Thread: How to jail php?

  1. #1
    Join Date
    Sep 2008
    Posts
    35

    How to jail php?

    Hello,
    For security purposes I need to put PHP in a jail, so users can see only
    /home/username

    Because some users use a webshell (such as r57shell) to download different websites on my hosting.

  2. #2
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,119
    I'm not sure how well the open_basedir directive will work to jail shells written in PHP; you may want to give it a try since you can turn it on or off easily enough from the admin control panel.

    If you're using custombuild and php installed as CGI, then your users will be able to cd into directories, and even read the contents of the /home directories of other users, but only if they know what they're looking for; by default other users' directory contents won't be visible. However this will NOT keep your users out of viewing other directories and files, for example in /etc.

    Jeff
    +1 951 643-5345
    Third-Party DirectAdmin administration and support
    Dedicated Servers, Dedicated Reseller Accounts
    NoBaloney Internet Services div. Qnito Incorporated
    848 North Rainbow Blvd., Suite #3789
    Las Vegas, NV 89107-1103

  3. #3
    Join Date
    Aug 2006
    Location
    LT, EU
    Posts
    8,184
    Disable dangerous PHP functions or chroot PHP with suPHP and webshells won't work
    Martynas Bendorius
    MC2. Official DirectAdmin, CloudLinux, LiteSpeed and Comodo partners.

  4. #4
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,119
    I never thought of that.


  5. #5
    Join Date
    Sep 2008
    Posts
    35
    Quote Originally Posted by smtalk:
        Disable dangerous PHP functions or chroot PHP with suPHP and webshells won't work
    But with suPHP .htaccess is not readable.

    open_basedir is ON.
    I tried to turn it OFF, but webshells can still view /etc/, /usr/ and other dirs.

    cPanel is installed on my friend's server, and webshells don't work there.
    How is it possible?

  6. #6
    Join Date
    Aug 2008
    Posts
    4,695
    What do you mean it's not readable? I use suPHP and .htaccess works fine.

  7. #7
    Join Date
    Sep 2008
    Posts
    35
    After installing suPHP I get "Internal Server Error 500" if public_html contains a .htaccess file. If I delete .htaccess, everything works.

  8. #8
    Join Date
    Aug 2008
    Posts
    4,695
    What error do you see in the apache error log?

  9. #9
    Join Date
    Sep 2008
    Posts
    35
    Here is one of the websites: http://cats-bengal.com/
    Apache Error Log:
    Code:
    Sat Dec 13 00:52:23 2008] [alert] [client 86.100.101.70] /home/bengals/domains/cats-bengal.com/public_html/.htaccess: Invalid command 'php_value', perhaps misspelled or defined by a module not included in the server configuration

  10. #10
    Join Date
    Mar 2005
    Posts
    5,283
    So it is reading .htaccess. You just have an invalid command in it.
    Floyd Morrissette Little Creek Hosting
    Web Hosting Solutions. Virtual Private Servers
    DirectAdmin Administration and Support
    Our focus is on quality customer support

  11. #11
    Join Date
    Sep 2008
    Posts
    35
    But how do I enable php_value in .htaccess with suPHP?

  12. #12
    Join Date
    Mar 2005
    Posts
    5,283
    Post the line from .htaccess so we can see it.

  13. #13
    Join Date
    Sep 2008
    Posts
    35
    Here is my htaccess:
    Code:
    AddDefaultCharset windows-1251
    php_value display_errors 1
    php_value error_reporting 2037
    php_flag allow_url_fopen ON
    Last edited by Dark; 12-12-2008 at 03:33 PM.
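    Why those three lines fail under suPHP, and where they go instead, as an added example rather than anything posted in the thread: php_value and php_flag are mod_php directives, so once PHP runs as a CGI binary Apache no longer recognises them, which is the "Invalid command 'php_value'" in the error log quoted above. With suPHP the same settings go into a per-account php.ini, and the account's virtual host points suPHP at the directory holding it with the suPHP_ConfigPath directive (for example suPHP_ConfigPath /home/username/php). The paths and the username below are assumptions, and the open_basedir lines go beyond the three .htaccess directives to show the per-account confinement the thread is after.

```ini
; Added example, not taken from the thread: per-account php.ini that suPHP/php-cgi
; loads in place of the php_value/php_flag lines from the user's .htaccess.
; Assumed location: /home/username/php/php.ini, selected with
;   suPHP_ConfigPath /home/username/php
; in that account's <VirtualHost>.

; Equivalents of the three .htaccess directives from post #13
display_errors = On
error_reporting = 2037
allow_url_fopen = On

; Confine this account's PHP to its own home directory plus a private tmp
; directory, so /etc, /usr and other accounts' homes are not reachable from
; a script (assumed directory layout).
open_basedir = "/home/username:/home/username/tmp"
upload_tmp_dir = "/home/username/tmp"
session.save_path = "/home/username/tmp"
```

    This php.ini must be owned by root and not writable by the account, otherwise the user (or a webshell running as the user) can simply remove open_basedir or any disable_functions line from it. Keep display_errors on only while debugging the migration; error output from a production site leaks file paths to anyone who triggers an error.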

  14. #14
    Join Date
    Sep 2008
    Posts
    35
    suPHP is not for me.
    It's too hard to make all websites work as usual.
    Some of them drop "Internal Server Error" or "Forbidden"...
    I removed it.
    Are there any other solutions?

  15. #15
    Join Date
    Oct 2007
    Location
    Switzerland
    Posts
    862
    I'm writing a deep technical guide for Apache2/FastCGI/APC, using suexec through FastCGI to spawn php-cgi processes instead of suPHP.
    The guide will be finished shortly and I'll publish it on this forum too.

    Just to be clear on the topic, running PHP as the user is very important but won't stop anyone from running r57shell or any other webshell script.
    The only way to prevent that is by forbidding any function that can potentially launch a process, by putting this line on all php.ini:
    Code:
    disable_functions = "apache_get_modules, apache_get_version, apache_getenv, apache_note, apache_setenv, disk_free_space, diskfreespace, dl, highlight_file, ini_alter, ini_restore, openlog, passthru, phpinfo, proc_nice, shell_exec, show_source, symlink, system, exec, fsockopen, popen, proc_open"
    You will also notice many functions that can be used to do reconnaissance.
    Those functions are usually not used by any "good" script, and can breach your security in many ways.
    By good scripts I mean scripts that are not evil/dangerous, but also scripts that are well written. If you have some trustful software that wants to use them, ask its developers to find an alternative: there often is one.
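    An added example, not code from this thread or from DirectAdmin or suPHP, that checks whether the disable_functions line above actually took effect and, picking up the open_basedir discussion earlier in the thread, whether PHP is confined to the account's home. It must be run under the same SAPI that serves the sites (php-cgi for suPHP or FastCGI, or requested through the web server), because the CLI binary can load a different php.ini. The /home/username path and the extra function pcntl_exec are assumptions made here, not part of the list in the post.

```php
<?php
// Added example, not code from this thread, DirectAdmin or suPHP: audit the
// effective PHP configuration against the disable_functions list from post #15
// and check that open_basedir confines PHP to the account's home directory.
// Run it under the SAPI that actually serves the sites (php-cgi for suPHP or
// FastCGI setups, or drop it in a docroot and request it), because the CLI
// binary may load a different php.ini than the web SAPI does.

// Function list from post #15. pcntl_exec is an addition made here (assumption:
// it also starts a process and is not on the original list).
$mustBeDisabled = array(
    'apache_get_modules', 'apache_get_version', 'apache_getenv', 'apache_note',
    'apache_setenv', 'disk_free_space', 'diskfreespace', 'dl', 'highlight_file',
    'ini_alter', 'ini_restore', 'openlog', 'passthru', 'phpinfo', 'proc_nice',
    'shell_exec', 'show_source', 'symlink', 'system', 'exec', 'fsockopen',
    'popen', 'proc_open', 'pcntl_exec',
);

// Placeholder: the home directory of the account whose configuration is under test.
$expectedHome = '/home/username';

// Turn the effective disable_functions value into a lookup table of names.
function configuredDisabledFunctions()
{
    $names = array();
    foreach (explode(',', (string) ini_get('disable_functions')) as $entry) {
        $entry = strtolower(trim($entry));
        if ($entry !== '') {
            $names[$entry] = true;
        }
    }
    return $names;
}

// Classify each wanted function as 'disabled', 'callable' (still usable by any
// script on this server) or 'absent' (not compiled into this build).
// function_exists() already returns false for a disabled function, which is
// why the disable_functions table is consulted first.
function auditDisabledFunctions(array $wanted)
{
    $disabled = configuredDisabledFunctions();
    $report = array('disabled' => array(), 'callable' => array(), 'absent' => array());
    foreach ($wanted as $fn) {
        if (isset($disabled[strtolower($fn)])) {
            $report['disabled'][] = $fn;
        } elseif (function_exists($fn)) {
            $report['callable'][] = $fn;
        } else {
            $report['absent'][] = $fn;
        }
    }
    return $report;
}

// Report the open_basedir setting and whether /etc is still reachable from PHP.
// is_readable() returns false (with a warning, suppressed here) for any path
// that open_basedir excludes, so a true result means the restriction is not
// in effect for this SAPI.
function auditOpenBasedir($expectedHome)
{
    $value = (string) ini_get('open_basedir');
    return array(
        'open_basedir'     => $value,
        'confined_to_home' => $value !== '' && strpos($value, $expectedHome) !== false,
        'etc_reachable'    => @is_readable('/etc'),
    );
}

$functions = auditDisabledFunctions($mustBeDisabled);
$basedir   = auditOpenBasedir($expectedHome);

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
printf("SAPI: %s\n", PHP_SAPI);
printf("Disabled (%d): %s\n", count($functions['disabled']), implode(', ', $functions['disabled']));
printf("Still callable (%d): %s\n", count($functions['callable']), implode(', ', $functions['callable']));
printf("Not in this build (%d): %s\n", count($functions['absent']), implode(', ', $functions['absent']));
printf("open_basedir: %s\n", $basedir['open_basedir'] === '' ? '(not set)' : $basedir['open_basedir']);
printf("/etc reachable from PHP: %s\n", $basedir['etc_reachable'] ? 'yes' : 'no');

// Non-zero exit status when anything on the list is still callable or the
// account is not confined, so the check can run from cron or a deploy script.
$exitCode = (count($functions['callable']) > 0 || !$basedir['confined_to_home']) ? 1 : 0;
exit($exitCode);
```

    The exit status makes the script usable as a scheduled check after every PHP rebuild, since a custombuild-style rebuild can replace php.ini and silently drop the disable_functions line. If the list is kept in a per-account php.ini rather than the global one, that file must not be writable by the account, or the restriction can be undone by the very user it is meant to confine.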

  16. #16
    Join Date
    Sep 2008
    Posts
    35
    Thanks.
    I disabled those functions.
    Could you give me a link to your guide when you finish it?
