
Secure Webserver and CGI

PostPosted: Wed Jan 07, 2004 5:03 pm
by crazyhorse
Hello,

I'd like to enhance the security of my multi-user webserver.


Every user has an Apache VirtualHost and a directory in /home/$USERNAME and can place HTML, PHP and CGI scripts there.

The problem: CGI scripts run under the user apache. This way a user can create a CGI-script

#!/usr/bin/perl

print "Content-type: text/plain\n\n";
print `cat /home/$OTHERUSER/secret.file`;


Apache must have access to "secret.file"; perhaps it is a PHP include containing the database password.

I cannot find a solution for this security problem. Can grsecurity help me in this case?

Re: Secure Webserver and CGI

PostPosted: Thu Jan 08, 2004 2:56 am
by Serega
crazyhorse wrote: Hello,

I'd like to enhance the security of my multi-user webserver.


Every user has an Apache VirtualHost and a directory in /home/$USERNAME and can place HTML, PHP and CGI scripts there.

The problem: CGI scripts run under the user apache. This way a user can create a CGI-script

#!/usr/bin/perl

print "Content-type: text/plain\n\n";
print `cat /home/$OTHERUSER/secret.file`;


Apache must have access to "secret.file"; perhaps it is a PHP include containing the database password.

I cannot find a solution for this security problem. Can grsecurity help me in this case?


The easiest way for you is to chroot the entire Apache webserver and use the ExecCGI Apache function for running scripts from different users for each virtualhost. If you also want to run PHP scripts from different users securely, you should compile PHP as CGI and run PHP scripts via ExecCGI too.

PostPosted: Thu Jan 08, 2004 1:35 pm
by axehind
I would think you could have a subject for each user's directory. Something like

subject /home/user1 o
/
/home/user1 rwxcd
/bin rx
/usr rx

Hmmm, I'm not sure if this would work though, as the exec might be /usr/bin/perl program.cgi

axehind

PostPosted: Fri Jan 09, 2004 7:20 pm
by crazyhorse
Thanks for your replies. I think I need the suexec wrapper - damned overhead.
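Added example, not from this thread and not any poster's own setup: the per-vhost Apache configuration crazyhorse starts from, beside the suexec version his last post and Serega's reply point at, which runs each user's CGI and PHP-as-CGI under that user's own uid so another user's script can no longer read the file. The user name user1, the public_html and inc/db.php paths, and the php-wrapper name are assumptions.

```apache
# Assumed layout (not from the thread): each customer's DocumentRoot is
# /home/<user>/public_html and the DB credentials live in inc/db.php there.

# --- Before: what crazyhorse describes -------------------------------------
# mod_cgi runs every user's scripts as the httpd user ("apache"), so db.php
# must be readable by that uid, and any other user's CGI can cat it.
<VirtualHost *:80>
    ServerName user1.example.com
    DocumentRoot /home/user1/public_html
    <Directory /home/user1/public_html>
        Options +ExecCGI
        AddHandler cgi-script .cgi .pl
    </Directory>
</VirtualHost>

# --- After: suexec, one uid per vhost ---------------------------------------
# Needs Apache built with mod_suexec and a suexec binary whose compile-time
# document root covers /home (for example --with-suexec-docroot=/home); suexec
# refuses to run anything outside that tree, not owned by the target user, or
# sitting in a directory writable by group or other.
<VirtualHost *:80>
    ServerName user1.example.com
    DocumentRoot /home/user1/public_html

    # CGI children are setuid/setgid to user1 before the script starts.
    SuexecUserGroup user1 user1

    ScriptAlias /cgi-bin/ /home/user1/public_html/cgi-bin/
    <Directory /home/user1/public_html/cgi-bin>
        Options +ExecCGI
        AddHandler cgi-script .cgi .pl
    </Directory>

    # PHP compiled as CGI (Serega's suggestion): every .php request is handed
    # to a tiny wrapper owned by user1 that execs the php CGI binary.  Because
    # it now runs as user1, /home/user1/public_html/inc/db.php can be
    # chmod 0600 and owned by user1; the apache uid never needs to read it.
    Action php-cgi /cgi-bin/php-wrapper
    AddHandler php-cgi .php
</VirtualHost>
```

The wrapper is a two-line shell script (`#!/bin/sh`, then `exec /usr/bin/php-cgi`) owned by user1 with mode 0755, and `Action` needs mod_actions loaded; when a script returns 500 after the switch, the suexec log records which ownership or permission check it failed.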