Find the answer to your Linux question:
Results 1 to 6 of 6
This may not be exactly a newbie question but I don't consider myself an expert and I believe there must be a simple answer someone has come accross, so I'll ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Jul 2003
    Location
    TEXAS
    Posts
    19

    Jailing php and cronjobs


    This may not be exactly a newbie question but I don't consider myself an expert and I believe there must be a simple answer someone has come accross, so I'll shoot.

    I'm running a server and I've managed to get FTP and shell access jailed (chrooted) to it's home directory. This for the most part will stop snoopers.

    We're doing this since we run a third-party server that loads plugins that are proprietary to our service. These plugins are loaded from a plugin.conf in each users directory. The basic gist of what a plugin.conf file is like

    /home/shared/plug-bin/plugin.so

    This plugin is a plugin we want to keep proprietary to our host for competition purposes and for the most part we've jailed every way to get to it (FTP , SSH)

    But... we've noticed someone could easily use a cronjob (we need to have cronjob for our services and users add cronjobs using cpanel) to execute a command to cp the sensitive file (plugin.so) to their home directory and then grab it off with FTP

    We've also noticed someone could do something on their website with php to the effect of
    <?php system('cp /home/shared/plug-bin/plugin.so /home/theiraccount/'); ?>

    and then download it through ftp again there as well.

    Is there a way we could jail (chroot) PHP and cronjobs to the users home directory? Is this possible?

    I'm really concerned about jailing (chrooting) PHP because thats exactly how one of our attackers gained access to our sensitive file, using system(); in PHP.

    Would there be a section in the php.ini file to disable stuff like that? What about with cronjobs?

    I'd be greatly appreciative to anyone who can help me sort this out as we don't want our security compromised anymore like this.

  2. #2
    Linux Guru kkubasik's Avatar
    Join Date
    Mar 2004
    Location
    Lat: 39:03:51N Lon: 77:14:37W
    Posts
    2,396
    A better solution to this is probably to change the permissons of your files. Make it so group 'web' (or whatever group you used with apache) cannot access anything but hte www folder. (this should solve the php problem). Basicaly, create an administarive group and change permissons on every folder (sine the /home directory) read=admin/root onyl write==admin/root only and execut==all then the plugins can be used, but not copied or changed by anyone who doest have a user that is part of the administrative group.
    Avoid the Gates of Hell. Use Linux
    A Penny for your Thoughts

    Formerly Known as qub333

  3. #3
    Linux Guru
    Join Date
    Apr 2003
    Location
    London, UK
    Posts
    3,284
    See this thread over on WHT about what PHP functions to disable.

    http://www.webhostingtalk.com/showth...hreadid=277411

    Disabling functions is done by setting "disable_functions" in your php.ini

  4. #4
    Just Joined!
    Join Date
    Jul 2003
    Location
    TEXAS
    Posts
    19
    Thank you! Both of your information was very helpful!

    Apache/PHP is now pretty secured following your advice.

    Now... is there any way to jail cronjobs that are created through CPANEL, or cronjobs in particular?

    By the way, I _love_ what you've done to the site. Last time I visited/posted here was in 2003.

    I remember back in 'the day' it didn't have a "portal" on the homepage, it was strictly forums. Of what I remember when it was 'strictly forums' was a logo of a penguin with a mallot/hammer behind it's back ready to hit something. The good ol' days!

    Love the changes since then! Great info on the homepage for users just getting interested in linux

  5. #5
    Just Joined!
    Join Date
    Jul 2003
    Location
    TEXAS
    Posts
    19
    ve disabled sensitive commands using the following line in php.ini

    disable_functions = sytem, exec, shell_exec, passthru, popen, proc_open, proc_close

    That way people can't do sensitive commands. However, it appears it works anyways...

    <?php
    echo getcwd();
    system("cp -f /path/to/sensitive/info/file.txt /home/perpetrator/file.txt");
    ?>

    Think I'm doing something wrong?

  6. #6
    Linux Guru
    Join Date
    Apr 2003
    Location
    London, UK
    Posts
    3,284
    did you restart apache after changing your php.ini? I *think* the way it works is when the apache child process is created it loads the php module and it is at this point your php.ini is parsed. Restarting apache causes the child processes to be killed and hence your updated php.ini re-read.

    For the chroot cron job thing...
    I dont know how the cpanel works, but i would guess your are looking at a programming hack to change the command that the user enters to be prefixed with "chroot <rootdir> ..." (man chroot). As far as im aware there is no "5 minute fix" for this.

    Jason

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •