#1  
Old 18th May 2008, 15:54
pjdevries pjdevries is offline
HowtoForge Supporter
 
Join Date: Sep 2006
Posts: 130
Thanks: 7
Thanked 12 Times in 5 Posts
Debian suPHP security patch

Last year I crafted a Debian package for suPHP (see topic suPHP in custom Debian package). Last month a Debian security patch was released. Unfortunately the person who manages my system forgot all about the special suPHP package and installed the default Debian package. As can be expected, that caused a few problems.

Because I'm not an experienced Debian software developer, I remember having quite some difficulties figuring out how to create a Debian package and solving all related problems. Unfortunately I didn't document the whole procedure. The quickest solution I could think of for the problematic situation, was to just take the sources of the new Debian package, apply the source modifications, recompile the module and manually replace mod_suphp.so. That seems to have solved the problems for the time being and if I can find the courage and spare the time, maybe I will create a new Debian package later.

The possibility to install the default Debian suPHP package, would obviously be the preferred and less error prone solution for this situation. In fact I don't really know why we need this customized version. Is there anyone who can shed some light on the reason why we can't use the regular Debian suPHP package in combination with ISPConfig?
  #2  
Old 19th May 2008, 16:22
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,722 Times in 2,563 Posts

Because ISPConfig needs suPHP to be compiled with --with-setid-mode=paranoid.

This link might be interesting: http://www.howtoforge.com/install-su...2.20-and-above
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
  #3  
Old 19th May 2008, 17:06
pjdevries pjdevries is offline
HowtoForge Supporter
 
Join Date: Sep 2006
Posts: 130
Thanks: 7
Thanked 12 Times in 5 Posts

Thanks for the reply Falko.

I figured that much, but just out of curiosity: why is "--with-setid-mode=paranoid" so essential for ISPConfig? Is that only for additional security? In other words: is the regular Debian package not secure enough? And does that extra security compensate for the extra hassle of having to manually maintain suPHP instead of being able to make use of a standard package?
  #4  
Old 19th May 2008, 17:16
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,446
Thanks: 813
Thanked 5,216 Times in 4,089 Posts

If I remember correctly, without this setting suPHP can not be forced to execute the php files under a specific user via a config directive in the vhost configuration.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #5  
Old 19th May 2008, 18:25
pjdevries pjdevries is offline
HowtoForge Supporter
 
Join Date: Sep 2006
Posts: 130
Thanks: 7
Thanked 12 Times in 5 Posts

Thanks for the additional clarification Till.

You are right. I took a closer look at the suPHP documentation of the latest Debian suPHP package and it says:
Quote:
"paranoid": Run scripts with owner UID/GID but also check if they match the UID/GID specified in the Apache configuration
However, it also says:
Quote:
The default is "paranoid" mode.
So apparently that doesn't seem to be a valid reason not to use the Debian package.

When I created my package, I used Hans' howto (see How To Set Up suPHP On A Debian Etch Based ISPConfig Server) as a guideline and not the one Falko mentions, and it worked just fine. In that howto, some minor modifications are made to mod_suphp.c. I don't see those modifications in Falko's howto though, so apparently they are not very important and maybe not even necessary.

Bottom line: it's still a mystery to me why we can't use the regular Debian suPHP package. I think it's worthwhile though, to make ISPConfig work with the Debian package instead of having to manually update suPHP with each new release. And if I'm not mistaken, we can expect 0.6.3 soon.
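To make the difference between the setid modes quoted above concrete, here is a small model of the decision suPHP makes per request. This is an added illustration, not suPHP's or ISPConfig's code: it only approximates the owner/force/paranoid policy plus the min_uid/min_gid and world-writable checks from suphp.conf, and the uids, paths and limits are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# suphp.conf limits (constructed values): refuse to run as system accounts.
MIN_UID = 100
MIN_GID = 100

@dataclass
class Script:
    path: str
    uid: int                      # owner of the .php file on disk
    gid: int
    others_writable: bool = False # models allow_file_others_writeable=false

@dataclass
class Vhost:
    # (uid, gid) from suPHP_UserGroup in the <VirtualHost>; None when the
    # directive is absent, e.g. because the module does not know it at all.
    user_group: Optional[Tuple[int, int]] = None

def decide(mode: str, script: Script, vhost: Vhost):
    """Return ("allow", uid, gid) or ("deny", reason) for one request."""
    if script.others_writable:
        return ("deny", "file is world-writable")
    if mode == "owner":
        # run as whoever owns the file; the vhost has no say
        uid, gid = script.uid, script.gid
    elif mode in ("force", "paranoid"):
        if vhost.user_group is None:
            return ("deny", f"{mode} mode needs suPHP_UserGroup in the vhost")
        if mode == "force":
            uid, gid = vhost.user_group
        elif (script.uid, script.gid) != vhost.user_group:
            # paranoid: owner must agree with what the vhost config says
            return ("deny", "script owner does not match suPHP_UserGroup")
        else:
            uid, gid = script.uid, script.gid
    else:
        return ("deny", f"unknown setid mode {mode!r}")
    if uid < MIN_UID or gid < MIN_GID:
        return ("deny", f"uid/gid {uid}:{gid} below min_uid/min_gid")
    return ("allow", uid, gid)

if __name__ == "__main__":
    # Constructed sample: ISPConfig-style site owned by web1 (uid/gid 5001).
    site = Script("/var/www/web1/web/index.php", 5001, 5001)
    print(decide("paranoid", site, Vhost((5001, 5001))))   # allowed
    print(decide("paranoid", site, Vhost((5002, 5002))))   # denied: mismatch
    print(decide("paranoid", site, Vhost()))               # denied: no directive
```

The last case is the one this thread ends on: a module built without paranoid support never reads suPHP_UserGroup, so a per-vhost user assignment cannot be enforced.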
  #6  
Old 19th May 2008, 18:54
Hans Hans is offline
Moderator
 
Join Date: Dec 2005
Location: Montfoort, The Netherlands
Posts: 2,256
Thanks: 212
Thanked 648 Times in 294 Posts

Modifying the file mod_suphp.c is not necessary anymore from ISPConfig 2.2.20 and up.
Please have a look here for more information: http://www.howtoforge.com/forums/sho...ghlight=2.2.20
suPHP 0.6.3 has been released on 30-3-2008.
__________________
Hans

BB-Hosting | Quality Web Hosting since 2005

Last edited by Hans; 19th May 2008 at 19:20.
  #7  
Old 19th May 2008, 19:55
pjdevries pjdevries is offline
HowtoForge Supporter
 
Join Date: Sep 2006
Posts: 130
Thanks: 7
Thanked 12 Times in 5 Posts

Thanks for your contribution as well Hans.

So if I'm not mistaken, the only thing that's different about the Debian suPHP package is the /etc/suphp.conf file. Or am I still missing something?
  #8  
Old 20th May 2008, 23:19
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,722 Times in 2,563 Posts

Quote:
Originally Posted by pjdevries
However, it also says:

So apparently that doesn't seem to be a valid reason not to use the Debian package.
When we used the Debian package in our tests, Apache was complaining about unknown directives, so it seems the Debian package was not built with --with-setid-mode=paranoid.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
  #9  
Old 21st May 2008, 08:36
pjdevries pjdevries is offline
HowtoForge Supporter
 
Join Date: Sep 2006
Posts: 130
Thanks: 7
Thanked 12 Times in 5 Posts

Thanks for the follow up.

Interesting that the Debian package doesn't 'respect' the default settings. But at least it explains everything.