Re: Deny Access To configuration file using php scripts

From: Anton Titov (a.titov_at_host.bg)
Date: 03/07/05

    Date: Mon, 07 Mar 2005 19:05:27 +0200
    To: focus-linux@securityfocus.com
    
    

    Sorry for wrong threading, but I can't find the first mail.

    On our servers, the problem of users reading someone else's files is
    solved this way:

    domain.com public_html directory is
    /www/domain.com/www/root (the second www is the subdomain's name)
    where /www/domain.com is user's home directory (I'm using mass hosting,
    but there will be not much difference if it is /home/domain)

    /www/domain.com has permissions 0710, which means the owner can do whatever
    he wants, and the group can enter this directory. The owner of this
    directory is domaincom - the system user of domain.com - and the group is
    "web" - Apache's group.

    PHP scripts are running in safe_mode, other CGIs are running through
    suexec. Clients who have problems with safe_mode can, with a simple
    .htaccess, switch to the CGI version of PHP, which is also suexec-ed as their
    system user.

    With this setup there is no way to read other users' files, unless there
    is a known PHP safe_mode exploit. My advice is not to compile many third
    party modules such as curl into mod_php, as they are known to have exploits
    once in a while. You can compile as many modules as you like into the CGI version.

    Safe_mode has one significant disadvantage - you cannot write to
    directories created by PHP. This was a big problem, because many free
    scripts rely on the ability to create directories (4images creates
    directories for every gallery, InvisionPowerBoard and phpBB create
    directories when you upload new skins/language packs and so on). To
    solve this problem I have written a small patch that addresses this
    issue (without compromise in security):
    http://www.titov.net/safemodepatch/

    Just want to mention that disabling functions is not a good approach.
    Once I've seen free hosting that was using this technique. I tried
    many functions to open files or execute commands and I got a "function
    disabled" message for all functions but "proc_open", which was
    introduced in 4.3.0 and is relatively new, and as this server was running
    a 2.2.x Linux kernel my guess is the setup was done quite a while ago. My
    point is that you will need to look very closely for new functions if you
    choose this approach.

    Using

    SetEnv DB_USER "myuser"
    SetEnv DB_PASS "mypass"

    and leaving other users the ability to read your files is not a good choice
    either. When you're using mod_php, the chances are that you'll have
    directories that are 0777, and anybody will be able to write to them and
    execute phpinfo(). The real solution is to make sure a user cannot enter
    other users' directories.

    Regards,
    Anton Titov
    Chief Technical Officer @ Host.bg

    Mohammed Salih wrote:

    >Does it show up if someone uses phpinfo() or something which can
    >print the environment variables?
    >
    >administrator@bluephyre.ca wrote:
    >
    >>I'm late joining this thread, so I apologize if someone has already
    >>suggested this, but try putting this in the VirtualHost configuration
    >>file:
    >>
    >>SetEnv DB_USER "myuser"
    >>SetEnv DB_PASS "mypass"
    >>
    >>Now you can use $_SERVER['DB_USER'] and $_SERVER['DB_PASS'] in
    >>your code. This way the values are available to your virtual host only,
    >>and presumably your httpd.conf file is only readable by root.
    >>
    >>CSH
    >>
    >>>
    >>>>-----Original Message-----
    >>>>From: Suramya Tomar [mailto:security@suramya.com]
    >>>>Sent: Wednesday, 2 March 2005 9:59 AM
    >>>>To: raT
    >>>>Cc: focus-linux@securityfocus.com
    >>>>Subject: Re: Deny Access To configuration file using php scripts
    >>>>
    >>>>Hi,
    >>>>
    >>>>
    >>>>
    >>>>
    >>>>
    >>>>>Hello, I have a web server and I have a major problem:
    >>>>>some of my users are trying to find my pass for my mysql database.
    >>>>>
    >>>>>
    >>>>>
    >>>>>
    >>>>My first suggestion would be to warn these users that this is not
    >>>>allowed and ban them from the system if they persist.
    >>>>
    >>>>
    >>>>
    >>>>
    >>>>
    >>>>>the first thing they do is a
    >>>>>system ('cat /var/www/path to config file');
    >>>>>inside a php script
    >>>>>
    >>>>>
    >>>>>
    >>>>>
    >>>>There are a couple of things you can try. First, you can use Apache
    >>>>directives to deny access to the file. To do that add the
    >>>>following text
    >>>>to the httpd.conf file:
    >>>>
    >>>><Files ~ "\.inc$">
    >>>> Order allow,deny
    >>>> Deny from all
    >>>></Files>
    >>>>
    >>>>
    >>>>
    >>>>
    >>>While that may stop the web-server from serving the files up, it would
    >>>not stop a php script from accessing the files.
    >>>
    >>>I'm not sure that this can easily be solved. If the file needs to be
    >>>readable by apache, then it can also be read by any other process
    >>>running as the same user as apache, which would be every php script.
    >>>
    >>>If you are using virtual hosts, then you may be able to solve the
    >>>problem using Apache's per-user virtual-host configuration. This allows
    >>>scripts to run as someone other than 'nobody' (or whoever apache is
    >>>running as).
    >>>
    >>>
    >>>
    >>>
    >>>
    >>>>This would prevent all files with the .inc extension from
    >>>>being viewed
    >>>>via the web.
    >>>>
    >>>>The second thing I would suggest is to disable access to the system()
    >>>>
    >>>>
    >>>>
    >>>>
    >>>They could also use functions like fopen(), require(), include(), etc to
    >>>read the files.
    >>>
    >>>
    >>>
    >>>
    >>>
    >>>>function unless you really really need it. You can do that in the
    >>>>php.ini file by using the disable_functions directive. It
    >>>>allows you to
    >>>>define a comma-delimited list of functions to be disabled within PHP.
    >>>>(http://www.onlamp.com/pub/a/php/2001/02/15/php_admin.html)
    >>>>
    >>>>Hope this helps.
    >>>>
    >>>>- Suramya
    >>>>
    >>>>--
    >>>>----------------------------------------------------------
    >>>>Some days you're the dog; some days you're the hydrant.
    >>>>----------------------------------------------------------
    >>>>Name : Suramya Tomar
    >>>>Homepage URL: http://www.suramya.com
    >>>>-------------------------------------------------
    >>>>
    >>>>************************************************************
    >>>>Disclaimer:
    >>>>Any errors in spelling, tact, or fact are transmission errors.
    >>>>************************************************************
    >>>>
    >
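
An audit of the layout Anton Titov's message describes (home directories set to 0710 with Apache's group, and no 0777 directories inside them), as an added example that is not part of the original thread. The function names and the assumption that every home directory sits directly under one root such as /www are illustrative.

```shell
#!/bin/sh
# Added example (not from the original message): audit a mass-hosting tree
# for the layout described above. Assumption: each customer's home directory
# sits directly under one root (e.g. /www) and Apache's group is passed in.

# home_ok DIR GROUP: true only if DIR is a directory with mode exactly 0710
# and group GROUP, so the owner has full access, the web server's group can
# traverse it, and every other user is stopped at the top level.
home_ok() {
    [ -n "$(find "$1" -prune -type d -perm 0710 -group "$2" -print)" ]
}

# world_writable DIR: print every directory at or below DIR that any local
# user can write to (the 0777 directories the message warns about).
world_writable() {
    find "$1" -type d -perm -0002 -print
}

# audit_homes ROOT GROUP: print one finding per line; return 1 if any exist.
audit_homes() {
    findings=$(
        for home in "$1"/*/; do
            [ -d "$home" ] || continue
            home=${home%/}
            home_ok "$home" "$2" || echo "BAD_HOME $home"
            world_writable "$home" | sed 's/^/WORLD_WRITABLE /'
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run as: sh audit.sh /www web   (does nothing when no arguments are given)
if [ "$#" -ge 2 ]; then
    audit_homes "$1" "$2"
fi
```

A BAD_HOME line means other local users can enter or list that home directory (or its group is not the web server's); a WORLD_WRITABLE line marks a directory where any account can drop a script.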

