[X-Unix] Shared hosting with apache and php, security concerns

Albert Lunde atlunde at panix.com
Thu Mar 18 05:25:43 PST 2004


I don't think the problem of allowing shared hosting of PHP users
is as much of a solved problem as you wish it were. PHP
has been so much about making things "easy" to do that
security has been underdeveloped.

I think allowing users of an Apache server to serve up
perl or PHP code that hasn't been independently security-
audited within an inch of its life, by very paranoid people,
is a big risk.

chroot and suexec are semi-independent options, you might
consider both, as well as making the global php and apache
security settings as paranoid as you can.

You can (in theory) chroot the entire directory containing
the Apache server while starting up Apache, then use suexec
to provide some isolation between users' scripts.

OpenBSD, which is designed for security, has been chroot-ing
httpd for some time now, so you may find more articles there.

FreeBSD has a facility called "jail" which is a stronger
"chroot". But I don't think OSX has inherited it, despite
the fact that most of the Darwin environment above the
kernel derives from FreeBSD.

The general idea of chroot is the same across Unix/Linux
flavors. What is OS-specific and sometimes program-specific is
the recipe of libraries, files, and device nodes needed
inside a chroot directory to make software work in a
useful way.

There are ways a program can break out of or abuse a chroot
environment; some of those are OS-specific too.

As others have pointed out, the various files apache scripts
read don't need to be, strictly speaking, world-readable, just 
readable by the process that uses them.

I don't think it is a great idea to make them owned by the process
running the script. I prefer that scripts themselves be unwritable.
But with traditional Unix user/group/other permissions
you run out of degrees of freedom pretty fast. Suexec is one
security scheme that tries to live within that model.

On Solaris, Linux, and FreeBSD there are filesystem ACLs that give
more options, but I'm not sure if that can be made to apply
to OSX.

Some suggestions for further reading:
http://perl.apache.org/docs/offsite/other.html
http://www.bpfh.net/simes/computing/chroot-break.html
http://www.openbsd.org/faq/faq10.html#httpdchroot

google various combinations of apache,php,perl and chroot.

(A lot that applies to perl transfers to PHP too.)
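A small audit script in the spirit of the permission advice above (an added example, not part of the original post): it flags scripts that are writable by group or other, which suexec refuses to run anyway, and config files that are world-readable. The directory layout, file names and config-file globs are constructed for this example.

```shell
#!/bin/sh
# Audit a user's web directory for the two permission mistakes discussed
# in the post: scripts writable by the web process or by group/other, and
# include/config files readable by everyone. Globs and sample tree are
# constructed assumptions, not from the original post.

# Print one line per file that is writable by group or other
# (suexec's own precondition is that neither the script nor its
# directory may be group/other writable).
find_writable() {
    find "$1" -type f \( -perm -g=w -o -perm -o=w \)
}

# Print one line per config/include file that is world-readable.
find_world_readable_configs() {
    find "$1" -type f \( -name '*.inc' -o -name 'config*.php' \) -perm -o=r
}

# Count problems; exit status 0 when the tree is clean, 1 otherwise.
audit_tree() {
    w=$(find_writable "$1" | wc -l | tr -d ' ')
    r=$(find_world_readable_configs "$1" | wc -l | tr -d ' ')
    [ $((w + r)) -eq 0 ]
}

# Build a constructed sample tree with one of each mistake and print its path.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/cgi-bin"
    printf '<?php echo 1;'  > "$d/index.php";     chmod 0644 "$d/index.php"
    printf '<?php $pw="x";' > "$d/config.php";    chmod 0644 "$d/config.php"    # world-readable secret
    printf '#!/bin/sh\n'    > "$d/cgi-bin/a.cgi"; chmod 0775 "$d/cgi-bin/a.cgi" # group-writable script
    echo "$d"
}

# Usage: sh audit.sh /path/to/user/public_html
if [ "$#" -gt 0 ]; then
    if audit_tree "$1"; then echo "clean: $1"; else echo "problems found in $1"; fi
fi
```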