HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Thread: Debian suPHP security patch (http://www.howtoforge.com/forums/showthread.php?t=23408), in Installation/Configuration (http://www.howtoforge.com/forums/forumdisplay.php?f=16)

pjdevries 18th May 2008 15:54

Debian suPHP security patch
 
Last year I crafted a Debian package for suPHP (see topic suPHP in custom Debian package). Last month a Debian security patch was released. Unfortunately the person who manages my system forgot all about the special suPHP package and installed the default Debian package. As can be expected, that caused a few problems.

Because I'm not an experienced Debian software developer, I remember having quite some difficulties figuring out how to create a Debian package and solving all related problems. Unfortunately I didn't document the whole procedure. The quickest solution I could think of for the problematic situation was to just take the sources of the new Debian package, apply the source modifications, recompile the module and manually replace mod_suphp.so. That seems to have solved the problems for the time being, and if I can find the courage and spare the time, maybe I will create a new Debian package later.

The possibility to install the default Debian suPHP package would obviously be the preferred and less error-prone solution for this situation. In fact I don't really know why we need this customized version. Is there anyone who can shed some light on the reason why we can't use the regular Debian suPHP package in combination with ISPConfig?

falko 19th May 2008 16:22

Because ISPConfig needs suPHP to be compiled with --with-setid-mode=paranoid.

This link might be interesting: http://www.howtoforge.com/install-su...2.20-and-above

pjdevries 19th May 2008 17:06

Thanks for the reply, Falko.

I figured that much, but just out of curiosity: why is "--with-setid-mode=paranoid" so essential for ISPConfig? Is that only for additional security? In other words: is the regular Debian package not secure enough? And does that extra security compensate for the extra hassle of having to manually maintain suPHP instead of being able to make use of a standard package?

till 19th May 2008 17:16

If I remember correctly, without this setting suPHP can not be forced to execute the PHP files under a specific user via a config directive in the vhost configuration.

pjdevries 19th May 2008 18:25

Thanks for the additional clarification, Till.

You are right. I took a closer look at the suPHP documentation of the latest Debian suPHP package and it says:

Quote:
    "paranoid": Run scripts with owner UID/GID but also check if they match the UID/GID specified in the Apache configuration

However, it also says:

Quote:
    The default is "paranoid" mode.

So apparently that doesn't seem to be a valid reason not to use the Debian package.

When I created my package, I used Hans' howto (see How To Set Up suPHP On A Debian Etch Based ISPConfig Server) as a guideline and not the one Falko mentions, and it worked just fine. In that howto, some minor modifications are made to mod_suphp.c. I don't see those modifications in Falko's howto though, so apparently they are not very important and maybe not even necessary.

Bottom line: it's still a mystery to me why we can't use the regular Debian suPHP package. I think it's worthwhile though to make ISPConfig work with the Debian package instead of having to manually update suPHP with each new release. And if I'm not mistaken, we can expect 0.6.3 soon :)
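To make the difference between the setid modes discussed in this thread concrete, here is a small Python model of how suPHP decides which UID/GID a script runs as and when it refuses the request. This is an added illustration, not suPHP's own source and not code from anyone in the thread; the mode semantics follow the documentation quoted above (paranoid = run as the file owner, but only if that owner matches the user the vhost names with the mod_suphp directive suPHP_UserGroup). The uid/gid numbers, paths, the min_uid/min_gid floor and the VHost/ScriptFile classes are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Floor for the target ids, in the spirit of min_uid / min_gid in suphp.conf.
# Values are constructed for this example.
MIN_UID = 100
MIN_GID = 100


@dataclass(frozen=True)
class ScriptFile:
    path: str
    uid: int  # owner of the PHP file on disk
    gid: int


@dataclass(frozen=True)
class VHost:
    # (uid, gid) named by suPHP_UserGroup in the vhost, or None when the
    # directive is absent (hypothetical representation, not suPHP's own)
    user_group: Optional[Tuple[int, int]] = None


class SuphpRefused(Exception):
    """The model refuses to execute the script (suPHP would log an error)."""


def resolve_ids(mode: str, script: ScriptFile, vhost: VHost) -> Tuple[int, int]:
    """Return the (uid, gid) the script would run as under the given
    compile-time setid mode, or raise SuphpRefused."""
    if mode == "owner":
        # Trust the file owner, ignore the vhost entirely.
        target = (script.uid, script.gid)
    elif mode == "force":
        # Always the vhost's configured user, whoever owns the file.
        if vhost.user_group is None:
            raise SuphpRefused("force mode: vhost has no suPHP_UserGroup")
        target = vhost.user_group
    elif mode == "paranoid":
        # Run as the file owner, but only if that owner is the vhost's user.
        if vhost.user_group is None:
            raise SuphpRefused("paranoid mode: vhost has no suPHP_UserGroup")
        if (script.uid, script.gid) != vhost.user_group:
            raise SuphpRefused(
                f"{script.path}: owner {script.uid}:{script.gid} does not match "
                f"vhost user {vhost.user_group[0]}:{vhost.user_group[1]}")
        target = (script.uid, script.gid)
    else:
        raise ValueError(f"unknown setid mode {mode!r}")

    uid, gid = target
    if uid < MIN_UID or gid < MIN_GID:
        raise SuphpRefused(f"{script.path}: target {uid}:{gid} below min_uid/min_gid")
    return target


def compare_modes(script: ScriptFile, vhost: VHost) -> Dict[str, str]:
    """Outcome per mode as a short string, to see where the modes diverge."""
    out = {}
    for mode in ("owner", "force", "paranoid"):
        try:
            uid, gid = resolve_ids(mode, script, vhost)
            out[mode] = f"run as {uid}:{gid}"
        except SuphpRefused as e:
            out[mode] = f"refused: {e}"
    return out


if __name__ == "__main__":
    # Constructed sample: vhost web1 is configured for uid/gid 1001.
    web1 = VHost(user_group=(1001, 1001))
    own = ScriptFile("/var/www/web1/index.php", 1001, 1001)
    foreign = ScriptFile("/var/www/web1/upload/x.php", 1002, 1002)  # owned by another account
    root_owned = ScriptFile("/var/www/web1/admin.php", 0, 0)
    for s in (own, foreign, root_owned):
        print(s.path)
        for mode, outcome in compare_modes(s, web1).items():
            print(f"  {mode:9s} {outcome}")
```

The point the comparison makes: a file owned by a different account inside web1's docroot would run as that other account in owner mode and as web1's user in force mode; only paranoid mode refuses it, which is the behaviour that ties each vhost to exactly one Unix user.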

Hans 19th May 2008 18:54

Modifying the file mod_suphp.c is not necessary anymore from ISPConfig 2.2.20 and up.
Please have a look here for more information: http://www.howtoforge.com/forums/sho...ghlight=2.2.20
suPHP 0.6.3 has been released on 30-3-2008.

pjdevries 19th May 2008 19:55

Thanks for your contribution as well, Hans.

So if I'm not mistaken, the only thing that's different about the Debian suPHP package is the /etc/suphp.conf file. Or am I still missing something?

falko 20th May 2008 23:19

Quote:
    Originally Posted by pjdevries
    However, it also says:

    So apparently that doesn't seem to be a valid reason not to use the Debian package.

When we used the Debian package in our tests, Apache was complaining about unknown directives, so it seems the Debian package was not built with --with-setid-mode=paranoid.

pjdevries 21st May 2008 08:36

Thanks for the follow-up.

Interesting that the Debian package doesn't 'respect' the default settings. But at least it explains everything.
