Suggestion: distinguish between script owner and process owner

Hi,

The attached patch is some kind of "proof of concept" to solve a security 
related problem I have with suPHP.

Problem: Run script with file/directory owner threatens the user's files.

suPHP is intended to run a PHP script using a specific process owner. When 
configured in "owner" or "paranoid" mode this always will be the owner of the 
file, but in any case it will be executed having the same owner as the parent 
directory (if it isn't owned by root).

This can be (and I think in most cases is) used in multihosting environments 
to prohibit the users from reading other user's files on an operating system 
level.

But there is a big security problem with this solution. Not only an 
exploitable PHP script can modify itself, but it is also possible for an 
attacker to compromise the user's configuration files. E.g. a bad guy could 
place a key logger in the user's .profile file. Or even simpler, fake a failed 
login to retrieve the user's password.

A solution can be to execute the PHP process only with the user's group and a 
restricted "nobody" user. Sadly, suPHP wouldn't allow the script to be 
executed if it and it's parent directory are not owned by the nobody user. Not 
a very satisfying situation if you need the system administator's help to 
modify your site.

My suggestion is to distinct between the user/group the script is executed 
with and the user/group the script have to be owned by. The attached patch 

Re: Suggestion: distinguish between script owner and process owner

Hi,

Sorry, there was a copy&paste error in the attached patch. Here's a fixed 
version.

Best regards,

Roland

_______________________________________________
suPHP mailing list
suPHP@...
https://lists.marsching.com/mailman/listinfo/suphp

Re: How to allow execution of scripts owned by a member of a group

Hi,

Am Donnerstag 22 Juli 2010, 14:58:20 schrieb Uwe Baumbach:
> is it possible to configure suPHP so, that a scripts would be executed
> under following circumstances: - script directory ist owned by user A of
> group GRP-A
> - in the directory some PHP-scripts belongs to user A of GRP-A, other to
> user B of the same group GRP-A - all scripts are writeable/executable by
> owner and group (GRP-A) (but not by all users) ??

I had the same problem. The attached patch adds a comparision of the primary 
group of the file/directory with the target user's primary group if the pure 
ownership check failed. I think this is a better solution as to totally 
disable this check.

Best regards,

Roland

_______________________________________________
suPHP mailing list
suPHP@...
https://lists.marsching.com/mailman/listinfo/suphp

Re: Suggestion: distinguish between script owner and process owner

Hi all,

no feedback about this?

Best regards,

Roland

Invitation to connect on LinkedIn

_______________________________________________
suPHP mailing list
suPHP@...
https://lists.marsching.com/mailman/listinfo/suphp

Internal Error

  Hi suphp mailing list,

I am making my first experiences with suphp. So far I was having some 
configuration issues which I could manage based on the suphp.log however 
I am still not able to make suphp running. As you can see I am getting 
an internal server error which does not help me much since the suphp.log 
file is empty. I am writing to this mailing list to ask how to debug / 
troubleshoot this issue.

D4:apache <at> spquist1p:prod01$ ls -l /opt/suphp/0.7.1/sbin/suphp
-rwsr-xr-x 1 root root 2047153 Sep  5 02:23 /opt/suphp/0.7.1/sbin/suphp
D4:apache <at> spquist1p:prod01$ ls -l /var/opt/apache/log/suphp.log
-rw------- 1 root apache 0 Sep  5 02:35 /var/opt/apache/log/suphp.log
D4:apache <at> spquist1p:prod01$ cat /opt/apache/2.2.16/conf/httpd.conf
...
LoadModule suphp_module       modules/mod_suphp.so
<IfModule mod_suphp.c>
     suPHP_Engine on
     suPHP_ConfigPath /opt/suphp/0.7.1/conf/suphp.conf
     AddType application/x-httpd-php .php
     AddHandler application/x-httpd-php .php
     DirectoryIndex index.php
<Location />
         suPHP_AddHandler application/x-httpd-php
</Location>
</IfModule>
...

Thank you for your feedback.

Regards,
David

[global]
;Path to logfile
logfile=/var/opt/apache/log/suphp.log

;Loglevel
loglevel=error

;User Apache is running as
webserver_user=apache

;Path all scripts have to be in
docroot=${HOME}

;Path to chroot() to before executing script
chroot=${HOME}

; Security options
allow_file_group_writeable=true
allow_file_others_writeable=true
allow_directory_group_writeable=true
allow_directory_others_writeable=true

;Check wheter script is within DOCUMENT_ROOT
check_vhost_docroot=true

;Send minor error messages to browser
errors_to_browser=true

;PATH environment variable
env_path=/bin:/usr/bin

;Umask to set, specify in octal notation
umask=0077

; Minimum UID
min_uid=1600
; Minimum GID
min_gid=1600

[handlers]
;Handler for php-scripts
application/x-httpd-php="php:/opt/php/current/bin/php"

;Handler for CGI-scripts
x-suphp-cgi="execute:!self"

_______________________________________________
suPHP mailing list
suPHP@...
https://lists.marsching.com/mailman/listinfo/suphp

Automatic RH update enables php

_______________________________________________
suPHP mailing list
suPHP@...
https://lists.marsching.com/mailman/listinfo/suphp

Re: Automatic RH update enables php

On Tue, 2010-09-14 at 14:28 +0200, Niels Postma | FoolProof wrote:
> Yesterday I noticed suPHP was not working properly and when I looked
> in /etc/httpd/conf.d/ I noticed a new php.conf. I think this was
> caused by an automated RHN update. Does anyone know a way to prevent
> this from happening? I remember to have read something about this
> issue, but I can’t find it anymore.

On a new system:

cp /etc/httpd/conf.d/php.conf /etc/httpd/conf.d/php.conf.orig
echo "# Dummy file" >> /etc/httpd/conf.d/php.conf

Smile and go about your business :)

If the file does not exist, an RPM or yum update will reinstall it. If
it exists and contains any content it will be ignored, and the new one
created as php.conf.rpmnew

Graeme

_______________________________________________
suPHP mailing list
suPHP <at> lists.marsching.com
https://lists.marsching.com/mailman/listinfo/suphp

Question

Hi,

  Apart from asking and hoping their answer is honest, is there
  another way of knowing if a server is running suPHP?
  I have a shared account with inmotionhosting.com

--
Saludos,
Guillermo
mailto:gcasanova@...

Re: Question

_______________________________________________
suPHP mailing list
suPHP@...
https://lists.marsching.com/mailman/listinfo/suphp