From owner-freebsd-security@FreeBSD.ORG Sun Feb 25 10:26:10 2007
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 5BFD316A403;
	Sun, 25 Feb 2007 10:26:10 +0000 (UTC)
	(envelope-from 000.fbsd@quip.cz)
Received: from home.quip.cz (grimm.quip.cz [213.220.192.218])
	by mx1.freebsd.org (Postfix) with ESMTP id 1749413C49D;
	Sun, 25 Feb 2007 10:26:09 +0000 (UTC)
	(envelope-from 000.fbsd@quip.cz)
Received: from [192.168.1.2] (qwork.quip.test [192.168.1.2])
	by home.quip.cz (Postfix) with ESMTP id 163F962F7;
	Sun, 25 Feb 2007 11:06:42 +0100 (CET)
Message-ID: <45E15FB1.90906@quip.cz>
Date: Sun, 25 Feb 2007 11:06:41 +0100
From: Miroslav Lachman <000.fbsd@quip.cz>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915
X-Accept-Language: cz, cs, en, en-us
MIME-Version: 1.0
To: idiotbg@gmail.com
References: <20070221131421.1709206a.stas@FreeBSD.org>
	<20070221183154.GA14590@zone3000.net>
	<200702212218.19806.idiotbg@gmail.com>
In-Reply-To: <200702212218.19806.idiotbg@gmail.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Stanislav Sedov, Alexis Susset, freebsd-security@freebsd.org
Subject: Re: Secure shared web hosting using MAC Framework
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Sun, 25 Feb 2007 10:26:10 -0000

Momchil Ivanov wrote:

[...]
>>>
>>>>- Web users and executed web scripts shouldn't be able to read other
>>>>users data
>>>>  Solution:
>>>>    run suPHP for php scripts as well as suEXEC for cgi-scripts
>>>>    implement ufs_acl so that the www (Web Server) user can access any
>>>>user directory
>>>>    Add a ufs_acl to the Web users home directory which says:
>>>>    read-write-exec only from $owner and www
>>>>    Those rights should have priority on any traditional unix file
>>>>system rights.
>>>
>>>I believe the suphp will be an amazingly slow solution as it executes
>>>php executable on each request, IIRC. Thus, the speed will not be
>>>faster than php in cgi.
>>
>>But is there any way to disable related php functions? is there any well
>>defined configuration examples for mod_php?
>
>
> Is this what you are looking for:
> http://www.php.net/manual/en/features.safe-mode.php
>
>
> disable_functions string
>
> This directive allows you to disable certain functions for security reasons.
> It takes on a comma-delimited list of function names. disable_functions is
> not affected by Safe Mode.
>
> This directive must be set in php.ini. For example, you cannot set this in
> httpd.conf.
> disable_classes string
>
> This directive allows you to disable certain classes for security reasons. It
> takes on a comma-delimited list of class names. disable_classes is not
> affected by Safe Mode.
>
> This directive must be set in php.ini. For example, you cannot set this in
> httpd.conf.
>
[...]

There is a PHP extension for better security called Suhosin. After
installation of this extension you have better control of what you want
to disable, or enable.
http://www.hardened-php.net/suhosin/configuration.html

The author of this extension was a developer on the PHP security team.

Miroslav Lachman
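
An added example, not part of the original message: a Python check for the point in the quoted manual text that disable_functions and disable_classes only take effect in php.ini, so a per-vhost attempt in httpd.conf leaves the functions enabled. The baseline function list, the sample file contents and all function names below are assumptions made for illustration.

```python
import re

# Assumed baseline of PHP process-execution functions to disable on a shared
# host; chosen for this example, not taken from the thread.
BASELINE = {"exec", "system", "passthru", "shell_exec", "popen", "proc_open"}

def disabled_functions(php_ini_text):
    """Return the names from the last disable_functions line in php.ini text."""
    names = set()
    for line in php_ini_text.splitlines():
        line = line.split(";", 1)[0].strip()          # strip php.ini comments
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:                                         # a later line overrides
            value = m.group(1).strip().strip('"')
            names = {n.strip().lower() for n in value.split(",") if n.strip()}
    return names

def ineffective_apache_lines(httpd_conf_text):
    """List (line number, text) of php_value/php_admin_value lines that try to
    set disable_functions or disable_classes outside php.ini."""
    pat = re.compile(
        r"^\s*php_(?:admin_)?value\s+(?:disable_functions|disable_classes)\b",
        re.IGNORECASE)
    return [(i, line.strip())
            for i, line in enumerate(httpd_conf_text.splitlines(), 1)
            if pat.match(line)]

def audit(php_ini_text, httpd_conf_text):
    """Report baseline functions still enabled and misplaced Apache lines."""
    return {"missing": sorted(BASELINE - disabled_functions(php_ini_text)),
            "ineffective": ineffective_apache_lines(httpd_conf_text)}

# Constructed sample inputs (not from any real host).
SAMPLE_PHP_INI = """\
; constructed sample
safe_mode = Off
disable_functions = exec, system,passthru   ; partial list
"""
SAMPLE_HTTPD_CONF = """\
# constructed sample
<VirtualHost *:80>
    ServerName customer.example
    php_admin_value open_basedir /home/customer
    php_admin_value disable_functions "shell_exec,popen,proc_open"
</VirtualHost>
"""

if __name__ == "__main__":
    print(audit(SAMPLE_PHP_INI, SAMPLE_HTTPD_CONF))
```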