if they are owned by a completely different user/group.

2) LS still executes PHP scripts if the directory they reside in is 777 *and* if the directory is not owned by the user/group.

Surely these are the things that suExec is supposed to prevent? Have I missed something obvious?

Thanks.
 

mistwang

LiteSpeed Staff
#2
suEXEC is to make a script run as the user who owns the script; the rest is the responsibility of the Linux/Unix security model.

With proper permissions set, one user will not be able to access files owned by another user; executing PHP scripts owned by other users is not possible.
 

closet geek

Well-Known Member
#3
suEXEC is to make a script run as the user who owns the script; the rest is the responsibility of the Linux/Unix security model.

With proper permissions set, one user will not be able to access files owned by another user; executing PHP scripts owned by other users is not possible.
So it's actually quite a big step back from a security POV compared to suPHP? It allows for 777 directories and in my testing it also allows for files that are not owned by the user to be executed (I've only tested files in the same directory, not in other document roots).
 

mistwang

LiteSpeed Staff
#4
We consider it a minor security feature. It may help a little bit sometimes, but it is awkward sometimes. If the Unix file system security has been set properly, it does not make suphp more secure than without it.
 

QuantumNet

Well-Known Member
#5
Suexec is a false sense of security; there are better ways to secure your system without leaving vulnerable PHP scripts wide open to exploitation.


Suexec makes the php process run as the same user the php script is owned by...

Can we say a website defacer's dream come true... exploit an insecure version of forums, causing my PHP script to be uploaded to the system since all directories are now writable thanks to suexec... I can now modify and backdoor any file in the entire site. Great, thanks, all you admins who rely on suphp or suexec or phpsuexec; we now have a web of insecure sites all over the place.

As mistwang pointed out, everything is based on how you secure the file system with Unix permissions. If you think you can flip a switch and boom, be protected, you are wrong.

Those extra securities offered by phpsuexec and suphp have no benefit due to my explanation above.

So let's say we locked down the Unix file permissions so user A cannot access user B's files...

Okay, well, then there would be no difference between LiteSpeed's suexec and phpsuexec, as they now perform the same.

But this then raises the question of why use suexec at all? It obviously allows sites to be easily defaced. If we can prevent a user from accessing another user's files without it... what is the need?

What about when you don't use suexec and users start to chmod 777 so their scripts work?

Easy to solve that one: let's create a cron job that runs once an hour and drops a little .htaccess file in all world-writable directories:

Add any file extensions your server serves up:
PHP:
<Files ~ "^.*\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)">
    Order allow,deny
    Deny from all
</Files>
What does this do? Well, simple: if an attacker is able to exploit a broken system and get his file uploaded into one of the writable directories, then this script prevents them from actually accessing it.

Combined with a few other technologies like the php_exec_dir patch, mail header patch, disable_functions, and suhosin, you can have a system that is more secure than the false sense of security that suexec or phpsuexec offer you.
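
The hourly cron job described in the post above could look like the following. This is an added example, not code from the thread or from LiteSpeed; the function name `protect_writable_dirs` and the document-root argument are assumptions, and the rule text is copied from the post.

```shell
#!/bin/sh
# Added example (not from the thread): write the post's deny rule into every
# world-writable directory under a document root. Meant for an hourly cron job.

# The rule text is the one quoted in the post.
htaccess_rule() {
    cat <<'EOF'
<Files ~ "^.*\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)">
    Order allow,deny
    Deny from all
</Files>
EOF
}

# protect_writable_dirs DOCROOT  (hypothetical name)
# Prints each directory whose .htaccess was written or repaired.
protect_writable_dirs() {
    docroot=$1
    nl='
'
    [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 1; }
    # Prune names containing a newline so a crafted name cannot inject a path;
    # -perm -0002 selects directories with the "other write" bit set.
    find "$docroot" -name "*${nl}*" -prune -o -type d -perm -0002 -print |
    while IFS= read -r dir; do
        target=$dir/.htaccess
        # Never write through a symlink planted where anyone can write.
        if [ -L "$target" ]; then rm -f -- "$target"; fi
        if [ -e "$target" ] && [ ! -f "$target" ]; then
            echo "skipped, not a regular file: $target" >&2
            continue
        fi
        # Leave the file alone when it already holds exactly this rule.
        if [ -f "$target" ] && htaccess_rule | cmp -s - "$target"; then
            continue
        fi
        # mktemp creates the temp file exclusively; rename replaces the target.
        tmp=$(mktemp "$dir/.htaccess.XXXXXX") || continue
        htaccess_rule > "$tmp"
        chmod 0644 "$tmp"
        mv -f -- "$tmp" "$target"
        printf '%s\n' "$dir"
    done
}

# Cron usage: sh this-script /path/to/docroot
if [ "$#" -gt 0 ]; then protect_writable_dirs "$1"; fi
```

Any account that can write to such a directory can also delete or replace the file, which is why the job rewrites it whenever the content differs.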
 