On Thu, Sep 28, 2006 at 10:55:30AM +0200, Aiko Barz wrote:
> Hi *,
>
> I use OpenBSD+Apache+Chroot for my webservices. The users can access
> their vhosts by using scponly, which is chrooted into /var/www as
> well.
> /htdocs/www.example.net belongs to theuser:www and has the
> permissions rwxr-x---.
>
> The issue: If my users start to install a php-Filebrowser, they are
> able to access the other Webdirectories and could read config.php,
> because they are doing it with the permissions of the webserver.
> Write access would be possible as well, since some parts need to have
> write access.
>
> I started to patch suExec to make it handle *.php and to make it
> chroot-ready, but I wasn't successful so far. suPHP seems to have
> issues with 1.3.29 and ordering new IP-addressese for having multible
> webserver intances seems to be difficult.
As Henning pointed out, PHP's open_basedir and friends can be useful,
although I would caution against believing they will actually work -
many problems have been discovered that would allow an attacker to
bypass open_basedir and uid/gid checks.
Notably, assuming one can put passwords and such in config.php is
probably not a good idea (Apache allows setting php_flags for this,
which can be made to be secure). It might be enough to keep people out
of each others' directories, though.
suExec + PHP is not feasible for many people, due to the high webserver
load incurred; suPHP may be less problematic, or not.
For now, I'm just running a dedicated server, so I've not yet
encountered this problem personally.
Joachim
