How to jail php?

Dark

Verified User
Joined
Sep 15, 2008
Messages
35
Hello,
For security purposes i need to put PHP in jail, so users could see only
/home/username

Because some users use webshell (such us r57shell) to download different websites on my hosting.
 
I'm not sure how well the openbasedir directive will work to jail shells written in php; you may want to give it a try since you can turn it on or off easily enough from the admin control panel.

If you're using custombuild and php installed as CGI, then your users will be able to cd into directories, and even read the contents of the /home directories of other users, but only if they know what they're looking for; by default other users' directory contents won't be visible. However this will NOT keep your users out of viewing other directories and files, for example in /etc.

Jeff
 
Disable dangerous PHP functions or chroot PHP with suPHP and webshells won't work :)
 
Disable dangerous PHP functions or chroot PHP with suPHP and webshells won't work :)

But with suPHP .htaccess in not readable :(

OpenBaseDIR is ON
I tried to turn it OFF, but webshells still can view /etc/; /usr/ and other dirs.

On my friend's server is installed cPanel, and webshells don't work there..
How it is posible?
 
What do you mean its not readable. I use suphp and .htaccess works fine?
 
After installing suphp i get "Internal Server Error 500", if public_html contains .htaccess file. If I delete htaccess - everything works.
 
What error do you see in the apache error log?
 
Here is one of the websites: http://cats-bengal.com/
Apache Error Log:
Code:
Sat Dec 13 00:52:23 2008] [alert] [client 86.100.101.70] /home/bengals/domains/cats-bengal.com/public_html/.htaccess: Invalid command 'php_value', perhaps misspelled or defined by a module not included in the server configuration
 
So it is reading .htaccess. You just have an invalid command in it.
 
Here is my htaccess:
Code:
AddDefaultCharset windows-1251
php_value display_errors 1 
php_value error_reporting 2037
php_flag allow_url_fopen ON
 
Last edited:
suPHP is not for me.
Its to hard to make all websites work as usual.
Some of them drop "Internal Server Error" or "Forbidden"...
I removed it.
Is there any other solutions?
 
I'm writing a deep technical guide for Apache2/FastCGI/APC, using suexec through FastCGI to spawn php-cgi processes instead of suPHP.
The guide will be finished shortly and I'll publish it on this forum too.

Just to be clear on the topic, running PHP as the user is very important but won't stop anyone from running r57shell or any other webshell script.
The only way to prevent that is by forbidding any function that can potentially launch a process, by putting this line on all php.ini:
Code:
disable_functions = "apache_get_modules, apache_get_version, apache_getenv, apache_note, apache_setenv, disk_free_space, diskfreespace, dl, highlight_file, ini_alter, ini_restore, openlog, passthru, phpinfo, proc_nice, shell_exec, show_source, symlink, system, exec, fsockopen, popen, proc_open"
You will notice also many functions that can be used to do reconnaissance.
Those functions are usually not used by any "good" script, and can breach your security in many ways.
By good scripts I mean scripts that are not evil/dangerous, but also scripts that are well written. If you have some trustful software that wants to use them, ask its developers to find an alternative: there often is.
 
Thanks.
I disabled those functions.
Could you give me a link to your guide, when you'll finish it?
 
Back
Top