[Cerb-list] Securing Apache+PHP with cerb.

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
Some background first:
i'm running hosting services to customers basing on Apache and PHP.
I've notice problem with securing php scripts from reading by others 
customers.
directory layout is something like this: (in brackes are owners)
/home/dynwww (root)
/home/dynwww/s (root)
/home/dynwww/s/si (root) 
/home/dynwww/s/si/site.domain.pl (siteuser).

Apache is running as user www.

My first attemtp was to get owner of cdir and compare it to owner of opening 
file:

#v+
	if ((syscall == SYS_open && (ruid == GET_UID("www"))) ) {
#v- 

it was ok since i've changed dir to /etc for example.
cdir owner become root, and i was able to read root files ( as long as permissions
allowed that).
after all i've catch SYS_chdir and wrote policy for it so www can change
directory to only some locations (like /tmp).
It looks like everything was ok, but wasn't. 
Apache was serving many files as one process so i've to changed

#v+
	MaxRequestPerChild 1.
#v-

It's passed firsts tests but i've some problems with session handling, and 
user-writed files.

Does anyone tried to deal with this kind of problem ? 
All comments, sugestions, cules are welcome.
I'll try to rewrite whole rules after Your sugestions.

It didn't attach my rules because code with in is brainfucking, and i think my
approach is still wrong.

- -- 
	Pawel Rutkowski			Centauri RSC
	+48 22 853 0 444		http://www.rsc.pl

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+v5JgaDcb2WrrB7QRAuKEAJ91V0KKvGiRlEtL2N8mLOlOS1nPAACfXY/d
c32gQqKW95+8ZjBE+mwDNlY=
=ezQ4
-----END PGP SIGNATURE-----