Roland Tapken | 1 Sep 11:24 2010

Suggestion: distinguish between script owner and process owner

Hi,

The attached patch is some kind of "proof of concept" to solve a security-related 
problem I have with suPHP.

Problem: Running the script as the file/directory owner threatens the user's files.

suPHP is intended to run a PHP script as a specific process owner. When 
configured in "owner" or "paranoid" mode this will always be the owner of the 
file, but in any case it will be executed as the owner of the parent 
directory (if that isn't owned by root).

This can be (and I think in most cases is) used in multi-hosting environments 
to prevent users from reading other users' files at the operating system 
level.

But there is a big security problem with this solution. Not only can an 
exploitable PHP script modify itself, it is also possible for an 
attacker to compromise the user's configuration files. E.g. a bad guy could 
place a key logger in the user's .profile file. Or, even simpler, fake a failed 
login to retrieve the user's password.

A solution can be to execute the PHP process only with the user's group and a 
restricted "nobody" user. Sadly, suPHP wouldn't allow the script to be 
executed if it and its parent directory are not owned by the nobody user. Not 
a very satisfying situation if you need the system administrator's help to 
modify your site.

My suggestion is to distinguish between the user/group the script is executed 
with and the user/group the script has to be owned by. The attached patch 
(Continue reading)

Roland Tapken | 1 Sep 11:28 2010

Re: Suggestion: distinguish between script owner and process owner

Hi,

Sorry, there was a copy&paste error in the attached patch. Here's a fixed 
version.

Best regards,

Roland
_______________________________________________
suPHP mailing list
suPHP@...
https://lists.marsching.com/mailman/listinfo/suphp
Roland Tapken | 1 Sep 11:50 2010

Re: How to allow execution of scripts owned by a member of a group

Hi,

On Thursday 22 July 2010, 14:58:20, Uwe Baumbach wrote:
> Is it possible to configure suPHP so that scripts would be executed
> under the following circumstances:
> - the script directory is owned by user A of group GRP-A
> - in the directory some PHP scripts belong to user A of GRP-A, others to
>   user B of the same group GRP-A
> - all scripts are writeable/executable by owner and group (GRP-A) (but
>   not by all users) ??

I had the same problem. The attached patch adds a comparison of the primary 
group of the file/directory with the target user's primary group if the pure 
ownership check failed. I think this is a better solution than totally 
disabling this check.

Best regards,

Roland
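Roland's two posts above (the split between the identity a script must be owned by and the identity it runs as, and the group fallback in the ownership check) are easiest to reason about with a small model. The following is an added example written for this page, not code from suPHP and not the patches themselves (which the archive does not reproduce). Every uid, gid, path and mode in it is constructed, and it models only the ownership check as the posts describe it plus plain POSIX write permission; suPHP's allow_*_writeable, docroot and chroot options are out of scope.

```python
"""Toy model of the two suPHP identity policies discussed in this thread.

Added example, not code from suPHP.  All identities, paths and modes are
constructed.

Policy "owner"      : today's "owner"/"paranoid" behaviour, the script runs
                      as the uid:gid that owns it.
Policy "group-only" : Roland's suggestion, the script must still be owned
                      by the user but runs as a restricted uid ("nobody")
                      carrying only the user's group.
group_fallback      : his second patch (reply to Uwe Baumbach), accept a
                      script whose owner differs when its group equals the
                      target user's primary group.
"""
import stat
from dataclasses import dataclass
from typing import Set

# Constructed identities, not real accounts.
ALICE, BOB, NOBODY = 1001, 1002, 65534
GRP_A, GRP_B = 1001, 1002


@dataclass(frozen=True)
class Inode:
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o644


@dataclass(frozen=True)
class Process:
    uid: int
    gid: int


# alice's site: a 0644 script, a group-writable uploads dir, her shell
# profile, a script bob (same group) put in her directory, bob's own profile.
INDEX = Inode("/home/alice/public_html/index.php", ALICE, GRP_A, 0o644)
PARENT = Inode("/home/alice/public_html", ALICE, GRP_A, 0o755)
UPLOADS = Inode("/home/alice/public_html/uploads", ALICE, GRP_A, 0o775)
PROFILE = Inode("/home/alice/.profile", ALICE, GRP_A, 0o644)
BOBS_TOOL = Inode("/home/alice/public_html/tool.php", BOB, GRP_A, 0o664)
BOBS_PROFILE = Inode("/home/bob/.profile", BOB, GRP_B, 0o600)
TARGETS = (INDEX, UPLOADS, PROFILE, BOBS_PROFILE)


def can_write(p: Process, f: Inode) -> bool:
    """Plain POSIX discretionary write check: owner, then group, then other."""
    if p.uid == 0:
        return True
    if p.uid == f.uid:
        return bool(f.mode & stat.S_IWUSR)
    if p.gid == f.gid:
        return bool(f.mode & stat.S_IWGRP)
    return bool(f.mode & stat.S_IWOTH)


def suphp_ownership_ok(script: Inode, parent: Inode, user_uid: int,
                       user_gid: int, group_fallback: bool = False) -> bool:
    """Pre-execution ownership check as the thread describes it: script and
    parent directory must belong to the target user (a root-owned parent is
    tolerated).  With group_fallback a mismatched owner is accepted when the
    inode's group is the target user's primary group."""
    def ok(inode: Inode, is_dir: bool) -> bool:
        if inode.uid == user_uid:
            return True
        if is_dir and inode.uid == 0:
            return True
        return group_fallback and inode.gid == user_gid
    return ok(script, False) and ok(parent, True)


def process_for(policy: str, owner: Inode) -> Process:
    """Identity the PHP interpreter gets under each policy."""
    if policy == "owner":
        return Process(owner.uid, owner.gid)
    if policy == "group-only":
        return Process(NOBODY, owner.gid)
    raise ValueError(f"unknown policy {policy!r}")


def writable_by_compromised_script(policy: str) -> Set[str]:
    """Blast radius: paths a compromised index.php could overwrite."""
    if not suphp_ownership_ok(INDEX, PARENT, ALICE, GRP_A):
        return set()  # suPHP would refuse to run it at all
    proc = process_for(policy, INDEX)
    return {f.path for f in TARGETS if can_write(proc, f)}


if __name__ == "__main__":
    for policy in ("owner", "group-only"):
        print(f"{policy:11s} -> {sorted(writable_by_compromised_script(policy))}")
    print("bob's tool.php, no group fallback:  ",
          suphp_ownership_ok(BOBS_TOOL, PARENT, ALICE, GRP_A))
    print("bob's tool.php, with group fallback:",
          suphp_ownership_ok(BOBS_TOOL, PARENT, ALICE, GRP_A, group_fallback=True))
```

Under the owner policy the compromised index.php can rewrite itself and ~alice/.profile; under the group-only policy it reaches only group-writable paths such as the uploads directory, which is the point of the suggestion. The group_fallback flag shows what the second patch changes for Uwe Baumbach's case: bob's tool.php inside alice's directory is refused without it and accepted once the group comparison is added.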
Roland Tapken | 6 Sep 11:14 2010

Re: Suggestion: distinguish between script owner and process owner

Hi all,

No feedback about this?

Best regards,

Roland
Samuel Hassine | 9 Sep 18:24 2010

Invitation to connect on LinkedIn

LinkedIn

I'd like to add you to my professional network on LinkedIn.

- Samuel

Samuel Hassine
Computer Networking Professional
Paris Area, France

Confirm that you know Samuel

© 2010, LinkedIn Corporation

David D'Acquisto | 5 Sep 12:32 2010

Internal Error

Hi suphp mailing list,

I am making my first experiences with suphp. So far I had some configuration issues which I could manage based on the suphp.log, however I am still not able to get suphp running. As you can see I am getting an internal server error, which does not help me much since the suphp.log file is empty. I am writing to this mailing list to ask how to debug / troubleshoot this issue.

D4:apache@spquist1p:prod01$ ls -l /opt/suphp/0.7.1/sbin/suphp
-rwsr-xr-x 1 root root 2047153 Sep  5 02:23 /opt/suphp/0.7.1/sbin/suphp
D4:apache@spquist1p:prod01$ ls -l /var/opt/apache/log/suphp.log
-rw------- 1 root apache 0 Sep  5 02:35 /var/opt/apache/log/suphp.log
D4:apache@spquist1p:prod01$ cat /opt/apache/2.2.16/conf/httpd.conf
...
LoadModule suphp_module       modules/mod_suphp.so
<IfModule mod_suphp.c>
    suPHP_Engine on
    suPHP_ConfigPath /opt/suphp/0.7.1/conf/suphp.conf
    AddType application/x-httpd-php .php
    AddHandler application/x-httpd-php .php
    DirectoryIndex index.php
    <Location />
        suPHP_AddHandler application/x-httpd-php
    </Location>
</IfModule>
...

Thank you for your feedback.

Regards,
David

[global]
;Path to logfile
logfile=/var/opt/apache/log/suphp.log

;Loglevel
loglevel=error

;User Apache is running as
webserver_user=apache

;Path all scripts have to be in
docroot=${HOME}

;Path to chroot() to before executing script
chroot=${HOME}

; Security options
allow_file_group_writeable=true
allow_file_others_writeable=true
allow_directory_group_writeable=true
allow_directory_others_writeable=true

;Check whether script is within DOCUMENT_ROOT
check_vhost_docroot=true

;Send minor error messages to browser
errors_to_browser=true

;PATH environment variable
env_path=/bin:/usr/bin

;Umask to set, specify in octal notation
umask=0077

; Minimum UID
min_uid=1600
; Minimum GID
min_gid=1600

[handlers]
;Handler for php-scripts
application/x-httpd-php="php:/opt/php/current/bin/php"

;Handler for CGI-scripts
x-suphp-cgi="execute:!self"
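The suphp.conf posted above has all four allow_*_writeable options set to true, which removes the check that stops other local accounts (or group members) from planting code that suPHP then runs as the target user. The following is an added example for this page, not part of suPHP: a small auditor that parses a suphp.conf and lists the settings a reviewer would flag. It does not diagnose the empty log or the internal server error. The fallback values it assumes for absent keys and the SYSTEM_ID_FLOOR threshold are assumptions; check them against the compiled-in defaults of your build.

```python
"""Audit a suphp.conf for settings that undo the per-user isolation suPHP
exists to provide.  Added example, not part of suPHP; the fallback defaults
used for absent keys and SYSTEM_ID_FLOOR are assumptions."""
import configparser
from typing import List, Tuple

# Constructed sample: the [global]/[handlers] file posted in the thread,
# reproduced inline (comments dropped) so the audit runs offline.
SAMPLE_CONF = """\
[global]
logfile=/var/opt/apache/log/suphp.log
loglevel=error
webserver_user=apache
docroot=${HOME}
chroot=${HOME}
allow_file_group_writeable=true
allow_file_others_writeable=true
allow_directory_group_writeable=true
allow_directory_others_writeable=true
check_vhost_docroot=true
errors_to_browser=true
env_path=/bin:/usr/bin
umask=0077
min_uid=1600
min_gid=1600

[handlers]
application/x-httpd-php="php:/opt/php/current/bin/php"
x-suphp-cgi="execute:!self"
"""

Finding = Tuple[str, str, str]  # (severity, key, message)
SYSTEM_ID_FLOOR = 100  # assumed: uids/gids below this are system accounts


def parse_suphp_conf(text: str) -> configparser.ConfigParser:
    # suphp.conf is INI-like with ';' comments; ${HOME} must not be interpolated.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def audit_suphp_conf(text: str) -> List[Finding]:
    g = parse_suphp_conf(text)["global"]
    out: List[Finding] = []

    for key in ("allow_file_others_writeable", "allow_directory_others_writeable"):
        if g.getboolean(key, fallback=False):
            out.append(("high", key, "world-writable scripts or directories are executed: "
                        "any local account can plant code that then runs as the target user"))
    for key in ("allow_file_group_writeable", "allow_directory_group_writeable"):
        if g.getboolean(key, fallback=False):
            out.append(("medium", key, "group-writable scripts or directories are executed: "
                        "every member of the group can change what runs as the owner"))
    if not g.getboolean("check_vhost_docroot", fallback=True):
        out.append(("medium", "check_vhost_docroot",
                    "scripts outside the vhost's DocumentRoot are executed"))
    if g.getboolean("errors_to_browser", fallback=False):
        out.append(("low", "errors_to_browser", "suPHP diagnostics are sent to clients"))
    for key in ("min_uid", "min_gid"):
        raw = g.get(key, "")
        if not raw.isdigit():
            out.append(("high", key, "missing or non-numeric: nothing in this file "
                        "stops scripts running as system accounts"))
        elif int(raw) < SYSTEM_ID_FLOOR:
            out.append(("high", key, f"{raw} admits system accounts below {SYSTEM_ID_FLOOR}"))
    raw_umask = g.get("umask", "")
    try:
        if not int(raw_umask, 8) & 0o002:
            out.append(("medium", "umask", f"{raw_umask} lets scripts create world-writable files"))
    except ValueError:
        out.append(("medium", "umask", f"{raw_umask!r} is not an octal umask"))
    for entry in g.get("env_path", "").split(":"):
        if not entry.startswith("/"):
            out.append(("medium", "env_path", f"non-absolute PATH entry {entry!r}: "
                        "handlers could pick up binaries from a relative directory"))
            break
    return out


def hardened(conf: str) -> str:
    """The same file with the weak flags turned off (all other keys kept)."""
    return (conf.replace("others_writeable=true", "others_writeable=false")
                .replace("group_writeable=true", "group_writeable=false")
                .replace("errors_to_browser=true", "errors_to_browser=false"))


if __name__ == "__main__":
    for sev, key, msg in audit_suphp_conf(SAMPLE_CONF):
        print(f"[{sev}] {key}: {msg}")
    print("after hardening:", audit_suphp_conf(hardened(SAMPLE_CONF)))
```

On the posted file the two others_writeable keys come out as high, the two group_writeable keys as medium and errors_to_browser as low; umask=0077, min_uid/min_gid=1600 and an absolute env_path pass. Turning the weak flags off, as hardened() does, leaves no findings.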
Niels Postma | FoolProof | 14 Sep 14:28 2010

Automatic RH update enables php

Hi All,

I'm running suPHP on a managed RHEL server. To disable the normal mod_php I renamed php.conf to php.conf.disabled to prevent it from loading.

Yesterday I noticed suPHP was not working properly and when I looked in /etc/httpd/conf.d/ I noticed a new php.conf. I think this was caused by an automated RHN update. Does anyone know a way to prevent this from happening? I remember having read something about this issue, but I can't find it anymore.

Thanks for your help.

Niels

Graeme Fowler | 14 Sep 16:46 2010

Re: Automatic RH update enables php

On Tue, 2010-09-14 at 14:28 +0200, Niels Postma | FoolProof wrote:
> Yesterday I noticed suPHP was not working properly and when I looked
> in /etc/httpd/conf.d/ I noticed a new php.conf. I think this was
> caused by an automated RHN update. Does anyone know a way to prevent
> this from happening? I remember to have read something about this
> issue, but I can’t find it anymore.

On a new system:

cp /etc/httpd/conf.d/php.conf /etc/httpd/conf.d/php.conf.orig
echo "# Dummy file" >> /etc/httpd/conf.d/php.conf

Smile and go about your business :)

If the file does not exist, an RPM or yum update will reinstall it. If
it exists and contains any content it will be ignored, and the new one
created as php.conf.rpmnew.

Graeme

Guillermo Casanova | 18 Sep 19:11 2010

Question

Hi,

  Apart from asking and hoping their answer is honest, is there
  another way of knowing if a server is running suPHP?
  I have a shared account with inmotionhosting.com

--
Saludos,
Guillermo
mailto:gcasanova@...
James Hall | 19 Sep 13:17 2010

Re: Question

echo exec('id');



On Sat, Sep 18, 2010 at 6:11 PM, Guillermo Casanova <gcasanova@...> wrote:
> Hi,
>
>  Apart from asking and hoping their answer is honest, is there
>  another way of knowing if a server is running suPHP?
>  I have a shared account with inmotionhosting.com
>
> --
> Saludos,
> Guillermo
> mailto:gcasanova@...

