mailing list archives
Securing apache+php for virtual hosts - best practices (longer)
From: Honza Vlach <janus () volny cz>
Date: Thu, 11 Nov 2004 20:33:15 +0100
I'm responsible for running and administering apache web server that
serves dynamic content using php, and I'm wondering what are the best
practices of securing it.
Basically, I can't trust my users and even the scripts they write, so I
would like to limit damage that a successful break-in could do.
Users don't have shell and I use rssh for file management. Each user is
locked in own chroot jail and this jail is webroot for that virtualhost.
The problem is, that I don't know what kind of software they would like
to run (bbs board, photo gallery etc.), so safe_mode limiting as per user
is not applicable, because most users need file uploads, create
directories from scripts etc.
I still need to lock them down in their own webroot, so they can't access
each other files.
1. set in php open_basedir = their_webroot:/usr/lib/php (PEAR modules)
for each virtualhost using php_admin_value open_basedir directive in
2. I'm not showing them script errors and I'm logging them instead ( good
luck with debugging :) )
3. set enable_dl = Off
4. set allow_url_fopen = No
5. After spending couple of hours reading php manual I compiled this
disabled_functions list in php.ini:
shell_exec, exec, system, escapeshellarg, escapeshellcmd, passthru, proc_close, proc_open, proc_get_status, proc_nice,
proc_terminate, shell_exec, phpinfo, dl, popen, pclose, chown, disk_free_space,
disk_total_space, diskfreespace, fileinode, max_execution_time, set_time_limit(),highlight_file(), show_source()
Does this sound as reasonable setup, or am I smoking crack here? I would like to
achieve safe_mode-like security with as low impact on functionality as
possible. (Yeah, tell me how contradictory this is :o) )
What are your experiences? Did I miss something?
Thanks and have a nice day/night.
-----BEGIN GEEK CODE BLOCK-----
GIT/CS d- s: a-- C++++$ ULS++++$ P L+++ E--- W- N+ o? K? w-->--- O? M->+ V? PS PE Y++ PGP+++ !t 5? X++ R tv-- b++ DI+
D++ G+>+++ e h--- r++ y?
------END GEEK CODE BLOCK------
() ascii ribbon campaign - against html mail
/\ - against microsoft attachments
- Securing apache+php for virtual hosts - best practices (longer) Honza Vlach (Nov 11)