#1 | 27th August 2008, 23:35 | FractalizeR
How to prevent users from reading not owned folders?

Hello.

That would probably be a lamer question, but we all learn...

I have Apache 2.2 in mpm-worker and PHP 5.2.6 installed as an Apache module. Is there a way to restrict users' access from PHP scripts to their folders on such a configuration?

Currently I know two ways of solving this problem: Apache mod_suexec and PHP suphp. But it seems that they both require CGI.

Is there a way to solve my problem on my specific Apache configuration? If no, which are the choices I have?
#2 | 28th August 2008, 10:32 | till

- The most common choice is suphp, but it is slower as it uses php as cgi.
- Another possibility is to enable php safemode in your current setup for the sites, but there are still php based cms systems out there that are not compatible with the safe mode.
- A third possibility might be to use suphp + php as fcgi, but I did not test such a combination yet and it requires modifications in the ispconfig sources.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#3 | 28th August 2008, 10:51 | FractalizeR

So, do I understand correctly, that there is actually no way of keeping PHP running as an Apache module and at the same time keeping it secure? fcgi seems to be cgi and I will not be able to run APC on the server, right?

safe_mode of PHP is not a good idea. It is already removed from PHP6 and should be considered deprecated I think.
#4 | 28th August 2008, 11:04 | till

Quote (originally posted by FractalizeR):
"So, do I understand correctly, that there is actually no way of keeping PHP running as Apache module and at the same time keeping it secure?"

Yes and no. If you can live with the restrictions of safemode, it is fairly secure.

Quote:
"fcgi seems to be cgi and I will not be able to run APC on server, right?"

fcgi is not the same as cgi, as fcgi uses a constantly running instance of PHP. I'm not sure if APC is working with this setup. Falko did many tests with php caches recently, maybe he can give an answer to this question.

Quote:
"safe_mode of PHP is not a good idea. It is already removed from PHP6 and should be considered deprecated I think."

I know. Safemode is a kind of bundle of security mechanisms. From php6 on you cannot set them with a single safemode switch, they have to be activated one by one. If php6 is out as final, we will add some code that enables these different functions instead of the safemode switch which gives basically the same result.

The problem is that the php developers have not come up with a real solution to run mod_php in a really secure way, e.g. with different user permissions. The best and fastest way at the moment might be to use fcgi. fcgi is in benchmarks nearly as fast as mod_php.
#5 | 28th August 2008, 12:29 | FractalizeR

Thank you for comments. I will think it over.
In the case of mod_fcgi, APC is not as effective because the opcode cache and user cache are created per fcgi process. Probably, it is better to wait until PHP6, which will have APC built-in.

One more question, if you don't mind. In the Apache docs it is written that enabling mod_suexec can lead to security holes if done by a non-experienced user. What are the dangers of enabling mod_suexec?
#6 | 28th August 2008, 12:44 | Grey

As a comment from me:

SafeMode does not restrict a PHP user to his directory. Open_Basedir does that IMHO. Safe mode just restricts use of some security relevant functions in PHP.
Running SuPHP with PHP as CGI might be a bit slower, but as SuPHP uses the PHP CGI effectively (e.g. not opening a PHP instance for every access but re-using one) it is faster than using PHP as CGI in raw form. I'm pretty happy at the moment with the performance of PHP with SuPHP besides having one or two strange side effects.

Greets
Grey
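
An added example (not part of the original thread): a small Python check of the open_basedir confinement discussed in the posts above for mod_php sites. It parses constructed Apache vhost blocks (hypothetical hosts and paths) and reports sites whose open_basedir is missing, not set with php_admin_value, or wide enough to cover another site's DocumentRoot.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: three mod_php vhosts with hypothetical names and paths.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName alice.example
    DocumentRoot /var/www/web1/web
    php_admin_value open_basedir /var/www/web1/:/tmp/
</VirtualHost>
<VirtualHost *:80>
    ServerName bob.example
    DocumentRoot /var/www/web2/web
    php_value open_basedir /var/www/
</VirtualHost>
<VirtualHost *:80>
    ServerName carol.example
    DocumentRoot /var/www/web3/web
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return one dict per <VirtualHost> block: name, docroot, directive, paths."""
    vhosts = []
    for body in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I):
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M)
        root = re.search(r"^\s*DocumentRoot\s+(\S+)", body, re.M)
        ob = re.search(r"^\s*(php_admin_value|php_value)\s+open_basedir\s+(\S+)", body, re.M)
        paths = [PurePosixPath(p) for p in ob.group(2).split(":") if p] if ob else []
        vhosts.append({"name": name.group(1), "docroot": PurePosixPath(root.group(1)),
                       "directive": ob.group(1) if ob else None, "paths": paths})
    return vhosts

def audit(conf):
    """Map ServerName -> list of findings about its open_basedir confinement."""
    vhosts = parse_vhosts(conf)
    report = {}
    for vh in vhosts:
        issues = []
        if vh["directive"] is None:
            issues.append("open_basedir not set")
        elif vh["directive"] == "php_value":
            issues.append("open_basedir not locked with php_admin_value")
        for other in vhosts:
            # Assumption: each entry is a directory; it exposes another site
            # when it equals that site's DocumentRoot or is an ancestor of it.
            if other is not vh and any(
                    p == other["docroot"] or p in other["docroot"].parents for p in vh["paths"]):
                issues.append("open_basedir covers " + other["name"])
        report[vh["name"]] = issues
    return report
```
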
#7 | 28th August 2008, 12:56 | FractalizeR
Could you please be more concrete, that is interesting?
Which side-effects? And how do you know that suPHP doesn't open a new PHP instance every time? Did you do some testing? I don't see any information about that in the suPHP docs.