Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Securing apache+php for virtual hosts - best practices (longer)
From: Honza Vlach <janus () volny cz>
Date: Thu, 11 Nov 2004 20:33:15 +0100

I'm responsible for running and administering apache web server that
serves dynamic content using php, and I'm wondering what are the best
practices of securing it.

Basically, I can't trust my users and even the scripts they write, so I
would like to limit damage that a successful break-in could do.

Users don't have shell and I use rssh for file management. Each user is
locked in own chroot jail and this jail is webroot for that virtualhost.
The problem is, that I don't know what kind of software they would like
to run (bbs board, photo gallery etc.), so safe_mode limiting as per user
is not applicable, because most users need file uploads, create
directories from scripts etc.
I still need to lock them down in their own webroot, so they can't access
each other files. 

I did:
1. set in php open_basedir = their_webroot:/usr/lib/php (PEAR modules)
for each virtualhost using php_admin_value open_basedir directive in
2. I'm not showing them script errors and I'm logging them instead ( good
luck with debugging :) ) 
3. set enable_dl = Off
4. set allow_url_fopen = No
5. After spending couple of hours reading php manual I compiled this
disabled_functions list in php.ini:
shell_exec, exec, system, escapeshellarg, escapeshellcmd, passthru, proc_close, proc_open, proc_get_status, proc_nice, 
proc_terminate, shell_exec, phpinfo, dl, popen, pclose, chown, disk_free_space,
disk_total_space, diskfreespace, fileinode, max_execution_time, set_time_limit(),highlight_file(), show_source()

Does this sound as reasonable setup, or am I smoking crack here? I would like to
achieve safe_mode-like security with as low impact on functionality as
possible. (Yeah, tell me how contradictory this is :o) ) 

What are your experiences? Did I miss something?
Thanks and have a nice day/night.

Honza Vlach

Version: 3.12
GIT/CS d- s: a-- C++++$ ULS++++$ P L+++ E--- W- N+ o? K? w-->--- O? M->+ V? PS PE Y++ PGP+++ !t 5? X++ R tv-- b++ DI+ 
D++ G+>+++ e h--- r++ y?
()  ascii ribbon campaign - against html mail 
/\                        - against microsoft attachments

Attachment: _bin

  By Date           By Thread  

Current thread:
  • Securing apache+php for virtual hosts - best practices (longer) Honza Vlach (Nov 11)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]