  1. #1  Just Joined! | Join Date: Jan 2010 | Location: Sydney, Australia | Posts: 60

    Webserver (Lighttpd), jail additional site only

    G'day Everyone,

    I'm using Lighttpd on Debian Squeeze, serving a couple of different PHP pages accessed via different ports:
    port 80: document root = /var/www/monitor
    port 81: document root = /var/www/management

    The management page allows for configuration changes that are held in a configuration file located at: /var/www/management/config/settings.conf

    There is no chroot for this server; the management page requires information from around the file system (as it evolved over time, it has become a little messy). Originally I didn't consider ever serving anyone else's pages...however, I've been asked if I can serve a page on 8080 and for my own security, I want to add a jail for this site as I will also be providing PHP.

    Short of running an additional jailed webserver, is there a way to stop this site from being allowed to go beyond its configured document root? I would also consider an additional (lightweight) webserver that behaves with Lighttpd bound to 8080 if I have limited options. Is there some sort of server root option that can be used here?

    If I were to start again, I would consider a virtualised host setup and re-arranging the filesystem to suit my current needs...I'd like to avoid this at this time.

    Cheers,

    Brad

  2. #2  Just Joined! | Join Date: Jan 2010 | Location: Sydney, Australia | Posts: 60

    Hi again everyone, I believe I've uncovered part of my answer; I need someone to help me join the dots.
    (Please keep in mind I don't understand this exactly.)

    The php.ini file contains security settings that I believe can perform most of the security functionality I require. There is a setting called open_basedir; I think this has to do with limiting where PHP can access the filesystem...

    Doing this for my whole server however would stop my management and monitor sites from working. I also read that in Lighttpd you can use multiple php.ini's for vhost configurations...is this possible if the vhost module is not loaded?

    Even though this isn't a jail as such, I think it does meet my requirement of locking down PHP so he can't snoop around my filesystem.

    What I'm proposing to do is have a php.ini file for my management and monitor sites and a separate one for his site. His would obviously have the restrictions in it.

    These are the entries I believe should then be in lighttpd.conf (obviously removing the current fastcgi.server setting):
    Code:
    # One php-cgi pool per listening socket, each started with its own php.ini (-c).
    # Every pool must have its OWN unix socket: with a shared "/tmp/php.socket" the
    # three spawns collide, and the 8080 site could end up talking to an unrestricted
    # php-cgi process that was loaded with /var/www/php.ini.
    $SERVER["socket"] == ":80" {
        server.document-root = "/var/www/monitor"
        fastcgi.server = ( ".php" =>
            ((
                "bin-path" => "/usr/bin/php-cgi -c /var/www/php.ini",
                "socket"   => "/tmp/php-monitor.socket",
            ))
        )
    }

    $SERVER["socket"] == ":81" {
        server.document-root = "/var/www/management"
        fastcgi.server = ( ".php" =>
            ((
                "bin-path" => "/usr/bin/php-cgi -c /var/www/php.ini",
                "socket"   => "/tmp/php-management.socket",
            ))
        )
    }

    $SERVER["socket"] == ":8080" {
        server.document-root = "/var/www/restricted/troublesome"
        # This pool is the only one loaded with the restricted php.ini.
        fastcgi.server = ( ".php" =>
            ((
                "bin-path" => "/usr/bin/php-cgi -c /var/www/restricted/php.ini",
                "socket"   => "/tmp/php-restricted.socket",
            ))
        )
    }
    But I also need to know how to configure the restricted php.ini; I had trouble understanding the requirements to lock it down properly...do I need to enable safe mode? What directories do I need to put in open_basedir? If I only put his document-root, will that filter onto subdirectories?

    Does anyone have an example of a locked down php.ini that I can use (even if only as a guide)?

    Thank you in advance for any suggestions you might have.

    Cheers,
    Brad
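As an added example (not posted in the thread), a restricted php.ini for the port-8080 site laid out above, to be loaded via the "-c /var/www/restricted/php.ini" path from the poster's config; the document root comes from the post, while the tmp, sessions and log paths under /var/www/restricted/ are assumed:

```ini
; Restricted php.ini for the port-8080 site (added example, not from the thread).
; Loaded by: /usr/bin/php-cgi -c /var/www/restricted/php.ini
; Only /var/www/restricted/troublesome comes from the post; the other paths are assumed.

; open_basedir is a PREFIX match, not a directory-name match: a bare
; "/var/www/restricted/troublesome" would also admit "/var/www/restricted/troublesome2".
; The trailing slash turns each entry into a directory boundary. Subdirectories of a
; listed directory are always included, so the document root alone covers his whole tree.
; Everything PHP opens (include, fopen, file_get_contents, session files, uploads) must
; sit under one of these prefixes, which is why the tmp and session dirs are listed too.
open_basedir = "/var/www/restricted/troublesome/:/var/www/restricted/tmp/:/var/www/restricted/sessions/"

; Keep uploads and sessions inside the allowed prefixes. The Debian defaults
; (/tmp and /var/lib/php5) fall outside open_basedir and would break both features.
upload_tmp_dir    = "/var/www/restricted/tmp"
session.save_path = "/var/www/restricted/sessions"

; open_basedir only restricts PHP's own file functions; a spawned shell is not covered,
; so remove process execution for this site entirely.
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec"
enable_dl = Off

; No fetching or including code over the network.
allow_url_fopen   = Off
allow_url_include = Off

; safe_mode is deprecated in PHP 5.3 (the version shipped with Debian Squeeze) and
; removed in 5.4, so do not build the lockdown on it; open_basedir is the supported tool.
safe_mode = Off

; Information-leak hygiene: no version banner, errors to a log rather than the browser.
expose_php     = Off
display_errors = Off
log_errors     = On
error_log      = "/var/www/restricted/php_errors.log"
```

open_basedir is enforced inside PHP, not by the kernel: the restricted php-cgi still runs as lighttpd's user, so ordinary file permissions on /var/www/monitor and /var/www/management (and the settings.conf file) remain the second line of defence.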
