Re: [ubuntu-uk] PHP security

2010-06-16 Thread Chris Rowson
>> Please feel free to point out any errors etc. I might work this into a
>> how to and publish it on the 'tinterweb (of course giving proper
>> attribution to folk such as Tyler) as instructions on how to do this
>> seem to be spread across quite a few sites.
>
> I'm glad you solved it, Chris! Congratulations. No attribution is needed, as I
> did the same thing you did - Google and experiment until it worked. Today, we
> call that "engineering". :)
>
> Regards,
> Tyler

Ha, I guess so! Thanks again,

Chris

-- 
ubuntu-uk@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk
https://wiki.ubuntu.com/UKTeam/


Re: [ubuntu-uk] PHP security

2010-06-15 Thread Tyler J. Wagner
On Tuesday 15 June 2010 21:04:38 Chris Rowson wrote:
> Please feel free to point out any errors etc. I might work this into a
> how to and publish it on the 'tinterweb (of course giving proper
> attribution to folk such as Tyler) as instructions on how to do this
> seem to be spread across quite a few sites.

I'm glad you solved it, Chris! Congratulations. No attribution is needed, as I 
did the same thing you did - Google and experiment until it worked. Today, we 
call that "engineering". :)

Regards,
Tyler

-- 
"In a time of universal deceit, telling the truth is a revolutionary act."
   -- George Orwell



Re: [ubuntu-uk] PHP security

2010-06-15 Thread Chris Rowson
>>> Here's my current level of understanding! If anyone can fill in
>>> the gaps (or correct me if I'm wrong) I'd be really grateful.
>>
>> (snipped for brevity)
>>
>> Your stated understanding is correct, as far as I know it.
>>
>>> What I'm still hazy on is this:
>>>
>>> cgi is slower than fastcgi because it (a bit like prefork MPM) has one
>>> process per thread (whereas fastcgi can service multiple requests with
>>> one process).
>>>
>>> However.. we want each virtual host to have its own waiting
>>> fastcgi process (to separate out script execution to enhance security)
>>> standing by to execute PHP scripts. How do we do that?
>>
>> That's easy. Again, webmin + virtualmin will set it up for each
>> domain/account pretty easily. But here are the packages you need:
>>
>> apache2-mpm-worker libapache2-mod-fcgid php5-cgi
>
> 
>
> I had a day off today so I spent it reading up on the topics in your
> previous email. Well worth it because I understand a little better how
> Apache and PHP work together. Sharing these practical examples has
> helped fit the pieces of the jigsaw together.
>
> Again, sincere thanks Tyler for taking the time to share your knowledge.

I managed to get a virtual server running apache2 with mpm-worker,
fastcgi, suexec and php5 using info from Tyler on this mailing list
and a little bit of good old Googling to fill in the blanks.

I had to diverge from adding the php handler in apache2.conf however
as it didn't seem to work in this configuration. Suexec prevented php
scripts from executing as the php binary wasn't under the web server's
document root. The wrapper script that's supposed to get around this
only seemed to work when the php handler information was put into the
virtual host's configuration file.

Please feel free to point out any errors etc. I might work this into a
how to and publish it on the 'tinterweb (of course giving proper
attribution to folk such as Tyler) as instructions on how to do this
seem to be spread across quite a few sites.

Chris

Instructions:

Install the prerequisites:

   apt-get install apache2-mpm-worker apache2 apache2-suexec libapache2-mod-fcgid php5-cgi

Enable suexec and fastcgi:

   a2enmod fcgid     # fastcgi is probably already enabled
   a2enmod suexec
   a2enmod rewrite   # we'll also need mod rewrite to rewrite urls

And as we're using fastcgi, disable standard cgi

   a2dismod cgid

And give Apache a restart

   /etc/init.d/apache2 restart


Setting up accounts

So first of all, we set up a user and group. We obviously don't want
the user to have access to the shell (so we set it to /bin/false) and
we also want his home directory to be in /var/www/domainname (which we
set with the -d option and -m makes the directory if it doesn't
exist). The following example creates a group called webuser, then
creates a user called webuser, adds it to the webuser group and creates
the home directory of test.yourdomain.com within the /var/www area. If
you want to double check that the account has been created properly
after you have done it, try cat /etc/passwd.

   groupadd webuser
   useradd -s /bin/false -d /var/www/test.yourdomain.com -m -g webuser webuser

And then create the document root and chown it to the webuser group and user

   mkdir -p /var/www/test.yourdomain.com/public_html
   chown webuser:webuser /var/www/test.yourdomain.com/public_html

Next create a cgi-bin for the site. This will contain a wrapper script
to call the php cgi binary which is located in /usr/bin/cgi-bin.
We can't call it directly because suexec won't allow us to call
anything outside of the document root. Neither will it allow symlinks.

   mkdir -p /var/www/test.yourdomain.com/cgi-bin
   chown webuser:webuser /var/www/test.yourdomain.com/cgi-bin

Now we can create the wrapper script mentioned above within our newly
created cgi-bin. Create a file within
/var/www/test.yourdomain.com/cgi-bin called php5.cgi and populate it
with the following data. The PHPRC line contains the directory where
the php.ini file is located.

   #!/bin/bash
   export PHPRC=/etc/php5/cgi
   umask 022
   export SCRIPT_FILENAME=$PATH_TRANSLATED
   exec /usr/bin/php-cgi

And make it executable

   chmod ug+x /var/www/test.yourdomain.com/cgi-bin/php5.cgi

So now that we have a user setup, and a web directory for that user to
use, we need to set up a site definition. This is done in
/etc/apache2/sites-available/. Within it, create a file with the same name
as your site (for instance test.yourdomain.com), and populate it with
the following data. The SuexecUserGroup command tells the server to
run fastcgi scripts under the user and group listed. You want this to
be the user and group you just created. To get the user id and group
id numbers for suexec try the id command followed by your web-user's
name (for instance id webuser).


 ServerName test.yourdomain.com
 DocumentRoot /var/www/test.yourdomain.com/public_html/
 ScriptAlias /cgi-bin/ /var/www/test.yourdomain.com/cgi-bin/
 A
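
Added example (not part of Chris's post or of the thread): a pre-flight check for the wrapper script that approximates the file-system conditions suexec enforces, including the two the post runs into (wrapper inside the document root, no symlinks) plus ownership and write-permission checks. The helper name `check_suexec_target` and its numeric-id arguments are assumptions of this example, and it relies on GNU `stat -c`.

```shell
#!/bin/bash
# Added example, not from the thread: pre-flight check for a suexec wrapper.
# It approximates suexec's file-system checks; suexec's own log is the authority.
#
# check_suexec_target WRAPPER UID GID DOCROOT   (hypothetical helper name)
#   WRAPPER  wrapper script, e.g. /var/www/test.yourdomain.com/cgi-bin/php5.cgi
#   UID GID  numeric ids, as in SuexecUserGroup "#1005" "#1005"
#   DOCROOT  suexec document root, e.g. /var/www
# Prints one FAIL line per problem; returns 0 only when none were found.
check_suexec_target() {
    local target=$1 uid=$2 gid=$3 docroot=$4
    local real_dir real_root path mode problems=0

    # A symlinked wrapper is rejected outright, so stop here.
    if [ -L "$target" ]; then
        echo "FAIL: $target is a symlink"
        return 1
    fi
    if [ ! -f "$target" ]; then
        echo "FAIL: $target is missing or not a regular file"
        return 1
    fi

    # Resolve both directories physically, then compare whole path components
    # so that /var/www.example is not mistaken for something under /var/www.
    real_dir=$(cd "$(dirname "$target")" && pwd -P) || return 1
    if ! real_root=$(cd "$docroot" && pwd -P); then
        echo "FAIL: cannot enter document root $docroot"
        return 1
    fi
    case "$real_dir/" in
        "$real_root"/*) ;;
        *) echo "FAIL: $real_dir is outside $real_root"
           problems=$((problems + 1)) ;;
    esac

    # Wrapper and its directory: owned by the target user and group, and not
    # writable by group or others.
    for path in "$real_dir" "$target"; do
        if [ "$(stat -c '%u:%g' "$path")" != "$uid:$gid" ]; then
            echo "FAIL: $path is not owned by $uid:$gid"
            problems=$((problems + 1))
        fi
        mode=$(stat -c '%a' "$path")
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL: $path (mode $mode) is writable by group or others"
            problems=$((problems + 1))
        fi
    done

    # The wrapper itself: no setuid/setgid bits, executable by its owner.
    if [ $(( 0$mode & 06000 )) -ne 0 ]; then
        echo "FAIL: $target has setuid or setgid set"
        problems=$((problems + 1))
    fi
    if [ $(( 0$mode & 0100 )) -eq 0 ]; then
        echo "FAIL: $target is not executable by its owner"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}
```

Get the numeric ids with `id webuser`, then run the function against each site's `cgi-bin/php5.cgi` before restarting Apache.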

Re: [ubuntu-uk] PHP security

2010-06-12 Thread Chris Rowson
On Sat, Jun 12, 2010 at 6:50 AM, Tyler J. Wagner wrote:
> On Friday 11 June 2010 23:17:07 Chris Rowson wrote:
>> >> That's easy. Again, webmin + virtualmin will set it up for each
>> >> domain/account pretty easily. But here are the packages you need:
>>
>> Also, unfortunately there's no Lucid installer yet for virtualmin. I
>> might have a look at what's involved in installing it from scratch.
>
> I don't use the scripted installer, just the deb. See here:
>
> http://www.webmin.com/vdownload.html
>
> http://download.webmin.com/download/virtualmin/webmin-virtual-server_3.79.gpl_all.deb
>
> However, I haven't tested it on lucid, just hardy and jaunty.
>
> Tyler
>

It looks like virtualmin might be a bit of a PITA to get working if
these forum posts are anything to go by
http://www.virtualmin.com/node/13787

Still, I'll take a look and see what's what.

Chris



Re: [ubuntu-uk] PHP security

2010-06-11 Thread Tyler J. Wagner
On Friday 11 June 2010 23:17:07 Chris Rowson wrote:
> >> That's easy. Again, webmin + virtualmin will set it up for each
> >> domain/account pretty easily. But here are the packages you need:
> 
> Also, unfortunately there's no Lucid installer yet for virtualmin. I
> might have a look at what's involved in installing it from scratch.

I don't use the scripted installer, just the deb. See here:

http://www.webmin.com/vdownload.html

http://download.webmin.com/download/virtualmin/webmin-virtual-server_3.79.gpl_all.deb

However, I haven't tested it on lucid, just hardy and jaunty.

Tyler

-- 
"Religion is a culture of faith; science is a culture of doubt."
   -- Richard Feynman



Re: [ubuntu-uk] PHP security

2010-06-11 Thread Chris Rowson
>> That's easy. Again, webmin + virtualmin will set it up for each
>> domain/account pretty easily. But here are the packages you need:

Also, unfortunately there's no Lucid installer yet for virtualmin. I
might have a look at what's involved in installing it from scratch.

Chris



Re: [ubuntu-uk] PHP security

2010-06-11 Thread Chris Rowson
>> Here's my current level of understanding! If anyone can fill in
>> the gaps (or correct me if I'm wrong) I'd be really grateful.
>
> (snipped for brevity)
>
> Your stated understanding is correct, as far as I know it.
>
>> What I'm still hazy on is this:
>>
>> cgi is slower than fastcgi because it (a bit like prefork MPM) has one
>> process per thread (whereas fastcgi can service multiple requests with
>> one process).
>>
>> However.. we want each virtual host to have its own waiting
>> fastcgi process (to separate out script execution to enhance security)
>> standing by to execute PHP scripts. How do we do that?
>
> That's easy. Again, webmin + virtualmin will set it up for each domain/account
> pretty easily. But here are the packages you need:
>
> apache2-mpm-worker libapache2-mod-fcgid php5-cgi



I had a day off today so I spent it reading up on the topics in your
previous email. Well worth it because I understand a little better how
Apache and PHP work together. Sharing these practical examples has
helped fit the pieces of the jigsaw together.

Again, sincere thanks Tyler for taking the time to share your knowledge.

Kind Regards,

Chris



Re: [ubuntu-uk] PHP security

2010-06-11 Thread Tyler J. Wagner
On Friday 11 June 2010 17:47:08 Chris Rowson wrote:
> Here's my current level of understanding! If anyone can fill in
> the gaps (or correct me if I'm wrong) I'd be really grateful.

(snipped for brevity)

Your stated understanding is correct, as far as I know it.

> What I'm still hazy on is this:
> 
> cgi is slower than fastcgi because it (a bit like prefork MPM) has one
> process per thread (whereas fastcgi can service multiple requests with
> one process).
> 
> However.. we want each virtual host to have its own waiting
> fastcgi process (to separate out script execution to enhance security)
> standing by to execute PHP scripts. How do we do that?

That's easy. Again, webmin + virtualmin will set it up for each domain/account 
pretty easily. But here are the packages you need:

apache2-mpm-worker libapache2-mod-fcgid php5-cgi

You can also use libapache2-mod-fastcgi, with slightly different settings. 
Enable the fcgid module. Then create a php handler in apache2.conf or a file in 
conf.d/, with:

AddType application/x-httpd-php .php

AddHandler fcgid-script .php
FCGIWrapper /usr/lib/cgi-bin/php5 .php
Options +ExecCGI



AddHandler fcgid-script .php
FCGIWrapper /usr/lib/cgi-bin/php5 .php
Options +ExecCGI FollowSymlinks Indexes


Then in each site's definition (/etc/apache2/sites-available/domainname):

ScriptAlias /cgi-bin/ /home/domainname/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
SuexecUserGroup "#1005" "#1005"

Where 1005 is the user and groupid of this domain's user. Finally, create an 
executable file  /home/domainname/cgi-bin/php5.cgi containing:

#!/bin/bash
export PHPRC=$PWD/../etc/php5
umask 022
export SCRIPT_FILENAME=$PATH_TRANSLATED
exec /usr/bin/php-cgi

This allows each user to have their own /home/domainname/etc/php5/php.ini and 
cgi-bin directory.  This is the virtualmin way. You could do it another way, 
but it works for me.

The attached samples are:

/etc/apache2/sites-available/domainname.conf
/etc/apache2/conf.d/local.conf
/home/domainname/cgi-bin/php5.cgi

I put this last file in my domain-user skel directory so new domain accounts 
get it.

Regards,
Tyler

-- 
"I have never killed a man, but I have read many obituaries with great
pleasure."
   -- Clarence Darrow

ServerName domainname.com
ServerAlias www.domainname.com
ServerAlias webmail.domainname.com
ServerAlias admin.domainname.com
Redirect / http://www.domainname.net/
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.domainname.com
RewriteRule ^(.*) http://domainname.com:2/ [R]
RewriteCond %{HTTP_HOST} =admin.domainname.com
RewriteRule ^(.*) https://domainname.com:1/ [R]

# 2008-08-04 tyler - basic settings
NameVirtualHost *:80
NameVirtualHost *:443

ServerTokens ProductOnly
ServerSignature Off
TraceEnable Off

# 2008-11-10 tyler - FastCGI + PHP settings
AddType application/x-httpd-php .php

AddHandler fcgid-script .php
FCGIWrapper /usr/lib/cgi-bin/php5 .php
Options +ExecCGI



AddHandler fcgid-script .php
FCGIWrapper /usr/lib/cgi-bin/php5 .php
Options +ExecCGI FollowSymlinks Indexes



php5.cgi
Description: application/shellscript


Re: [ubuntu-uk] PHP security

2010-06-11 Thread Chris Rowson
>>> I'm migrating a web server with a few sites from a CentOS based VPS
>>> with a DirectAdmin control panel to an Ubuntu Lucid server. I'm not
>>> incredibly bothered about losing the control panel, but I wondered if
>>> anyone had any advice on securing PHP scripts so that scripts owned by
>>> separate 'site owners' don't interfere with one another.
>>>
>>> I've looked at suPHP & ITK-MPM but as I've not used either before I'm
>>> not sure of the pros and cons.
>>>
>>> Anyone out there running this kind of setup with any advice to offer?
>>
>> If you intend to run more than one site from this server, you might consider
>> installing webmin and virtualmin. It'll make this easier.
>>
>> Install the "apache2-suexec" package if all web files are under /var/www and
>> if you want PHP scripts to run as the user (site owner). If your files will be
>> elsewhere, such as /home/domainname, install "apache2-suexec-custom" and
>> configure it for the appropriate root.
>>
>> You'll need to run PHP as cgi or fastcgi. That means no Apache PHP module,
>> and using the Apache worker or ITK MPM.
>>
>> Regards,
>> Tyler
>>
> Thanks again Tyler, I'm going to have to start paying you consultancy!
>
> I'll do some reading up on this. I've not really had to worry about
> random users hosing a server with a dodgy php script before so it's
> great to have somewhere to start!
>
> Chris
>

Here's my current level of understanding! If anyone can fill in
the gaps (or correct me if I'm wrong) I'd be really grateful.

I can implement PHP as a cgi module and add security by using either
suexec or suphp. suexec uses fastcgi and suphp uses cgi. Both basically
allow PHP scripts to execute under the permissions of each specific
shared hosting user rather than the web server user. mod-php however
executes PHP scripts under the web server user account (which isn't
good because those scripts can do whatever the web server user can...)

By default Apache (in Ubuntu anyway) uses the prefork MPM which uses
multiple processes and can only handle 1 thread per process (where a
thread handles a request). You can use a worker MPM instead which
again uses multiple processes, but can handle multiple threads for
each process which makes for better performance and more efficient use
of memory. You can't however use mod-php with a worker MPM. mod-php
must be executed by the less efficient but default prefork MPM, and
installing mod-php will force Apache to use prefork.

By utilising PHP via cgi, you separate out script processing from
serving web pages. This is good, because if you use the alternative
mod-php method, each thread created to handle a process is spawned
with the full PHP execution environment loaded even when serving
static content.  Where fastcgi or cgi are used, when Apache needs a
script processing, it sends it off to the cgi server which processes
and sends the result back to Apache for Apache to return to the
tinterweb!

What I'm still hazy on is this:

cgi is slower than fastcgi because it (a bit like prefork MPM) has one
process per thread (whereas fastcgi can service multiple requests with
one process).

However.. we want each virtual host to have its own waiting
fastcgi process (to separate out script execution to enhance security)
standing by to execute PHP scripts. How do we do that?

Thanks,

Chris



Re: [ubuntu-uk] PHP security

2010-06-10 Thread Tyler J. Wagner
On Thursday 10 June 2010 23:19:28 Chris Rowson wrote:
> I'm migrating a web server with a few sites from a CentOS based VPS
> with a DirectAdmin control panel to an Ubuntu Lucid server. I'm not
> incredibly bothered about losing the control panel, but I wondered if
> anyone had any advice on securing PHP scripts so that scripts owned by
> separate 'site owners' don't interfere with one another.
> 
> I've looked at suPHP & ITK-MPM but as I've not used either before I'm
> not sure of the pros and cons.
> 
> Anyone out there running this kind of setup with any advice to offer?

If you intend to run more than one site from this server, you might consider 
installing webmin and virtualmin. It'll make this easier.

Install the "apache2-suexec" package if all web files are under /var/www and if 
you want PHP scripts to run as the user (site owner). If your files will be 
elsewhere, such as /home/domainname, install "apache2-suexec-custom" and 
configure it for the appropriate root.

You'll need to run PHP as cgi or fastcgi. That means no Apache PHP module, and 
using the Apache worker or ITK MPM.

Regards,
Tyler

-- 
"One of the main causes of the fall of the Roman Empire was that,
lacking zero, they had no way to indicate successful termination of
their C programs."
   -- Robert Firth



[ubuntu-uk] PHP security

2010-06-10 Thread Chris Rowson
Hello server admins!

I'm migrating a web server with a few sites from a CentOS based VPS
with a DirectAdmin control panel to an Ubuntu Lucid server. I'm not
incredibly bothered about losing the control panel, but I wondered if
anyone had any advice on securing PHP scripts so that scripts owned by
separate 'site owners' don't interfere with one another.

I've looked at suPHP & ITK-MPM but as I've not used either before I'm
not sure of the pros and cons.

Anyone out there running this kind of setup with any advice to offer?

As always, thanks in advance :-)

Chris



Re: [ubuntu-uk] PHP security

2010-06-10 Thread Chris Rowson
>> I'm migrating a web server with a few sites from a CentOS based VPS
>> with a DirectAdmin control panel to an Ubuntu Lucid server. I'm not
>> incredibly bothered about losing the control panel, but I wondered if
>> anyone had any advice on securing PHP scripts so that scripts owned by
>> separate 'site owners' don't interfere with one another.
>>
>> I've looked at suPHP & ITK-MPM but as I've not used either before I'm
>> not sure of the pros and cons.
>>
>> Anyone out there running this kind of setup with any advice to offer?
>
> If you intend to run more than one site from this server, you might consider
> installing webmin and virtualmin. It'll make this easier.
>
> Install the "apache2-suexec" package if all web files are under /var/www and
> if you want PHP scripts to run as the user (site owner). If your files will be
> elsewhere, such as /home/domainname, install "apache2-suexec-custom" and
> configure it for the appropriate root.
>
> You'll need to run PHP as cgi or fastcgi. That means no Apache PHP module, and
> using the Apache worker or ITK MPM.
>
> Regards,
> Tyler
>
Thanks again Tyler, I'm going to have to start paying you consultancy!

I'll do some reading up on this. I've not really had to worry about
random users hosing a server with a dodgy php script before so it's
great to have somewhere to start!

Chris
