How to jail php?

Dark

Verified User
Joined
Sep 15, 2008
Messages
35
Hello,
For security purposes I need to put PHP in a jail, so users can see only
/home/username

Because some users use a webshell (such as r57shell) to download different websites on my hosting.
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
I'm not sure how well the open_basedir directive will work to jail shells written in PHP; you may want to give it a try since you can turn it on or off easily enough from the admin control panel.

If you're using CustomBuild and PHP installed as CGI, then your users will be able to cd into directories, and even read the contents of the /home directories of other users, but only if they know what they're looking for; by default other users' directory contents won't be visible. However, this will NOT keep your users from viewing other directories and files, for example in /etc.

Jeff
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
9,073
Location
LT, EU
Disable dangerous PHP functions or chroot PHP with suPHP and webshells won't work :)
 

Dark

Verified User
Joined
Sep 15, 2008
Messages
35
> Disable dangerous PHP functions or chroot PHP with suPHP and webshells won't work :)

But with suPHP .htaccess is not readable :(

open_basedir is ON.
I tried turning it OFF, but webshells can still view /etc/, /usr/ and other directories.

My friend's server has cPanel installed, and webshells don't work there.
How is that possible?
 

scsi

Verified User
Joined
Aug 19, 2008
Messages
4,695
What do you mean it's not readable? I use suPHP and .htaccess works fine.
 

Dark

Verified User
Joined
Sep 15, 2008
Messages
35
After installing suPHP I get "Internal Server Error 500" if public_html contains a .htaccess file. If I delete the .htaccess, everything works.
 

scsi

Verified User
Joined
Aug 19, 2008
Messages
4,695
What error do you see in the apache error log?
 

Dark

Verified User
Joined
Sep 15, 2008
Messages
35
Here is one of the websites: http://cats-bengal.com/
Apache Error Log:
Code:
[Sat Dec 13 00:52:23 2008] [alert] [client 86.100.101.70] /home/bengals/domains/cats-bengal.com/public_html/.htaccess: Invalid command 'php_value', perhaps misspelled or defined by a module not included in the server configuration
 

floyd

Verified User
Joined
Mar 29, 2005
Messages
5,327
So it is reading .htaccess. You just have an invalid command in it.
 

Dark

Verified User
Joined
Sep 15, 2008
Messages
35
Here is my .htaccess:
Code:
AddDefaultCharset windows-1251
php_value display_errors 1
php_value error_reporting 2037
php_flag allow_url_fopen ON
 

Dark

Verified User
Joined
Sep 15, 2008
Messages
35
suPHP is not for me.
It's too hard to make all websites work as usual.
Some of them drop "Internal Server Error" or "Forbidden"...
I removed it.
Are there any other solutions?
 

tillo

Verified User
Joined
Oct 28, 2007
Messages
862
Location
Switzerland
I'm writing a deep technical guide for Apache2/FastCGI/APC, using suexec through FastCGI to spawn php-cgi processes instead of suPHP.
The guide will be finished shortly and I'll publish it on this forum too.

Just to be clear on the topic, running PHP as the user is very important but won't stop anyone from running r57shell or any other webshell script.
The only way to prevent that is by forbidding any function that can potentially launch a process, by putting this line in every php.ini:
Code:
disable_functions = "apache_get_modules, apache_get_version, apache_getenv, apache_note, apache_setenv, disk_free_space, diskfreespace, dl, highlight_file, ini_alter, ini_restore, openlog, passthru, phpinfo, proc_nice, shell_exec, show_source, symlink, system, exec, fsockopen, popen, proc_open"
You will also notice many functions that can be used to do reconnaissance.
Those functions are usually not used by any "good" script, and can breach your security in many ways.
By good scripts I mean scripts that are not evil/dangerous, but also scripts that are well written. If you have some trusted software that wants to use them, ask its developers to find an alternative: there often is one.
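The following is an added example written for this thread, not code posted by any participant and not part of DirectAdmin or suPHP. It ties together two points made above: the "Invalid command 'php_value'" error (php_value/php_flag lines in .htaccess are only understood by mod_php, so under suPHP/CGI those settings belong in a php.ini instead), and tillo's disable_functions list. The script converts the php_value/php_flag lines of a .htaccess file into php.ini syntax and then reports which of the recommended functions are still enabled in the PHP interpreter that runs it, plus the effective open_basedir. The sample .htaccess content is constructed inline (it is Dark's file from above); the function names and the constant are my own choices.

```php
<?php
// Added example: audit helper for the suPHP/.htaccess problem and the
// disable_functions hardening discussed in this thread. Not from the forum
// posts, DirectAdmin or suPHP. Run it with the same PHP binary that serves
// the sites (e.g. the php-cgi used by suPHP) so ini_get() reflects that config.

// Functions tillo recommends disabling (copied from his post above).
const RECOMMENDED_DISABLED = [
    'apache_get_modules', 'apache_get_version', 'apache_getenv', 'apache_note',
    'apache_setenv', 'disk_free_space', 'diskfreespace', 'dl', 'highlight_file',
    'ini_alter', 'ini_restore', 'openlog', 'passthru', 'phpinfo', 'proc_nice',
    'shell_exec', 'show_source', 'symlink', 'system', 'exec', 'fsockopen',
    'popen', 'proc_open',
];

/**
 * Split a .htaccess file into php.ini lines (from php_value/php_flag) and the
 * remaining Apache directives, which can stay in .htaccess under suPHP/CGI.
 */
function htaccessToIni(string $htaccess): array {
    $ini = [];
    $keep = [];
    foreach (preg_split('/\R/', $htaccess) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        if (preg_match('/^php_(value|flag)\s+(\S+)\s+(.+)$/i', $line, $m)) {
            $value = trim($m[3]);
            if (strcasecmp($m[1], 'flag') === 0) {
                // php_flag takes on/off; php.ini spells booleans as On/Off.
                $value = in_array(strtolower($value), ['on', '1', 'true'], true) ? 'On' : 'Off';
            }
            $ini[] = $m[2] . ' = ' . $value;
        } else {
            $keep[] = $line;
        }
    }
    return ['ini' => $ini, 'htaccess' => $keep];
}

/** Recommended functions that are NOT listed in the given disable_functions value. */
function missingDisabledFunctions(string $disableFunctions): array {
    $disabled = array_filter(array_map('trim', explode(',', strtolower($disableFunctions))));
    return array_values(array_diff(RECOMMENDED_DISABLED, $disabled));
}

// Constructed sample input: the .htaccess Dark posted above.
$sample = <<<HT
AddDefaultCharset windows-1251
php_value display_errors 1
php_value error_reporting 2037
php_flag allow_url_fopen ON
HT;

$converted = htaccessToIni($sample);
echo "Keep in .htaccess:\n  " . implode("\n  ", $converted['htaccess']) . "\n";
echo "Move to php.ini:\n  " . implode("\n  ", $converted['ini']) . "\n\n";

// Check the interpreter running this script against the recommended list.
$missing = missingDisabledFunctions((string) ini_get('disable_functions'));
echo $missing
    ? "Still enabled (add to disable_functions): " . implode(', ', $missing) . "\n"
    : "All recommended functions are disabled.\n";
echo "open_basedir: " . ((string) ini_get('open_basedir') ?: '(not set)') . "\n";
```

For the sample above the script keeps `AddDefaultCharset windows-1251` in .htaccess and emits `display_errors = 1`, `error_reporting = 2037` and `allow_url_fopen = On` for php.ini. Because suPHP runs PHP as CGI, each site can get its own php.ini rather than sharing the server-wide one, which is also where the disable_functions line from tillo's post should go; the second half of the script is a quick way to confirm that the line actually took effect in the binary that serves the pages.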
 

Dark

Verified User
Joined
Sep 15, 2008
Messages
35
Thanks.
I disabled those functions.
Could you give me a link to your guide when you finish it?
 