- 08-06-2004 #1 Just Joined! (Join Date: Jul 2003; Location: TEXAS; Posts: 19)
Jailing php and cronjobs
This may not be exactly a newbie question but I don't consider myself an expert and I believe there must be a simple answer someone has come across, so I'll shoot.
I'm running a server and I've managed to get FTP and shell access jailed (chrooted) to its home directory. This for the most part will stop snoopers.
We're doing this since we run a third-party server that loads plugins that are proprietary to our service. These plugins are loaded from a plugin.conf in each user's directory. The basic gist of what a plugin.conf file is like:
/home/shared/plug-bin/plugin.so
This plugin is a plugin we want to keep proprietary to our host for competition purposes and for the most part we've jailed every way to get to it (FTP, SSH).
But... we've noticed someone could easily use a cronjob (we need to have cronjob for our services and users add cronjobs using cpanel) to execute a command to cp the sensitive file (plugin.so) to their home directory and then grab it off with FTP.
We've also noticed someone could do something on their website with php to the effect of
<?php system('cp /home/shared/plug-bin/plugin.so /home/theiraccount/'); ?>
and then download it through ftp again there as well.
Is there a way we could jail (chroot) PHP and cronjobs to the users home directory? Is this possible?
I'm really concerned about jailing (chrooting) PHP because that's exactly how one of our attackers gained access to our sensitive file, using system(); in PHP.
Would there be a section in the php.ini file to disable stuff like that? What about with cronjobs?
I'd be greatly appreciative to anyone who can help me sort this out as we don't want our security compromised anymore like this.
- 08-06-2004 #2
A better solution to this is probably to change the permissions of your files. Make it so group 'web' (or whatever group you used with apache) cannot access anything but the www folder. (This should solve the php problem.) Basically, create an administrative group and change permissions on every folder (since the /home directory): read = admin/root only, write = admin/root only and execute = all. Then the plugins can be used, but not copied or changed by anyone who doesn't have a user that is part of the administrative group.
- 08-06-2004 #3 Linux Guru (Join Date: Apr 2003; Location: London, UK; Posts: 3,284)
See this thread over on WHT about what PHP functions to disable.
http://www.webhostingtalk.com/showth...hreadid=277411
Disabling functions is done by setting "disable_functions" in your php.ini
- 08-06-2004 #4 Just Joined! (Join Date: Jul 2003; Location: TEXAS; Posts: 19)
Thank you! Both of your information was very helpful!
Apache/PHP is now pretty secured following your advice.
Now... is there any way to jail cronjobs that are created through CPANEL, or cronjobs in particular?
By the way, I _love_ what you've done to the site. Last time I visited/posted here was in 2003.
I remember back in 'the day' it didn't have a "portal" on the homepage, it was strictly forums. Of what I remember when it was 'strictly forums' was a logo of a penguin with a mallet/hammer behind its back ready to hit something. The good ol' days!
Love the changes since then! Great info on the homepage for users just getting interested in Linux.
- 08-07-2004 #5 Just Joined! (Join Date: Jul 2003; Location: TEXAS; Posts: 19)
I've disabled sensitive commands using the following line in php.ini:
disable_functions = sytem, exec, shell_exec, passthru, popen, proc_open, proc_close
That way people can't do sensitive commands. However, it appears it works anyways...
<?php
echo getcwd();
system("cp -f /path/to/sensitive/info/file.txt /home/perpetrator/file.txt");
?>
Think I'm doing something wrong?
- 08-07-2004 #6 Linux Guru (Join Date: Apr 2003; Location: London, UK; Posts: 3,284)
Did you restart Apache after changing your php.ini? I *think* the way it works is when the Apache child process is created it loads the PHP module and it is at this point your php.ini is parsed. Restarting Apache causes the child processes to be killed and hence your updated php.ini re-read.
For the chroot cron job thing...
I don't know how the cpanel works, but I would guess you are looking at a programming hack to change the command that the user enters to be prefixed with "chroot <rootdir> ..." (man chroot). As far as I'm aware there is no "5 minute fix" for this.
Jason
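An added example, not part of any post in this thread: a shell check of the `disable_functions` line in a php.ini. PHP silently ignores names in that list that it does not recognize, so a misspelled entry leaves the real function callable. The `REQUIRED` and `KNOWN` lists and the sample file are constructed assumptions, not an exhaustive set.

```shell
#!/bin/sh
# Added example: audit the disable_functions line of a php.ini.
# REQUIRED and KNOWN are constructed starting lists, not exhaustive ones.

# Command-execution functions that should appear in disable_functions.
REQUIRED="system exec shell_exec passthru popen proc_open pcntl_exec"
# Other real function names an admin may list; anything else is flagged.
KNOWN="$REQUIRED proc_close proc_terminate proc_get_status proc_nice dl"

# Print the entries of the last active (uncommented) disable_functions
# line, one lower-cased name per line. Quotes and ';' comments are dropped.
disabled_list() {
    grep -i '^[[:space:]]*disable_functions[[:space:]]*=' "$1" | tail -n 1 |
        sed -e 's/^[^=]*=//' -e 's/;.*$//' -e 's/"//g' |
        tr ',' '\n' | tr -d ' \t\r' | tr '[:upper:]' '[:lower:]' |
        sed '/^$/d'
}

# Print one finding per line:
#   MISSING <name>       a required function is not disabled
#   UNRECOGNIZED <name>  entry matches no known function name (likely a typo)
audit_disable_functions() {
    list=$(disabled_list "$1")
    for fn in $REQUIRED; do
        printf '%s\n' "$list" | grep -qxF "$fn" || echo "MISSING $fn"
    done
    for entry in $list; do
        case " $KNOWN " in
            *" $entry "*) ;;
            *) echo "UNRECOGNIZED $entry" ;;
        esac
    done
}

# Constructed sample: the disable_functions line exactly as posted in #5.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
printf '%s\n' '; constructed php.ini fragment' \
    'disable_functions = sytem, exec, shell_exec, passthru, popen, proc_open, proc_close' \
    > "$sample"
audit_disable_functions "$sample"
```

Call it as `audit_disable_functions /path/to/php.ini`; no output means every required name is listed and every entry is recognized. The running Apache children only pick up a corrected line after the restart described in post #6.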


