--- Scott Lamb <slamb@slamb.org> wrote:
[ Hilariously simple exploit ]
There is no way to distinguish between mod_ruid calling setuid() and mod_php (which runs in the same process) doing so.
Hahahaha. Very nice.
The proxied Apache or FastCGI setups are *MUCH* more secure.
Ok, so at the end of the day FCGI was quite a bit different than the FastCGI writeups, plus I wanted to maintain my current selinux posture (no shell scripts executed by daemons, since most shellcode tries to execute, um, shells).
Interestingly enough, the city-fan.org repo maintainer is the author of the fcgi SRPM you linked. Turns out, he provides not only RPMS for rhel5, but also a selinux policy for it. Respekt 2 city-fan!
http://www.city-fan.org/ftp/contrib/yum-repo/
For the benefit of the archives, here is the quick rundown of what I did, following mostly the docs at http://fastcgi.coremail.cn/doc.htm:
-1. rm /var/log/audit/audit.log
0. /etc/init.d/auditd restart
1. yum install mod_fcgid-selinux
2. setenforce 0 (to make adapting my custom policy easier, since there are always mods to this stuff)
3. mkdir /var/www/cgi-bin/vhostuser1
4. cp /usr/bin/php-cgi /var/www/cgi-bin/vhostuser1
5. chown -R vhostuser1:vhostuser1 /var/www/cgi-bin/vhostuser1
6. chmod 755 /var/www/cgi-bin/vhostuser1
7. Add "SuexecUserGroup vhostuser1 vhostuser1" to vhost1's VirtualHost block
8. Add this block right after the vhost directive:

    <Directory /data/web/vhostuser1/virtual.host.one>
        AddHandler fcgid-script .php
        FCGIWrapper /var/www/cgi-bin/vhostuser1/php-cgi .php
        Options +ExecCGI
        allow from all
    </Directory>

9. semodule -b /usr/share/selinux/targeted/enableaudit.pp
10. /etc/init.d/httpd reload
11. Browse php scripts, database connects, etc
12. audit2allow -M my_fcgi < /var/log/audit/audit.log
13. installed that module with the on-screen instructions audit2allow prints (see RHEL5 selinux section for more details).
14. semodule -b /usr/share/selinux/targeted/base.pp

Steps 9 and 14 are required because some selinux messages are superfluous and are marked dontaudit, but in my case a couple of these messages were actually required permissions for this setup.
Note also this is only a from-memory sketch of what I did. You are advised to read the documentation for fcgi, and perhaps some other howtos linked from this thread as well. In particular, I found these useful, though the FCGI apache config syntax is different than FastCGI:
http://ckdake.com/projects/documentation/php_security
http://www.seaoffire.net/fcgi-faq.html
Note that I did not bother with their shell script wrapper, because I feel the environment variables they set were irrelevant, given that I use selinux and fcgi auto-adapts to load. Also, running shell-scripts from daemons is a no-go with selinux (unless you want to remove a good deal of the benefit selinux provides).
I guess this is the way to go if you don't want to implement some kind of virtual machines (vps/xen/vmware).
Now that is a secure option, though not light-weight of course.
Hrmm.. Not necessarily. Last I checked the Xen people were still in the process of hardening their kernel APIs to prevent vm guest breakout. I don't think the process was completed for 3.0, but I could be wrong..
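An added example, not part of the original message: a way to review what was collected in permissive mode (steps 11 to 13 above) before installing the audit2allow-generated module. It groups AVC denials into allow-rule syntax and flags any rule that would let a daemon domain execute a shell, which the message says it wants to keep blocked. The log lines are constructed, and treating `shell_exec_t` with the listed permissions as the "runs a shell" signal is an assumption of this sketch.

```python
import re
from collections import defaultdict

# Constructed audit.log lines for illustration; not taken from the original post.
SAMPLE_LOG = """\
type=AVC msg=audit(1190000001.101:11): avc:  denied  { execute } for  pid=2101 comm="suexec" name="php-cgi" dev=dm-0 ino=4411 scontext=system_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1190000001.102:12): avc:  denied  { getattr } for  pid=2101 comm="suexec" path="/var/www/cgi-bin/vhostuser1/php-cgi" dev=dm-0 ino=4411 scontext=system_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1190000001.102:12): arch=c000003e syscall=4 success=no exit=-13 comm="suexec"
type=AVC msg=audit(1190000002.200:13): avc:  denied  { execute } for  pid=2150 comm="php-cgi" name="bash" dev=dm-0 ino=9001 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1190000003.300:14): avc:  denied  { name_connect } for  pid=2150 comm="php-cgi" dest=3306 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

# Assumption: granting these on shell_exec_t lets the daemon domain run a shell.
SHELL_PERMS = {"execute", "execute_no_trans", "entrypoint"}

def se_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group AVC denials by (source type, target type, class)."""
    rules = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if m:
            entry = rules[(se_type(m["s"]), se_type(m["t"]), m["cls"])]
            entry["perms"].update(m["perms"].split())
            entry["comms"].add(m["comm"])
    return dict(rules)

def review(rules):
    """Return (allow_rule, needs_review) pairs, sorted, one per grouped denial."""
    out = []
    for (src, tgt, cls), e in sorted(rules.items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(e['perms']))} }};"
        out.append((rule, tgt == "shell_exec_t" and bool(e["perms"] & SHELL_PERMS)))
    return out

if __name__ == "__main__":
    for rule, flagged in review(summarize(SAMPLE_LOG)):
        print(("REVIEW  " if flagged else "ok      ") + rule)
```

Flagged rules are the ones to strip from the generated `.te` file, or to trace back to the script that triggered them, before the module is loaded.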