[X-Unix] Shared hosting with apache and php, security concerns

Eugene Lee list-themacintoshguy at fsck.net
Thu Mar 18 01:33:23 PST 2004


On Wed, Mar 17, 2004 at 10:26:55PM -0800, Scott Haneda wrote:
: 
: Currently I am hosting a few sites on an OS X Client box, running apache and
: php, I will not be moving to apache 2 anytime soon.  From what I can gather,
: any file that needs to be served on the web needs to be world readable for
: apache to be able to send the page out to the visitor.

Incorrect.  Files (and directories) to be served by Apache need to be
readable by the Apache process.  For example, if you configure Apache to
run as user "www" and group "www", then served content must be readable
by either the user "www" or anyone within the group "www".

In a shared web server, a typical method is to make all users' web
directories group-readable by Apache, but also disallow all world privs.
Doing this keeps users from accessing each other's web content.

: World readable files
: are of course, readable by anyone.  This is fine in the case of html files,
: but when you get to server parsed files, such as those in php, there can be
: sensitive data in them.

Depends.  See below.

: I guess the first thing is I need to hope that php does not ever die, if it
: were, raw code would be sent out to the browser, and in that raw code could
: be for example, connection data to a database.  I can also instruct users to
: secure the include files elsewhere, so they will not see those sensitive
: files in the event php were to fail.

Actually, the only way for PHP to die is for the mod_php to crash in an
unexpected way or for Apache to crash.  Either way, the chances of the
PHP source code getting revealed is almost impossible (if the latter, it
*is* impossible).

: The trouble I am having is I am able to read outside the current directory
: and traverse the entire file system with php using its abilities to read
: files.  I can not read files that apache does not have permission to read,
: but those that it does, I can.  For example, if I were to create a php file
: reading tool and tell it to go up one directory from my directory that holds
: all my web files, I would be in my root folder, up one more, and I would see
: a list of directories that were named the domain names of many other sites I
: am serving, if I were to jump into one of those sites and look around, I
: could locate say, some file called conf.incl.php and in that I would see
: some connection data to a database, from there, I could delete data from the
: database.

If you set the User/Group properly as described above, then Apache will
not have access to these parent directories.

: How do you prevent this?  I am sure since there are so many
: cheapPHPhosting.com type sites out there, this is either a problem they all
: have, or one they have figured out how to fix.

You can also try setting the PHP variable "open_basedir" on a per-vhost
basis.  A more secure solution is to set up a proper chroot'ed world per
user, but that's a bit of a pain.

: What tradeoffs in inconvenience will I have to live with to offer shared
: hosting in a secure way?

This is a PHP issue, not an OS X issue.  You might try looking at the
official PHP docs in the security section, especially the user notes.

	http://www.php.net/manual/en/security.index.php


-- 
Eugene Lee
http://www.coxar.pwp.blueyonder.co.uk/
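
The permission layout described in the reply above (content readable by Apache's group, no world privileges), as an added example that is not part of the original message. The function names and directory layout are hypothetical; the group name "www" follows the message's own example.

```shell
#!/bin/sh
# Added example (not from the original message). The group name "www" follows
# the message's own example; the directory layout is an assumption.

# Print everything under $1 that grants any permission to "other" (world).
# Symlinks are skipped because their own mode bits are not enforced.
find_world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Make a user's web directory readable by the Apache group and by nobody else.
#   $1 = web directory
#   $2 = Apache's group, e.g. www (optional; chgrp needs sufficient privilege)
lock_webroot() {
    if [ -n "${2:-}" ]; then
        chgrp -R "$2" "$1" || return 1
    fi
    # o-rwx: drop all world access; g+rX: group may read files and enter dirs.
    chmod -R o-rwx,g+rX "$1"
}

# Stand-alone use: ./audit.sh /path/to/webroots   (report only, changes nothing)
if [ "$#" -ge 1 ]; then
    find_world_accessible "$1"
fi
```

Run the report first and review it before calling `lock_webroot`, since anything that relied on world-readable files outside Apache's group will lose access.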