
Re: [LUG] Apache security flaw - my website cracked

 

On Wednesday 19 July 2006 20:42, James Fidell wrote:
> Ahh, well, on the systems I look after that do shared hosting and
> mod_php I have also modified Apache somewhat so that all scripts,
> whether PHP, perl or whatever, run as the site-owner, even where they
> are executed within Apache itself (as with mod_php), or using fastcgi or
> suexec, along with a few other "modifications".

suexec is fine - however it's currently impossible to get apache to switch to
the site owner to execute within apache itself (i.e., using mod_php) and then
switch back [1] (although you could just exit the child process, but that's
almost as bad).  this is a limitation of UNIX security design rather than
linux itself.

Apache can launch different threads/processes for different users - but try
that on a large scale.

I did document a kernel modification to switch a process's owner in real time
from a separate process via the kernel while i was at claranet - the only way
it could securely and effectively be done on a large scale.  however, this has a
number of other downsides, and wouldn't "just work".  If you're interested, i
can dig out the notes on the idea (or re-write them if i can't find them) -
although it requires actually implementing still :)

> The machines do still get broken into (allowing anyone to upload any
> code they like to a server that supports php is pretty much begging for
> this, really), but it doesn't create such a mess when it happens.
>
> There's more I could do even now, but the pain of handholding thousands
> of users through the necessary changes hasn't yet been deemed necessary.

i have worked for 3 different companies running from 5k to 200k+ virtual 
hosts, none of them suffering a single security incident in their history - 
so don't worry, it *can* be done :)

methods can also be put in place to make changes not affect end users -
although you will always have a few problems.

it all boils down to the cost of support vs how much you lose in way of
hacked machines + face value of hacked machines.  if you lose no face value
(read: can cover it up) and it doesn't cost too much to fix them in way of
losing customers and administration time, then rules of business dictate
it's not worth spending 10k on fixing the problem ;)

 ~ Theo

1 - Even if you did manage to get it to work, it opens up some far, far more 
dangerous security risks.

-- 
Theo P. Zourzouvillys
http://www.crazygreek.co.uk
theo@xxxxxxxxxxxxxxxx
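The UNIX limitation Theo describes (and footnote [1]) can be shown with the set*uid() calls themselves. This is an added illustration, not code from the thread: on Linux a process may only set its effective uid to its current real, effective or saved uid, so a temporary seteuid() leaves root recoverable to any script running in the child, while a permanent setresuid() drop is one-way and forces the child to exit before serving another user. The uid 1000 is a constructed sample site owner.

```c
#define _GNU_SOURCE          /* for setresuid()/getresuid() on glibc */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Linux rule: set*uid() may pick any of the real, effective or saved uid.
 * Root is therefore recoverable while either the real or saved uid is 0. */
int can_regain_root(uid_t ruid, uid_t euid, uid_t suid)
{
    (void)euid;
    return ruid == 0 || suid == 0;
}

/* "Switch to the site owner and back": only the effective uid changes.
 * Dangerous because anything running in the child can seteuid(0) again. */
int switch_temporarily(uid_t target)
{
    return seteuid(target);
}

/* Permanent drop: all three uids become the target, no way back. Returns 0
 * only if a subsequent attempt to become root really fails. */
int drop_permanently(uid_t target)
{
    if (setresuid(target, target, target) != 0)
        return -1;
    if (setuid(0) == 0)          /* must fail: privileges were not dropped */
        return -1;
    return 0;
}

/* 1 if the calling process could still recover root, 0 if not, -1 on error. */
int process_can_regain_root(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return can_regain_root(r, e, s);
}

int main(void)
{
    uid_t site_owner = 1000;     /* constructed sample uid */
    if (geteuid() != 0) {
        printf("not root; can_regain_root=%d\n", process_can_regain_root());
        return 0;
    }
    if (switch_temporarily(site_owner) == 0)
        printf("after seteuid: can_regain_root=%d (bad)\n", process_can_regain_root());
    seteuid(0);                  /* ...which is exactly the problem */
    if (drop_permanently(site_owner) == 0)
        printf("after setresuid: can_regain_root=%d (one-way)\n", process_can_regain_root());
    return 0;
}
```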

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html