From owner-freebsd-isp@FreeBSD.ORG Tue Jul 29 10:58:38 2003
Date: Tue, 29 Jul 2003 18:58:26 +0100
From: Jez Hancock
To: FreeBSD ISP List
Subject: Re: Virtual Hosting Security
Message-ID: <20030729175826.GB68275@users.munk.nu>
In-Reply-To: <007d01c355f4$8e54a900$6b026b83@marco>
References: <007d01c355f4$8e54a900$6b026b83@marco>
User-Agent: Mutt/1.4.1i
List-Id: Internet Services Providers

On Tue, Jul 29, 2003 at 06:12:04PM +0100, Marco Gonçalves wrote:
> Dear ISP colleagues,
>
> The problem is that we offer php4 as mod_php4 for Apache, and even though we haven't had any problem (yet), in theory it is easy to set up a PHP script using filesystem functions to run, list and view the file contents of other users, because the script is running as the www user and this user has permission to enter/read all users' www directories. How can I fix this? Must I use suexec? Does it run properly? Do I have to put PHP as CGI only? What is the tradeoff in performance?
One way to stop users from snooping on other users whilst using mod_php4 is to use the Apache PHP directive open_basedir in each VirtualHost stub to 'lock' users' PHP scripts into their own DocumentRoot:

    ...
    php_admin_value open_basedir /home/user/documentroot

Unfortunately this still means that PHP scripts are executed by the Apache user, and so if PHP scripts send out emails and those emails bounce, the bounce is directed to your 'www' user instead of the user that owns the script. Similarly, if PHP scripts create files, they will be owned by the Apache user instead of the EUID of the owner of the script.

Right now we're experimenting with various PHP CGI wrappers so that PHP scripts are run with the EUID of the owner of the script. suPHP is one such PHP wrapper and has just been ported in /usr/ports/www/suphp - however there is a fundamental flaw in the port that allows scripts owned by root to be executed regardless of the MIN UID check - not good of course. If you know anything about C feel free to check it out :)

Other solutions are mod_suid, mod_become, sbox, suexec + php patch, ... any others?

> Other thing (maybe this should be in another email...): we are developing our own control panel, and for system passwords we are using a PHP script that uses poppassd on port 106, which does all the work. The problem is that I have to run poppassd from inetd, and this sucks, especially because it's the only service that I need inetd for... Can I run it from tcpserver? How? Where can I find good info on this (the documentation on DBernstein's site really sucks for a not so experienced sysadmin like me)? Is it safe (poppassd I mean)?

I know nothing about poppassd, but an alternative might be to check out the Cyrus authentication suite perhaps - particularly the pwcheck daemon, which doesn't need to be run via inetd.

-- 
Jez
http://www.munk.nu/
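A fuller version of the per-VirtualHost open_basedir lock-down discussed above, added here as an example and not taken from the thread or from any FreeBSD port; the hostnames, customer names and paths are assumptions:

```apache
# Added example (not from the thread): two customers on one mod_php4 server,
# each locked to its own tree. Hostnames, user names and paths are assumed.

# Weak form: open_basedir is a PREFIX match. Without a trailing slash,
# "/home/alice" also matches "/home/alice2" and "/home/alicebackup",
# so a neighbour's tree stays readable.
#   php_admin_value open_basedir /home/alice

<VirtualHost *:80>
    ServerName   www.alice.example
    DocumentRoot /home/alice/public_html

    # Trailing slash turns the prefix match into a directory match.
    # php_admin_value (rather than php_value) cannot be overridden from a
    # customer's .htaccess file.
    php_admin_value open_basedir "/home/alice/public_html/:/home/alice/tmp/"

    # Session files and uploads default to /tmp, which every customer's
    # scripts share under the same www EUID; give each customer a private
    # scratch directory (it must be writable by the www user).
    php_admin_value session.save_path /home/alice/tmp
    php_admin_value upload_tmp_dir    /home/alice/tmp
</VirtualHost>

<VirtualHost *:80>
    ServerName   www.bob.example
    DocumentRoot /home/bob/public_html
    php_admin_value open_basedir "/home/bob/public_html/:/home/bob/tmp/"
    php_admin_value session.save_path /home/bob/tmp
    php_admin_value upload_tmp_dir    /home/bob/tmp
</VirtualHost>

# Note: this only fences PHP's file functions. Scripts still run as the
# Apache user, so files they create and mail they send are still attributed
# to www, which is the gap the CGI wrappers above are meant to close.
```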