Re: web server security

2021-06-10 Thread Stuart Henderson 
On 2021-06-10, Gustavo Rios  wrote:
> Hi folks!
>
> I am planning a web serve using openbsd as the os and using php. My
> question is: how to avoid any given user from implement an php script that
> will read some else file, since everything will run as the web server user
> and group ?
>
> thanks a lot.
>

The PHP scripts don't need to run as the same user and group. Use different
application pools in php-fpm.conf listening on different sockets, and have
the web server use the relevant socket for the website. You can even chroot
them separately if you think that will help.

e.g.

---
[global]
error_log = syslog
syslog.facility = daemon
log_level = notice

[user1]
user = user1
group = user1
listen = /var/www/run/php-fpm.user1.sock
pm = ondemand
pm.max_children = 20
pm.process_idle_timeout = 30s
chroot = /var/www

[user2]
user = user2
group = user2
listen = /var/www/run/php-fpm.user2.sock
pm = ondemand
pm.max_children = 20
pm.process_idle_timeout = 30s
chroot = /var/www
---

Quick warning to head off a possible problem you might run into in the
future though; you will need to make sure that the web server (not the
PHP interpreter) has read access to those files which _it_ needs (e.g.
static content). One way to do that is to add the www user to the
group for each user account (e.g. user1:*:1001:www, user2:*:1002:www,
in /etc/group). That works nicely for small setups but you will run
into a wall after a while because on OpenBSD a user account can only
be a member of up to 16 supplemental groups. (There are other ways
to handle this e.g. running multiple web server processes, but with
a bunch more complication).

Re: web server security

2021-06-10 Thread Michael Hekeler 
Am 10.06.21 01:16 schrieb Gustavo Rios:
> Hi folks!
> 
> I am planning a web serve using openbsd as the os and using php. My
> question is: how to avoid any given user from implement an php script that
> will read some else file, since everything will run as the web server user
> and group ?

If your requirements are really to run everything as the same user
then it's not possible to forbid this user from reading files
created by someone else that has same uid.
Same uid means "same person". This means your webserver expects person A
to be the owner of files created by person B.

If you want to separate ownership of files then you have to create
different users and restrict php from reading directories that it shouldn't.

Another advice for 'web server security' is to don't give untrusted
users shell access or any write access to your system so you won't have to deal
with someone "implementing a script that will read someone else files"... ;-)

web server security

2021-06-09 Thread Gustavo Rios 
Hi folks!

I am planning a web serve using openbsd as the os and using php. My
question is: how to avoid any given user from implement an php script that
will read some else file, since everything will run as the web server user
and group ?

thanks a lot.

-- 
The lion and the tiger may be more powerful, but the wolves do not perform
in the circus