Securing PHP

21/10/2007, 02h00   #1
Grant

Hi all,

You've all likely heard this before...."I was hacked..." , "Had register
globals on..." etc etc.

Well, this is true of me as well.

Does anyone know of a site that would help a semi professional lock down
php, i.e.

Perhaps how to install phpsuexec,

Jail users to only have the ability to read/write to their own files and
directories,

php.ini directives that have similar effect as mentioned above.

Any help appreciated.

-Grant

21/10/2007, 02h44   #2
Nathan Hawks

Are you running a multi-user hosting service?

If so you can create include files on a per-user or per-domain basis.
Use the Apache config directive php_value to set your include_path and
open_basedir appropriately for each account; and other options as
desired.

I don't know of a particular site, but that is the config framework that
Plesk uses.

As for building PHP, make sure you run the testing battery ('make test'
after you 'make' and before you 'make install') in order to see how
'hardened' your build is.



On Sat, 2007-10-20 at 21:00 -0400, Grant wrote:
> Hi all,
>
> You've all likely heard this before...."I was hacked..." , "Had register
> globals on..." etc etc.
>
> Well, this is true of me as well.
>
> Does anyone know of a site that would help a semi professional lock down
> php, i.e.
>
> Perhaps how to install phpsuexec,
>
> Jail users to only have the ability to read/write to their own files and
> directories,
>
> php.ini directives that have similar effect as mentioned above.
>
> Any help appreciated.
>
> -Grant
>


21/10/2007, 13h11   #3
Grant

Hi Nathan,

Thanks for taking the time to reply.

Yes, this is a shared server. Each (UNIX) user's home directory is their
domain name i.e. /home/usersdomainnamehere.com and their http root is www
i.e. /home/usersdomainnamehere.com/www

I am running apache 2. and mod_php. Most servers are running php 4.x right
now, but we will be upgrading to 5 soon.

Also, apache is running suexec for perl (cgi).

When files are written via ftp and cgi they are owned by the user who logged
in, and in both cases are limited to writing to their home directory.

In the case of PHP, the files are owned by www.

Should I consider phpsuexec? Or will the apache directives you mentioned
below take care of it?

-Grant

"Nathan Hawks" <nhawks@gmail.com> wrote in message
news:1192931064.2526.30.camel@dk.localdomain...
> Are you running a multi-user hosting service?
>
> If so you can create include files on a per-user or per-domain basis.
> Use the Apache config directive php_value to set your include_path and
> open_basedir appropriately for each account; and other options as
> desired.
>
> I don't know of a particular site, but that is the config framework that
> Plesk uses.
>
> As for building PHP, make sure you run the testing battery ('make test'
> after you 'make' and before you 'make install') in order to see how
> 'hardened' your build is.
>
>
>
> On Sat, 2007-10-20 at 21:00 -0400, Grant wrote:
>> Hi all,
>>
>> You've all likely heard this before...."I was hacked..." , "Had register
>> globals on..." etc etc.
>>
>> Well, this is true of me as well.
>>
>> Does anyone know of a site that would help a semi professional lock down
>> php, i.e.
>>
>> Perhaps how to install phpsuexec,
>>
>> Jail users to only have the ability to read/write to their own files and
>> directories,
>>
>> php.ini directives that have similar effect as mentioned above.
>>
>> Any help appreciated.
>>
>> -Grant
>>
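
The per-account include files described in the quoted reply, generated for the /home/<domain>/www layout given in this post, as an added example that is not part of the thread. It uses php_admin_value rather than php_value so the settings cannot be overridden from .htaccess or ini_set(); HOME_ROOT, the tmp/ and www/include directories and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: one Apache include file per account,
# confining mod_php to that account's home (layout /home/<domain>/www).
# HOME_ROOT, tmp/ and www/include are assumptions of this sketch.
HOME_ROOT="${HOME_ROOT:-/home}"

# Print the include file for one account. Returns 1 for names that are not
# plain host names, so "..", "/" and spaces never reach the config.
gen_php_jail_conf() {
    domain="$1"
    case "$domain" in
        ""|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    home="$HOME_ROOT/$domain"
    cat <<EOF
<Directory "$home/www">
    # php_admin_* cannot be overridden from .htaccess or ini_set().
    # Trailing slash: PHP 4 treats open_basedir as a string prefix, so
    # "$home" alone would also allow "$home.example".
    php_admin_value open_basedir "$home/"
    php_admin_value include_path ".:$home/www/include"
    php_admin_value upload_tmp_dir "$home/tmp"
    php_admin_value session.save_path "$home/tmp"
    php_admin_flag register_globals off
</Directory>
EOF
}

# Write <conf_dir>/<domain>.conf for every account that has a www/ directory
# and print how many files were written.
gen_all() {
    conf_dir="$1"
    count=0
    for dir in "$HOME_ROOT"/*/; do
        [ -d "${dir}www" ] || continue
        domain=$(basename "$dir")
        if gen_php_jail_conf "$domain" > "$conf_dir/$domain.conf"; then
            count=$((count + 1))
        else
            rm -f "$conf_dir/$domain.conf"
            echo "skipped: $domain" >&2
        fi
    done
    echo "$count"
}
```

open_basedir only limits PHP's own file functions: under mod_php the scripts still run as the web-server user, so files they create stay owned by that user whatever these directives say.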


22/10/2007, 16h40   #4
Philip Thompson

On 10/20/07, Grant <gpeel@thenetnow.com> wrote:
>
> Hi all,
>
> You've all likely heard this before...."I was hacked..." , "Had register
> globals on..." etc etc.
>
> Well, this is true of me as well.
>
> Does anyone know of a site that would help a semi professional lock down
> php, i.e.
>
> Perhaps how to install phpsuexec,
>
> Jail users to only have the ability to read/write to their own files and
> directories,
>
> php.ini directives that have similar effect as mentioned above.
>
> Any help appreciated.
>
> -Grant




One resource: http://phpsec.org/

~Philip


22/10/2007, 16h50   #5
Greg Donald

On 10/22/07, Philip Thompson <philthathril@gmail.com> wrote:
> One resource: http://phpsec.org/


I find it very helpful to look at the actual exploits and understand
why they work:

http://www.securityfocus.com/swsearc...ldoc&query=php


--
Greg Donald
http://destiney.com/