regdude Posted January 27, 2009

Hi! I recently got a shell code on my Lighttpd web server that uses many virtual hosts. The PHP shell code was on one of these virtual hosts, but it had access to all other virtual hosts and Linux files. How could I disallow access outside of the folder (like in FTP, where you can't see previous directories)?
trq Posted January 27, 2009

While your description isn't particularly clear, I think you need to set up and configure a chroot jail. Google it, it's not a straightforward task.
regdude Posted January 27, 2009 (Author)

I found that safe-mode does things the way I like with the directory lock. But safe-mode makes some of the functions not work. Is there a specific option for this kind of security?
trq Posted January 27, 2009

Still, your description leaves something to be desired. Maybe you're looking for the open_basedir directive? Again, if you described your problem better we could likely offer more help.
regdude Posted January 27, 2009 (Author)

Well, the problem is that a PHP shell can get to the actual root of the system, which also includes access to all other virtual hosts on this web server. I need to disallow access from one virtual host to another. Safe-mode does this, but that causes problems with the available integrated PHP functions. Can I use open_basedir with virtual hosts? I got this setting wrong and as a result I had a 404 error everywhere. Maybe .htaccess in the root of the virtual host could do the trick?
trq Posted January 27, 2009

You could use something like....

    <Directory "/var/www/vhostname">
        php_value open_basedir "/var/www/vhostname"
    </Directory>

within your virtual host configuration.
regdude Posted January 27, 2009 (Author)

This is lighttpd. Ok, but I ran into a problem anyway, the virtual host syntax differs. This is how it looks in lighttpd:

    $HTTP["host"] == "x" {
        server.document-root = "/var/www/x/htdocs"
        server.errorlog = "/var/log/lighttpd/x/error.log"
        accesslog.filename = "/var/log/lighttpd/x/access.log"
        server.error-handler-404 = "/error.php"
    }

Also, .htaccess with:

    php_value open_basedir "/var/www/music.ngames.lv/htdocs"

doesn't work, the shell still has access outside of the virtual host.
trq Posted January 27, 2009

> This is lighttpd

Sorry, I've not used it.

> Also, .htaccess with:
>
>     php_value open_basedir "/var/www/music.ngames.lv/htdocs"
>
> doesn't work, the shell still has access outside of the virtual host.

That is because it is not valid within a .htaccess file.
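As an added example that is not part of the thread: the directive the posters are after is a per-vhost open_basedir, and two details matter when setting it by hand. First, the value has to be derived from each $HTTP["host"] block's document root; second, PHP treats an entry without a trailing slash as a raw string prefix, so "/var/www/a" would also admit "/var/www/ab.example". The script below parses lighttpd-style vhost blocks (hostnames and paths are constructed samples), builds a safe open_basedir string for each, and models PHP's check so the value can be verified before it is put into that vhost's php.ini (how the ini reaches the vhost's PHP process is assumed to be handled separately).

```python
import os
import re
from typing import Dict

# Constructed sample in the same shape as the config posted in the thread.
LIGHTTPD_CONF = '''
$HTTP["host"] == "a.example" {
    server.document-root = "/var/www/a.example/htdocs"
}
$HTTP["host"] == "ab.example" {
    server.document-root = "/var/www/ab.example/htdocs"
}
'''

VHOST_RE = re.compile(r'\$HTTP\["host"\]\s*==\s*"([^"]+)"\s*\{(.*?)\}', re.S)
DOCROOT_RE = re.compile(r'server\.document-root\s*=\s*"([^"]+)"')


def vhost_docroots(conf: str) -> Dict[str, str]:
    """Map each $HTTP["host"] block to its server.document-root."""
    roots = {}
    for host, body in VHOST_RE.findall(conf):
        m = DOCROOT_RE.search(body)
        if m:
            roots[host] = m.group(1)
    return roots


def open_basedir_for(docroot: str, extra=("/tmp",)) -> str:
    """Docroot plus scratch dirs, each with a trailing slash so PHP's
    prefix match cannot spill into a sibling that shares the name prefix."""
    return ":".join(d.rstrip("/") + "/" for d in (docroot, *extra))


def allowed(path: str, basedir: str) -> bool:
    """Model PHP's open_basedir decision: normalise '..' lexically (PHP
    also resolves symlinks, which these sample paths cannot exercise),
    then apply directory semantics for slash-terminated entries and raw
    string-prefix semantics for the rest, as PHP does."""
    norm = os.path.normpath(path)
    for base in basedir.split(":"):
        if base.endswith("/"):
            b = base.rstrip("/")
            if norm == b or norm.startswith(b + "/"):
                return True
        elif norm.startswith(base):
            return True
    return False
```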
mpiekarski Posted January 29, 2009

Honestly, if you are using PHP on a server, I suggest using suPHP / suExec. And if you want to go really paranoid about it, use it under a chroot jail as mentioned.

suPHP Information:
www.suphp.org/
http://www.markgrenham.com/articles/howto_lighttpd_and_suphp
http://www.itc.virginia.edu/server/web/php/suphp.html
http://howtoforge.com/install-suphp-on-various-linux-distributions-for-use-with-ispconfig-2.2.20-and-above

Chroot Information:
What is a Chroot? http://www.rootprompt.org/article.php3?article=10883
http://www.cyberciti.biz/tips/ultimate-lighttpd-webserver-security.html

If you are anything like me, when researching how to do something, no single how-to or About is going to suffice. That's why I am just linking to several different sites.

Essentially, suPHP forces PHP to run as a particular user and ONLY that user (this can be done per-vhost so ONLY the user owning that vhost can access the PHP files for that site). Added protection would be implementing a chroot jail. Implementing a chroot jail for your web server will isolate the service to a particular location on the filesystem. The service may be able to access files below its spot on the file system but will typically not be able to get above its location. (ex. if you have lighttpd chrooted to /vhosts/mydomain.tld, it will be able to access /vhosts/mydomain.tld/www-data/images but it will not be able to access /vhosts/myotherdomain.tld).