From: Przemysław.Orzechowski <prz...@ma...> - 2012-02-29 09:58:14
Hi

It's not directly Webmin related, as I'm using Virtualmin.

My system is a fresh Ubuntu 10.04 with Virtualmin GPL installed via its install script. PHP is set up to run as FCGI with the domain owner, and this works OK; the only problem I have is that PHP scripts can list, for example, the /var/mail folder contents.

Is there a way to chroot PHP so it has access only to the public_html folder and its subfolders? Preferably one that does not require custom modifications, i.e. patching Apache or suexec and compiling them.

Thanks for any suggestions
From: Andrey R. <anr...@fr...> - 2012-02-29 12:50:00
Greetings, Webmin users list!

> It's not directly Webmin related as I'm using Virtualmin
> My system is fresh Ubuntu 10.04 with Virtualmin GPL installed via its
> install script.
> PHP is setup to run as FCGI with domain owner and this works ok
> the only problem I have is that PHP scripts can list for example /var/mail
> folder contents
> Is there a way to chroot PHP so it has access only to public_html folder
> and its subfolders?
> Preferably one that does not require custom modifications ie patching
> Apache or suexec and compiling them.

man apparmor ?

--
WBR,
Andrey Repin (anr...@fr...) 29.02.2012, <16:37>

Sorry for my terrible english...
From: Yehuda K. <ye...@ym...> - 2012-02-29 13:29:34
Sorry for top-posting. I am on a mobile device.

You might want to look at PHP's open_basedir setting, which is built in to PHP and designed to do exactly what you are asking.

- Y

On Wednesday, February 29, 2012, "Przemysław.Orzechowski" wrote:
> Hi
>
> It's not directly Webmin related as I'm using Virtualmin
>
> My system is fresh Ubuntu 10.04 with Virtualmin GPL installed via its
> install script.
> PHP is setup to run as FCGI with domain owner and this works ok
> the only problem I have is that PHP scripts can list for example /var/mail
> folder contents
>
> Is there a way to chroot PHP so it has access only to public_html folder
> and its subfolders?
> Preferably one that does not require custom modifications ie patching
> Apache or suexec and compiling them.
>
> Thanks for any suggestions
>
> ------------------------------------------------------------------------------
> Virtualization & Cloud Management Using Capacity Planning
> Cloud computing makes use of virtualization - but cloud computing
> also focuses on allowing computing to be delivered as a service.
> http://www.accelacomm.com/jaw/sfnl/114/51521223/
> -
> Forwarded by the Webmin mailing list at web...@li...
> To remove yourself from this list, go to
> http://lists.sourceforge.net/lists/listinfo/webadmin-list

--
Sent from a gizmo with a very small keyboard and hyper-active auto-correct.
From: Andrey R. <anr...@fr...> - 2012-02-29 19:35:10
Greetings, Webmin users list!

>> It's not directly Webmin related as I'm using Virtualmin
>>
>> My system is fresh Ubuntu 10.04 with Virtualmin GPL installed via its
>> install script.
>> PHP is setup to run as FCGI with domain owner and this works ok
>> the only problem I have is that PHP scripts can list for example /var/mail
>> folder contents

> You might want to look at PHP's open_basedir setting which is built in to
> PHP and designed to do exactly what you are asking.

This is also possible, although not fully fool-proof.
But I still use this setting to further tweak the interpreter behavior.

--
WBR,
Andrey Repin (anr...@fr...) 29.02.2012, <23:26>

Sorry for my terrible english...
From: Przemysław O. <prz...@ma...> - 2012-02-29 20:04:07
Hi, and thanks for the answers.

Unfortunately the problem still persists. I have tried to create a custom file for the domain in question in /etc/apache2/suexec/ with a custom directory config, but had no success with that.

PHP's open_basedir is a partial solution for me (most of the time it works), but some sites unfortunately require being able to run shell programs :/ Besides this, users in Virtualmin can change local php.ini files, so... I'm searching for as generic a solution as possible for this situation.

AppArmor seems quite good at this when using mod_apparmor in Apache (at least for static content). The problem is I can't figure out a rule for PHP run via the FastCGI wrapper (for some reason it is not restricted by the rules defined in the hat definition for the specific site).

Would appreciate any help with that.

On Wed, 29 Feb 2012 23:28:07 +0400, Andrey Repin <anr...@fr...> wrote:
> Greetings, Webmin users list!
>
>>> It's not directly Webmin related as I'm using Virtualmin
>>>
>>> My system is fresh Ubuntu 10.04 with Virtualmin GPL installed via its
>>> install script.
>>> PHP is setup to run as FCGI with domain owner and this works ok
>>> the only problem I have is that PHP scripts can list for example
>>> /var/mail
>>> folder contents
>
>> You might want to look at PHP's open_basedir setting which is built in to
>> PHP and designed to do exactly what you are asking.
>
> This is also possible, although not fully fool-proof.
> But I still use this setting to further tweak the interpreter behavior.
>
> --
> WBR,
> Andrey Repin (anr...@fr...) 29.02.2012, <23:26>
>
> Sorry for my terrible english...

--
Regards,
Przemysław Orzechowski
Network Administrator
e: prz...@ma...
t: +48 42 683 74 96
MakoLab S.A.
ul. Demokratyczna 46, 93-430 Łódź
www.makolab.pl
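The two caveats raised against open_basedir in this thread (it only confines the interpreter, and the domain owner can edit the per-domain php.ini) make a periodic audit of those files worthwhile. The script below is an added example, not code from the thread or from Virtualmin: it parses php.ini text, takes the last uncommented open_basedir assignment (as PHP does), and flags every entry that resolves outside the domain's home or the shared directories it is told to accept; the domain names, the /home/<domain> layout and the ini contents are constructed assumptions.

```python
"""Audit per-domain php.ini texts for an open_basedir that keeps PHP inside the
domain's home.  Added illustration for the open_basedir discussion above, not
code from the thread or Virtualmin; domains and ini contents are constructed."""
import os

SHARED_OK = ("/tmp/", "/usr/share/php/")   # shared dirs a site may also reach


def parse_open_basedir(ini_text):
    """Return the open_basedir value from php.ini text, or None if unset.
    The last uncommented assignment wins, as it does in PHP."""
    value = None
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()          # ';' starts a comment
        if line.startswith("[") or "=" not in line:   # section header / no k=v
            continue
        key, _, raw = line.partition("=")
        if key.strip() == "open_basedir":
            value = raw.strip().strip('"')
    return value


def audit_domain(home, open_basedir):
    """Return findings for one domain; an empty list means it is confined."""
    if not open_basedir:
        return ["open_basedir unset: scripts can read any world-readable path"]
    allowed = (os.path.normpath(home) + "/",) + SHARED_OK
    findings = []
    for entry in open_basedir.split(":"):
        # normpath removes '..'; the trailing '/' stops /home/ab matching /home/a
        norm = os.path.normpath(entry) + "/"
        if not any(norm.startswith(prefix) for prefix in allowed):
            findings.append("entry %s reaches outside %s" % (entry, home))
    return findings


def audit_all(ini_by_domain):
    """Map domain -> findings, assuming each home is /home/<domain>."""
    return {d: audit_domain("/home/" + d, parse_open_basedir(t))
            for d, t in ini_by_domain.items()}


SAMPLE = {  # constructed php.ini contents, not taken from the thread
    "good.example": 'open_basedir = "/home/good.example:/tmp"\n',
    "loose.example": "; old value\nopen_basedir = /home/loose.example:/var/mail\n",
    "dotdot.example": "open_basedir = /home/dotdot.example/../\n",
    "unset.example": "display_errors = Off\n",
}

if __name__ == "__main__":
    for domain, findings in audit_all(SAMPLE).items():
        print(domain, "OK" if not findings else "; ".join(findings))
```

Because the domain owner can rewrite the file at any time, this is a detective control: it reports when a site has widened its own open_basedir, it does not prevent it.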
From: Andrey R. <anr...@fr...> - 2012-02-29 23:50:09
Greetings, Przemyslaw Orzechowski!

> Beside this users in virtualmin can change local php.ini files so ..
> I'm searching for as much as possible generic solution for this situation
> Apparmor seems quite good at this when using mod_apparmor in apache (at
> least for static content).

What do Apache httpd modules have to do with it, when you said you're using PHP as fcgi?

> The problem is I can't figure out a rule for php run via fastcgi wrapper
> (for some reason it is not restricted by rules defined in hat definition for
> specific site)

Of course it doesn't.
Read http://en.wikipedia.org/wiki/FastCGI at least. It's more informative than technical, but it gives a good overview.

> Would appreciate any help with that.

Would appreciate it if you don't top-post. It makes understanding the conversation a pain.

--
WBR,
Andrey Repin (anr...@fr...) 01.03.2012, <03:37>

Sorry for my terrible english...
From: Przemysław.Orzechowski <prz...@ma...> - 2012-03-01 09:50:10
On Thu, 1 Mar 2012 03:42:38 +0400, Andrey Repin <anr...@fr...> wrote:
> Greetings, Przemyslaw Orzechowski!
>
>> Beside this users in virtualmin can change local php.ini files so ..
>> I'm searching for as much as possible generic solution for this situation
>> Apparmor seems quite good at this when using mod_apparmor in apache (at
>> least for static content).
>
> What Apache httpd modules have to do, when you said you're using PHP as
> fcgi?

Enabled Apache2 modules:
actions, alias, auth_basic, auth_digest, authn_file, authz_default, authz_groupfile, authz_host, authz_user, autoindex, cgi, dav, dav_fs, dav_svn, authz_svn, deflate, dir, env, fcgid, mime, negotiation, proxy, proxy_balancer, proxy_connect, proxy_http, reqtimeout, rewrite, ruby, setenvif, ssl, status, suexec

Other relevant information: in each VirtualHost declaration I have

    SuexecUserGroup "#1234" "#1234"

and inside the <Directory> directive I have

    AddHandler fcgid-script .php
    AddHandler fcgid-script .php5
    FCGIWrapper /home/domainname/fcgi-bin/php5.fcgi .php
    FCGIWrapper /home/domainname/fcgi-bin/php5.fcgi .php5

>> The problem is I can't figure out a rule for php run via fastcgi wrapper
>> (for some reason it is not restricted by rules defined in hat definition
>> for
>> specific site)
>
> Of course it doesn't.
> Read http://en.wikipedia.org/wiki/FastCGI at least. It's more informative
> than
> technical, but it giving a good oversight.
>
>> Would appreciate any help with that.
>
> Would appreciate if you don't top-post. Makes understanding conversation a
> pain.
>
> --
> WBR,
> Andrey Repin (anr...@fr...) 01.03.2012, <03:37>
>
> Sorry for my terrible english...
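With the configuration above, mod_fcgid starts the PHP interpreter as a separate process (through suexec, then the per-domain wrapper), so a mod_apparmor hat, which only changes the confinement of the httpd worker handling the request, never applies to it; what does apply is a profile attached by path to the executable being started, i.e. the wrapper itself. The profile below is an added example, not from the thread or from Virtualmin: the domain name, the interpreter path /usr/bin/php5-cgi, the per-domain php.ini under /home/domainname/etc and the tmp directory are assumptions, and the rule set is a starting point to refine with aa-logprof on the real system.

```apparmor
# Assumed file name: /etc/apparmor.d/home.domainname.fcgi-bin.php5.fcgi
# Attaches by path to the per-domain wrapper, so it covers php5-cgi and any
# program a script spawns from it.  Load with: apparmor_parser -r <this file>
#include <tunables/global>

/home/domainname/fcgi-bin/php5.fcgi {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # The wrapper is a shell script; shell and interpreter inherit this profile (ix).
  /bin/sh            rix,
  /bin/bash          rix,
  /usr/bin/php5-cgi  rix,
  /usr/lib/php5/**   rm,     # extension .so files

  # PHP configuration, system-wide and per-domain (assumed path), read-only.
  /etc/php5/**                  r,
  /home/domainname/etc/php.ini  r,

  # The site: scripts readable, upload/session areas writable, nothing else.
  /home/domainname/public_html/    r,
  /home/domainname/public_html/**  r,
  /home/domainname/tmp/**          rw,
  /tmp/**                          rw,

  # Shell programs a site genuinely needs are listed one per line with "ix"
  # so they stay inside this profile, e.g.:   /usr/bin/some-tool  rix,

  # Anything not listed is already refused; an explicit deny additionally
  # keeps the refused attempt out of the audit log.
  deny /var/mail/** rwklx,
}
```

Each domain gets its own copy of the profile because the wrapper path is per domain, which is what keeps one site from reading another's public_html. If Apache itself runs under a profile, that profile must also permit starting the wrapper (a px rule), otherwise the exec is refused before this profile is reached.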
From: Andrey R. <anr...@fr...> - 2012-03-01 23:20:09
Greetings, "Przemyslaw.Orzechowski"!

>>> Beside this users in virtualmin can change local php.ini files so ..
>>> I'm searching for as much as possible generic solution for this situation
>>> Apparmor seems quite good at this when using mod_apparmor in apache (at
>>> least for static content).
>>
>> What Apache httpd modules have to do, when you said you're using PHP as
>> fcgi?

> Enabled Apache2 modules
> actions, alias, auth_basic, auth_digest, authn_file, authz_default,
> authz_groupfile, authz_host, authz_user, autoindex, cgi, dav, dav_fs,
> dav_svn, authz_svn, deflate, dir, env, fcgid, mime, negotiation, proxy,
> proxy_balancer, proxy_connect, proxy_http, reqtimeout, rewrite, ruby,
> setenvif, ssl, status, suexec

This one?
http://2bits.com/articles/apache-fcgid-acceptable-performance-and-better-resource-utilization.html

Bogus... totally.
Switch to pure PHP fcgi, if you REALLY want performance. You can spawn as many interpreters as you want, and they will not be killed, the memory footprint remains predictable, and execution times stay low.
Or stick with mod_php (either handler or filter - I prefer the Apache2 filter module rather than the legacy handler one), if you are not concerned with performance. Or if you are so concerned that you've already set up a caching frontend, like nginx or varnish.
Or, well, move to pure nginx+php/fcgi.

--
WBR,
Andrey Repin (anr...@fr...) 02.03.2012, <03:10>

Sorry for my terrible english...