[CentOS] Apache User Isolation/Perchild, or PHP "chroot"?

Fri May 4 02:39:57 UTC 2007
Dan Mensom <mensomman at yahoo.com>

--- Scott Lamb <slamb at slamb.org> wrote:

> [ Hilariously simple exploit ]
> 
> There is no way to distinguish between mod_ruid calling setuid() and
> mod_php (which runs in the same process) doing so.

Hahahaha. Very nice.

> The proxied Apache or FastCGI setups are *MUCH* more secure.

Ok, so at the end of the day FCGI was quite a bit different than the
FastCGI writeups, plus I wanted to maintain my current selinux posture (no
shell scripts executed by daemons, since most shellcode tries to execute,
um, shells).

Interestingly enough, the city-fan.org repo maintainer is the author of
the fcgi SRPM you linked. Turns out, he provides not only RPMS for rhel5,
but also a selinux policy for it. Respekt 2 city-fan!

http://www.city-fan.org/ftp/contrib/yum-repo/

For the benefit of the archives, here is the quick rundown of what I did,
following mostly the docs at http://fastcgi.coremail.cn/doc.htm:

-1. rm /var/log/audit/audit.log
0. /etc/init.d/auditd restart
1. yum install mod_fcgid-selinux
2. setenforce 0 (to make adapting my custom policy easier, since there are
always mods to this stuff)
3. mkdir /var/www/cgi-bin/vhostuser1
4. cp /usr/bin/php-cgi /var/www/cgi-bin/vhostuser1
5. chown -R vhostuser1:vhostuser1 /var/www/cgi-bin/vhostuser1
6. chmod 755 /var/www/cgi-bin/vhostuser1
7. Add "SuexecUserGroup vhostuser1 vhostuser1" to vhost1's VirtualHost
block
8. Add this block right after the vhost directive:
<Directory /data/web/vhostuser1/virtual.host.one>
AddHandler fcgid-script .php
FCGIWrapper /var/www/cgi-bin/vhostuser1/php-cgi .php
Options +ExecCGI
allow from all
</Directory>
9. semodule -b /usr/share/selinux/targeted/enableaudit.pp
10. /etc/init.d/httpd reload
11. Browse php scripts, database connects, etc
12. audit2allow -M my_fcgi < /var/log/audit/audit.log
13. Install that module with the on-screen instructions audit2allow prints
(see the RHEL5 selinux section for more details).
14. semodule -b /usr/share/selinux/targeted/base.pp

Steps 9 and 14 are required because some selinux messages are treated as
superfluous and marked dontaudit, but in my case a couple of these messages
were actually required permissions for this setup.

Note also this is only a from-memory sketch of what I did. You are advised
to read the documentation for fcgi, and perhaps some other howtos linked
from this thread as well. In particular, I found these useful, though the
FCGI apache config syntax is different than FastCGI:

http://ckdake.com/projects/documentation/php_security
http://www.seaoffire.net/fcgi-faq.html

Note that I did not bother with their shell script wrapper, because I feel
the environment variables they set were irrelevant, given that I use
selinux and fcgi auto-adapts to load. Also, running shell-scripts from
daemons is a no-go with selinux (unless you want to remove a good deal of
the benefit selinux provides).

> > I guess this is the way to go if you don't want to implement some
> > kind of virtual machines (vps/xen/vmware).
>
> Now that is a secure option, though not light-weight of course.

Hrmm.. Not necessarily. Last I checked the Xen people were still in the
process of hardening their kernel APIs to prevent vm guest breakout. I
don't think the process was completed for 3.0, but I could be wrong..


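Following the whole post, as an added example that is not part of the original message nor of the mod_fcgid or city-fan packaging: a POSIX shell script that carries out steps 3 through 8 of the procedure above for one vhost user and then checks the resulting wrapper directory for the properties suexec requires (existence, no group/world write bit, ownership by the target user) before httpd is reloaded. The PREFIX parameter, the function names and the use of GNU stat are assumptions made for this example; the user, group, docroot and directive names are the ones from the post. The yum, semodule and httpd steps are deliberately left to the operator.

```shell
#!/bin/sh
# Added example, not from the original post or the mod_fcgid project.
# Reproduces steps 3-8 above for one vhost user and adds the permission
# checks suexec applies anyway, so a misconfiguration shows up before
# httpd is reloaded.  Assumptions: PREFIX lets the wrapper tree be rooted
# somewhere other than / (pass "" on a real host); user/group names and
# docroot follow the post; GNU stat is available (CentOS/RHEL).
set -eu

# make_fcgi_wrapper USER GROUP PREFIX PHP_CGI
# Steps 3-6: private wrapper directory with its own php-cgi copy,
# owned by USER:GROUP, mode 0755.  chown only runs as root and only if
# the account exists, so the function can be exercised unprivileged.
# Prints the wrapper directory path.
make_fcgi_wrapper() {
    user=$1; group=$2; prefix=$3; php_cgi=$4
    dir="$prefix/var/www/cgi-bin/$user"
    mkdir -p "$dir"
    cp "$php_cgi" "$dir/php-cgi"
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown -R "$user:$group" "$dir"
    else
        echo "note: not root or no such user $user; chown skipped" >&2
    fi
    chmod 755 "$dir" "$dir/php-cgi"
    printf '%s\n' "$dir"
}

# check_fcgi_wrapper DIR USER
# Verifies what suexec insists on before it will exec the wrapper: the
# directory and binary exist, neither is group- or world-writable (a
# writable wrapper dir would let any other local account swap in its own
# php-cgi), and, when run as root with an existing account, both are
# owned by USER.  Returns 0 when every check passes, 1 on first failure.
check_fcgi_wrapper() {
    dir=$1; user=$2
    [ -d "$dir" ] || { echo "missing directory $dir" >&2; return 1; }
    [ -x "$dir/php-cgi" ] || { echo "missing or non-executable $dir/php-cgi" >&2; return 1; }
    for p in "$dir" "$dir/php-cgi"; do
        mode=$(stat -c '%a' "$p")
        # Last two octal digits are group and other; 2, 3, 6, 7 carry the write bit.
        case "$mode" in
            *[2367]?|*[2367])
                echo "$p is group- or world-writable (mode $mode)" >&2
                return 1 ;;
        esac
        # Ownership is only meaningful where the chown above could have run.
        if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
            owner=$(stat -c '%U' "$p")
            [ "$owner" = "$user" ] || { echo "$p owned by $owner, not $user" >&2; return 1; }
        fi
    done
    return 0
}

# emit_vhost_config USER GROUP DOCROOT WRAPPER_DIR
# Steps 7-8: the SuexecUserGroup line and the <Directory> block to place
# inside this user's VirtualHost.
emit_vhost_config() {
    user=$1; group=$2; docroot=$3; dir=$4
    cat <<EOF
SuexecUserGroup $user $group
<Directory $docroot>
    AddHandler fcgid-script .php
    FCGIWrapper $dir/php-cgi .php
    Options +ExecCGI
    allow from all
</Directory>
EOF
}

# Usage on a real host (as root):
#   d=$(make_fcgi_wrapper vhostuser1 vhostuser1 "" /usr/bin/php-cgi)
#   check_fcgi_wrapper "$d" vhostuser1 && \
#     emit_vhost_config vhostuser1 vhostuser1 /data/web/vhostuser1/virtual.host.one "$d"
```

Running check_fcgi_wrapper against each wrapper directory from cron is a cheap way to notice when someone later loosens the mode with a careless chmod, which is the kind of drift that turns per-user isolation back into shared write access.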