1

I host a very small hosting site that hosts a type of chat software. I give each user a /home/ jailed ftp but they have their own www folder they can upload things to.

One of my users uploaded this php file: http://pastebin.com/YAJW8weh - which seems to be able to save php files and allow him to download them.

Using this I think he was able to access some of my files and one of my php files had my MySQL password in the php, which he then gained access to a database with all my clients passwords.

How can I stop this from happening again? What precautions should I take when giving users their own /home/ directory.

Improve this question
2
  • It sounds like you where storing your clients passwords in plain text. That is a bad idea - you should use some kind of encryption to limit the damage should this kind of thing happen again. Commented Nov 7, 2011 at 12:35
  • @Joseph That was true, I combated this specific issue using this method: brianhare.com/wordpress/2011/02/18/… Commented Nov 9, 2011 at 2:33

3 Answers 3

Reset to default
0

You want to disable php for the home folder.

When using PHP as an Apache module (default on Ubuntu 10.04), add the following to your Apache configuration

<Directory /home> php_admin_value engine Off </Directory>

You should probably also use Options -ExecCGI and AllowOverride None there for safety. See the official Apache security tips. If your webserver have other kinds of scripts enabled (like mod_perl), be sure to disable them for the home folder too.

Improve this answer
3
  • I still like them to use php though, just not using certain php abilities. Commented Dec 14, 2010 at 2:25
  • 1
    You may consider using php with suexec, which let the webserver run the users' scripts under the users' account. As long as your have proper permission settings, they will not be able to access your files. You'll need to be very careful about security, though. Commented Dec 14, 2010 at 2:37
  • No! - don't mess with uids! - setup the open_basedir restrictions in the httpd.conf file or .htaccess Commented Dec 14, 2010 at 14:29
1

You'll have to protect your website and Linux/Unix does this very well, set minimal permissions for group and others on your website's root directory:

chmod 0711 /var/virtualhosts/example.com # ls -ald /var/virtualhosts/example.com drwx--x--x 4 example example 4096 Oct 9 08:43 example.com

Restrict access to files in PHP with open_basedir:

# virtual host config php_admin_value open_basedir "/var/virtualhosts/example.com:/tmp" # directory config <Directory /home/bad_user> php_admin_value open_basedir "/home/bad_user:/tmp" </Directory>

Disable dangerous functions from PHP:

# /etc/php.ini disable_functions = "dl,shell_exec,passthru,exec, popen,system,proc_terminate,proc_close,stream_socket_server"

Use su - user to test permissions they have on your website.

su - apache -s /bin/bash cd /var/virtualhosts/example.com ls -al cat /var/virtualhosts/example.com/db.config.php
Improve this answer
2
0

suPHP is really your best bet here. You would setup each user to run their scripts as their own user, then chmod their directories so that other users cannot read them. Do not rely on open_basedir, it's not going to work 100%.

Since you are allowing uploads, you are always going to have to worry about people uploading things they shouldn't. I'd suggest running something like Linux Malware Detect. It alerts you when things like shells and DoS scripts get uploaded to your servers.

Improve this answer
1
  • Yes I actually use a combination of suphp and open_basedir, i have suphp run only in the /home/ dir, and then I have special php.ini that limits them to /home/ but in the /var/www/ and everywhere else i run as mod_php with my standard unsecure php.ini...etc Commented Dec 15, 2010 at 6:10

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.