open_basedir

Hello,

We do include the code for that, but have it commented out by default. If you want to use it, just run the following:
Code:
cd /usr/local/directadmin/data/templates
cp virtual_host*.conf custom
cd custom
perl -pi -e 's/#php_admin_value open_basedir/php_admin_value open_basedir/' virtual_host*.conf
echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue
John
 
Yes, user1 will be jailed to user2, but that also means user1 shouldn't be able to read any of his own files because he's jailed outside of his home. I don't see a problem. I just confirmed this on my own system.

The guy on WHT might have put the open_basedir restriction at the directory level, not the virtualhost level like we do. If you put the restriction inside the <Directory> directive, then it's only applicable there. We've put it right under the <VirtualHost> directive, so it will affect everything globally accessed via domain.com.

John
 
What's the consensus?

Does everyone think this is a good idea?

Or a bad one?

Why?

Jeff
 
Take a look at my virtual_host.conf

Code:
|?DOCROOT=`HOME`/domains/`DOMAIN`/public_html|
|?CGI=+ExecCGI +Includes||?PHP_SAFE_MODE=ON|
<Directory |HOME|>
	Options +Indexes |CGI|
	<IfModule mod_php4.c>
		php_admin_flag engine |PHP|
		php_admin_flag safe_mode |PHP_SAFE_MODE|
		php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f|USER|"
		php_admin_value session.save_path |HOME|/tmp
	</IfModule>
</Directory>

<VirtualHost |IP|:80> 
|CUSTOM|
	ServerName www.|DOMAIN|
	ServerAlias www.|DOMAIN| |DOMAIN|
	ServerAdmin |ADMIN|
	DocumentRoot |DOCROOT|

	User |USER|
	Group |GROUP|
	CustomLog /var/log/httpd/domains/|DOMAIN|.bytes bytes
	CustomLog /var/log/httpd/domains/|DOMAIN|.log combined
	ErrorLog /var/log/httpd/domains/|DOMAIN|.error.log

	<Directory |DOCROOT|>
		AllowOverride All
		Options +Indexes |CGI|
		<IfModule mod_php4.c>
			php_admin_flag engine |PHP|
			php_admin_flag safe_mode |PHP_SAFE_MODE|
		</IfModule>
	</Directory>
|HANDLERS|
|MIMETYPES|

</VirtualHost>

If a user accesses his site via http://serverip/~username/, then the directives defined in his <VirtualHost> HAVE NO EFFECT.
To cover that we included the <Directory |HOME|> section in the virtual_host.conf template (outside the <VirtualHost> section). Directives inside this section will also affect the appropriate VirtualHosts (so we don't even need to override sendmail_path in every VirtualHost of every user's domain/subdomain).

But that issue is only one step to make your system more secure. By default DA comes with very weak PHP-related configurations, so one user can access other users' files in several ways.

That's a very important question, I think, so let's discuss it.
Just a few minutes - I'll try to write below a small article about PHP security...
 
you're not safe with php_opendir anyway!

Oh. That's an old thread :) Hope someone still cares about security... ;)

DirectAdmin Support, unfortunately, open_basedir is not a jail - that's not enough to cover PHP security problems.

So. What I know about PHP security.
If you are using mod_php and want to prevent users from accessing each other's PHP scripts and files, you have 3 ways:

1. Use the mod_become Apache module or a similar Apache patch (with Apache children running under root). Some believe it's harmless, some believe it's dangerous. It's simple and effective, but I'm still afraid to use that solution.

2. Use open_basedir AND disable ALL exec-related PHP functions.
If you don't disable these functions, a user is able to exec their own binary or CGI, and that process will be able to access any files readable by the 'apache' user (the PHP files of any user, for example).

3. Use safe_mode and define safe_exec_dir.
I think this way is the most secure and flexible. Users can't access files owned by other users via PHP. And you can put some binaries in safe_exec_dir if you are sure they're safe (such programs must not operate on any files that the user may specify).

Besides that, in cases 2 and 3 you also need to disable the FollowSymLinks option in Apache (substitute it with SymLinksIfOwnerMatch). If you don't do that, any user will be able to read files readable by 'apache' again (not always, but in many situations). Maybe it applies to way 1 too (if mod_become doesn't make it possible to use 600 permissions on PHP files) - I'm not sure.

And additionally, don't forget - compile PHP with the bundled MySQL library or disable "LOAD DATA LOCAL" in MySQL.

But after all of that you still need to think twice when you are going to add any additional module to PHP: if the functions of that module deal with files _directly_, it can break your security, because safe_mode or open_basedir restrictions will not work for those functions.

BTW, a few days ago I implemented a small patch to the safe mode checks in PHP - and now with the safe_mode_gid option it causes much less pain to users and still remains very safe =)

That's all. (Hope I haven't missed anything... ;)
Any additions, suggestions, solutions and advice are welcome :)
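The three measures listed above (open_basedir on every virtual host, the exec family disabled, FollowSymLinks replaced by SymLinksIfOwnerMatch) can be checked mechanically across a generated httpd.conf rather than by eye. The audit below is an added example, not code from this thread or from DirectAdmin: the configuration it scans is constructed here, the host names and home paths are placeholders, and the exec-family list is the set of process-spawning PHP functions a practitioner would normally put in disable_functions (exec, shell_exec, system, passthru, popen, proc_open, pcntl_exec). It also flags open_basedir entries without a trailing slash, since PHP of this era matched such entries as string prefixes.

```python
import re

# Process-spawning functions that open_basedir cannot restrict: a child process
# runs as the web server user and is not subject to PHP's path checks.
EXEC_FUNCTIONS = {
    "exec", "shell_exec", "system", "passthru",
    "popen", "proc_open", "pcntl_exec",
}

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)


def _directive_value(body, directive):
    """Return the value of `php_admin_value <directive> ...` inside a vhost body."""
    m = re.search(r"php_admin_value\s+%s\s+(.+)" % re.escape(directive), body)
    return m.group(1).strip().strip("'\"") if m else None


def audit_vhost(body):
    """Return the list of findings for one <VirtualHost> body."""
    findings = []

    basedir = _directive_value(body, "open_basedir")
    if basedir is None:
        findings.append("no open_basedir directive")
    else:
        # An entry without a trailing slash was a prefix match on old PHP,
        # so /home/alice would also cover /home/alice2.
        for entry in filter(None, basedir.split(":")):
            if not entry.endswith("/"):
                findings.append("open_basedir entry without trailing slash: " + entry)

    disabled = set()
    value = _directive_value(body, "disable_functions")
    if value:
        disabled = {f.strip() for f in value.split(",")}
    still_on = sorted(EXEC_FUNCTIONS - disabled)
    if still_on:
        findings.append("exec-family functions still enabled: " + ",".join(still_on))

    # Apache serves symlinked files itself; PHP's open_basedir does not see that.
    for options in re.findall(r"^\s*Options\s+(.+)$", body, re.M):
        if any(tok.lstrip("+") == "FollowSymLinks" for tok in options.split()):
            findings.append("FollowSymLinks set; use SymLinksIfOwnerMatch instead")
    return findings


def audit_config(text):
    """Map each ServerName to its findings, one entry per <VirtualHost> block."""
    report = {}
    for m in VHOST_RE.finditer(text):
        body = m.group(1)
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M)
        report[name.group(1) if name else "<unnamed>"] = audit_vhost(body)
    return report


# Constructed sample: one weak and one hardened virtual host (placeholder names).
SAMPLE_CONFIG = """
<VirtualHost 192.0.2.10:80>
    ServerName www.weak.example
    DocumentRoot /home/alice/domains/weak.example/public_html
    <Directory /home/alice/domains/weak.example/public_html>
        Options +Indexes FollowSymLinks
        php_admin_flag engine On
    </Directory>
    php_admin_value open_basedir /home/alice:/tmp/
</VirtualHost>

<VirtualHost 192.0.2.10:80>
    ServerName www.hardened.example
    DocumentRoot /home/bob/domains/hardened.example/public_html
    <Directory /home/bob/domains/hardened.example/public_html>
        Options +Includes -Indexes SymLinksIfOwnerMatch
        php_admin_flag engine On
    </Directory>
    php_admin_value open_basedir /home/bob/:/tmp/
    php_admin_value disable_functions "exec,shell_exec,system,passthru,popen,proc_open,pcntl_exec"
</VirtualHost>
"""

if __name__ == "__main__":
    for host, findings in audit_config(SAMPLE_CONFIG).items():
        print(host, "->", findings or "OK")
```

Run it against the real generated file with `audit_config(open("/etc/httpd/conf/httpd.conf").read())` (path is whatever your DA build writes). A clean report does not make the server secure on its own; it only confirms the layers discussed in this thread are present on every host, which is the part that silently regresses when a template is edited.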
 
hi clayrabbit, I agree the DA PHP config is insecure. Could you explain how you applied the basedir setting outside the virtual config? Did you add it to the main httpd.conf?
 
Found something, is it an option?

I agree with clayrabbit. I've been looking into this the past few days, and can't get the environment secure.

basedir is one thing, but exec, shell_exec etc. ignore this setting. Disabling these features will break (some) scripts. Safe_mode isn't really a nice option.

I found this maybe someone has experience with this? http://kyberdigi.cz/projects/execdir/english.html

The idea looks good, although the hacking in the source concerns me.

Found some more info here: http://www.webhostingtalk.com/showthread.php?threadid=372093&highlight=disable_functions

I know it isn't a problem of DA, but somehow it involves us all, so there is a common interest :).

Redeye
 
Hello
So is DA really insecure even using open_basedir?

Should I do something more?

Thx
Sky
 
it's not up to DA

It's not that DA is insecure. In my opinion DA is secure, BUT......

When you set up a web environment with DA (also without), by default it will not be a secure webserver implementation. There are several ways to bypass security for customers on a shared server environment. What I learned is that it is not a DA issue, but most panels suffer from this.

I find it very hard to secure everything so that there is a good balance between security and functionality.

I think you can create a secure server, but you have to make some sacrifices in functionality that your customers probably won't like.
 
If your question is 'if I enable open_basedir will I be secure', the answer is no. You will be more secure, yes, but not immune; it just adds a layer of security. You should be adding various layers so it takes longer to peel them away. No server is 100% secure.
 
Ok, thx for your replies.

I don't like php safe_mode because it is hard for beginners (I find).
 
ClayRabbit said:
If a user accesses his site via http://serverip/~username/, then the directives defined in his <VirtualHost> HAVE NO EFFECT.
To cover that we included the <Directory |HOME|> section in the virtual_host.conf template (outside the <VirtualHost> section). Directives inside this section will also affect the appropriate VirtualHosts (so we don't even need to override sendmail_path in every VirtualHost of every user's domain/subdomain).

But that issue is only one step to make your system more secure. By default DA comes with very weak PHP-related configurations, so one user can access other users' files in several ways.

That's a very important question, I think, so let's discuss it.
Just a few minutes - I'll try to write below a small article about PHP security...

Can you help me fix my conf :(

Code:
|?DOCROOT=`HOME`/domains/`DOMAIN`/public_html|
<VirtualHost |IP|:80>
|CUSTOM|
|?CGI=ScriptAlias /cgi-bin/ `DOCROOT`/cgi-bin/|
        ServerName www.|DOMAIN|
        ServerAlias www.|DOMAIN| |DOMAIN| |SERVER_ALIASES|
        ServerAdmin |ADMIN|
        DocumentRoot |DOCROOT|
        |CGI|

        |USECANONICALNAME|

        SuexecUserGroup |USER| |GROUP|
        CustomLog /var/log/httpd/domains/|DOMAIN|.bytes bytes
        CustomLog /var/log/httpd/domains/|DOMAIN|.log combined
        ErrorLog /var/log/httpd/domains/|DOMAIN|.error.log

        <Directory |DOCROOT|>
                Options +Includes -Indexes
                php_admin_flag engine |PHP|
                php_admin_flag safe_mode |SAFE_MODE|
                php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f |USER|@|DOMAIN|'
        </Directory>
|HANDLERS|
|MIMETYPES|

        php_admin_value open_basedir |HOME|/:/tmp/:/var/www/:/usr/local/lib/php/:/etc/virtual/

</VirtualHost>
<VirtualHost |IP|:80>
  ServerName webmail.|DOMAIN|
  ServerAdmin |ADMIN|
  DocumentRoot /var/www/html/squirrelmail
  CustomLog /var/log/httpd/domains/|DOMAIN|.bytes bytes
  CustomLog /var/log/httpd/domains/|DOMAIN|.log combined
  ErrorLog /var/log/httpd/domains/|DOMAIN|.error.log
</VirtualHost>
 
hi

With the command file_get_contents in PHP

the guys can see all files on the server.

I have activated open_basedir in httpd.conf:

php_admin_value open_basedir /home/onesusername:/tmp/:/var/www/:/usr/local/lib/php/:/etc/virtual/

How can I protect it??

Why isn't it working with open_basedir in httpd.conf??

open_basedir not working yet..
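To reason about questions like the one above, it helps to see what the open_basedir check actually does: PHP resolves the requested path (so symlinks are followed) and compares it with each resolved entry of the colon-separated list. The Python model below is an added example, not code from this thread, from PHP or from DirectAdmin. It builds a constructed home-directory tree under a temporary directory (user1, user10, user2 are placeholders) and shows two points: an entry with a trailing slash such as `|HOME|/` names a directory, while an entry without one (as in `/home/onesusername` above) was a plain string prefix on PHP before 5.2.16 / 5.3.4 and so also covered neighbouring homes that share the prefix; and the check works on the resolved path, so a symlink from one home into another is rejected by PHP even though Apache's own FollowSymLinks handling is a separate control, which is why the thread pairs open_basedir with SymLinksIfOwnerMatch and disable_functions.

```python
import os
import shutil
import tempfile


def check_open_basedir(path, open_basedir, legacy_prefix=False):
    """Model PHP's open_basedir test for one file path.

    `path` is resolved with realpath (symlinks followed) and compared with each
    resolved entry of the colon-separated `open_basedir` string.  With
    legacy_prefix=True an entry without a trailing slash is treated as a plain
    string prefix, as PHP did before 5.2.16 / 5.3.4; otherwise an entry names a
    directory and only that directory and what is below it match.
    """
    resolved = os.path.realpath(path)
    for entry in filter(None, open_basedir.split(":")):
        base = os.path.realpath(entry)  # realpath drops any trailing slash
        if legacy_prefix and not entry.endswith("/"):
            if resolved.startswith(base):
                return True
            continue
        if resolved == base or resolved.startswith(base.rstrip("/") + "/"):
            return True
    return False


def build_demo_tree():
    """Create a constructed /home layout in a temp dir, with a symlink from
    user1's web root pointing at a file in user2's home (sample data only)."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="open_basedir_demo_"))
    for sub in ("home/user1/public_html", "home/user10", "home/user2"):
        os.makedirs(os.path.join(root, sub))
    other = os.path.join(root, "home/user2/config.php")
    with open(other, "w") as f:
        f.write("<?php // constructed sample, not a real configuration\n")
    os.symlink(other, os.path.join(root, "home/user1/public_html/peek.php"))
    return root


def run_demo():
    """Evaluate the check for several paths; returns a name -> allowed mapping."""
    root = build_demo_tree()
    try:
        no_slash = f"{root}/home/user1:{root}/tmp/"
        with_slash = f"{root}/home/user1/:{root}/tmp/"
        own = os.path.join(root, "home/user1/public_html/index.php")
        other = os.path.join(root, "home/user2/config.php")
        sibling = os.path.join(root, "home/user10/index.php")
        link = os.path.join(root, "home/user1/public_html/peek.php")
        return {
            # user1's own file under a directory-style entry: allowed
            "own_file": check_open_basedir(own, with_slash),
            # user2's file: denied
            "other_users_file": check_open_basedir(other, with_slash),
            # symlink inside user1's root resolving into user2's home: denied
            "symlink_into_other_home": check_open_basedir(link, with_slash),
            # old prefix semantics: /home/user1 also matches /home/user10
            "sibling_home_legacy_prefix": check_open_basedir(sibling, no_slash, legacy_prefix=True),
            # directory semantics: /home/user10 is not below /home/user1
            "sibling_home_directory_rule": check_open_basedir(sibling, no_slash),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Two things the model makes visible for the question above: a single global `open_basedir` in httpd.conf gives every virtual host the same list, so it must be set per `<VirtualHost>` (or `<Directory |HOME|>`) with that user's own home, and each entry should end in a slash. The model covers only PHP's own file functions; a process started through exec-family functions is not subject to it at all.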
 