securing PHP (again...)

the only real solution i knew - phpsuexec - has 'failed': http://www.webhostingtalk.com/showth...hreadid=277603

what can we discuss about safemode, open_basedir and disabling functions?

that will be a long post... i'll start with facts and targets...

fact: php applications will run as user 'nobody'
target: our main target is to restrict it so that it can't do anything a perl script can't do (we may restrict it even more, but it must be something suitable for users)

in target, we include:
- not be able to read other users dir
- one that i find most important: not being able to use SUEXEC to "log in" as ANOTHER user and do ANYTHING this user can do


if you get the script sprintserve posted here: http://www.webhostingtalk.com/showth...hreadid=275940 you'll notice that if you're not using restrictions, you will be allowed to execute commands as any user!

ok... so let's start with other facts (i'll assume all these methods do exactly what they say they do and don't have security problems):

phpsuexec
is a very good solution IMO, but as I already said, that's not a good option... my server load went from 0.4 to 7.0 after I started using PHP as CGI and not as an apache module

php_basedir
prevents users from opening files outside of their home directory with php (from WHM help)

i don't know exactly how php_basedir does that... maybe limiting functions like "open" (does anyone know?), but it DOES NOT limit, for example:
<?php passthru("ls /home/other_user/www/"); ?>

disable functions
IF (i don't know) php_basedir does its job correctly, preventing any php built-in function from reading/accessing things outside a certain directory, all we'd need to do now to have a secure php would be to secure the php exec functions (PS: ALL of them... it won't be secure if you disable all except one)

discussion: php_basedir + exec functions disabled would probably be a good combination and would really restrict users from reading other users' directories and from using SUEXEC to change their username
the problem: disabling ALL exec functions will cause some scripts to stop working

safemode
since it does everything that disable_functions + php_basedir does (but it limits based on user of the file, and not dir AFAIK), the discussion and problem above applies here too.


real security
i have an idea for what I call real security:
php with php_basedir AND suexec for exec functions

i don't know if it's possible (nor how to do that), but that would probably be a real solution.
php could still be run as an apache module, but if a php script has any "exec" call, php should use the owner of the .php file (with some checks like "it can't be root") to execute this call

does anyone know of some patch that does that? or if it's really possible/suitable to do that?

i'm tired of writing now and you're probably tired of reading
i'll add more comments as you comment on that too

i hope we can lead to a nice way to secure php, without breaking many applications (i'm really not happy with disabling all exec functions)
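An added example, my own and not from the thread, that checks from inside PHP whether the combination discussed above (open_basedir plus disabling every exec-capable function) is actually in force on a given server; the function list is my assumption and should be extended for the PHP version in use:

```php
<?php
// Added hardening self-check, not from the original post.
// Run as the web user, e.g.:
//   php -d open_basedir=/home/user -d disable_functions=exec,passthru check.php

// Every built-in that can spawn a process. open_basedir does not restrict
// these, so without suexec the only control is disable_functions, and a
// single one left enabled makes disabling the others pointless.
// (Backticks map to shell_exec, so disabling shell_exec covers them too.)
$exec_functions = array(
    'exec', 'passthru', 'system', 'shell_exec',
    'popen', 'proc_open', 'pcntl_exec',
);

function hardening_report(array $exec_functions)
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $basedir  = (string) ini_get('open_basedir');
    $enabled  = array();
    foreach ($exec_functions as $fn) {
        // function_exists() is false for disabled functions; the ini list is
        // checked as well in case a function is missing from this build.
        if (function_exists($fn) && !in_array($fn, $disabled, true)) {
            $enabled[] = $fn;
        }
    }
    return array(
        'open_basedir'  => $basedir,
        'still_enabled' => $enabled,
        'secure'        => ($basedir !== '' && count($enabled) === 0),
    );
}

$r = hardening_report($exec_functions);
echo "open_basedir: ", ($r['open_basedir'] !== '' ? $r['open_basedir']
    : '(not set: file functions may read any path the web user can)'), "\n";
echo "exec-capable functions still enabled: ",
    (count($r['still_enabled']) ? implode(', ', $r['still_enabled']) : 'none'), "\n";
echo "php_basedir + disable_functions combination in force: ",
    ($r['secure'] ? 'yes' : 'NO'), "\n";
```

Note that a "yes" only shows that this PHP configuration is applied; it says nothing about the suexec-as-any-user problem from the linked script, which this check cannot see.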
