Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 3 > General

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 16th April 2013, 13:08
Xenocide Xenocide is offline
Member
 
Join Date: Sep 2010
Posts: 56
Thanks: 12
Thanked 8 Times in 7 Posts
Default SuPHP vs mod_php vs FastCGI

Hi Guys,

I found a shell (c99) on one of our servers recently and thought i'd have a bit of a poke around with it before deleting it this time. All our sites run with suphp on this server. This file was uploaded via FTP so it's not the suphp's fault; however I was quite alarmed to see that I can browse most of the file system of the server from this shell (eg I can view /etc/passwd) however if I change the site to use mod_php, then I can't browse to these directories.

I thought the point in suphp was that it wouldn't allow any files to be opened not owned by the webx/clientx user/group.

Is this a config error on this server or have I misunderstood something?

Examples available if you'd like to see. Cheers.
Reply With Quote
Sponsored Links
  #2  
Old 16th April 2013, 14:32
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,046
Thanks: 826
Thanked 5,389 Times in 4,234 Posts
Default

Quote:
I thought the point in suphp was that it wouldn't allow any files to be opened not owned by the webx/clientx user/group.
The purpose of suphp is to run a script under a different user. If a file can be opened by this user or not is defined by the linux file permissions and ownership of that file.

For example /etc/passwd is a file that is world readable on all linux systems, so you can read it as any user. So its not suphp's fault that you can open it. The file that contains the sensitive data (passwords) is /etc/shadow and not /etc/passwd and the /etc/shadow file can not be opened.

mod_php is not as secure as suphp or php-fcgi + suexec as mod_php runs the scripts as aopche / www-data user which allsows a attacker to access all files of all other sites even if they are set chmod 600. php-fcgi + suexec is the recommended setting as it runs scripts as web user but is much faster then suphp.

That you cant open some files with mod_php indicates that you might have disabled functions wth php_admin value or similar or that you disabled functions in the php.ini for mod_php but not in the one used by suphp or php-fcgi.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
The Following User Says Thank You to till For This Useful Post:
Xenocide (16th April 2013)
  #3  
Old 16th April 2013, 15:02
Xenocide Xenocide is offline
Member
 
Join Date: Sep 2010
Posts: 56
Thanks: 12
Thanked 8 Times in 7 Posts
 
Default

Ok that's great - thank you Till. That give me something to look into. Appreciated very much as usual. Cheers!
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
suphp from fastcgi causes 500 error wolfric Installation/Configuration 7 6th April 2013 03:18
Listing Directories and CGI vestport4 Server Operation 3 15th May 2012 15:11
SSL Problem vlados Installation/Configuration 8 31st January 2011 13:06
Custom PHP.ini for ISPC3 with Suphp and FastCGI ethanlifka Tips/Tricks/Mods 0 7th March 2010 03:14
Goal: user separation (but apache can't read what suPHP wrote) berny Installation/Configuration 1 26th April 2008 18:22


All times are GMT +2. The time now is 00:39.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.