Server Fault Asked by bountiful on January 3, 2021
I have a Debian virtual machine server which I have full control over, but I have someone who wants to host a single domain on it. This is obviously a security concern, as even if his particular user cannot read all of the other domain’s files, any script he runs (PHP) on the webserver can. To illustrate:
% ls -l /srv
drwxr-x--x 5 admin admin 4096 Mar 4 13:29 secretsite.com
drwxr-x--x 4 bob bob 4096 Apr 4 12:41 mycoolsite.co.uk
$ su - bob
$ ls /srv/
ls: cannot open directory /srv/: Permission denied
$ ls -R /srv/mycoolsite.co.uk/
/srv/mycoolsite.co.uk:
public
/srv/mycoolsite.co.uk/public:
htdocs
/srv/mycoolsite.co.uk/public/htdocs:
index.php
However:
$ cat /srv/mycoolsite.co.uk/public/htdocs/index.php
<?php
echo shell_exec('whoami');
echo shell_exec('ls /srv');
?>
Which outputs in a browser: www-data secretsite.com mycoolsite.co.uk
… not very desirable.
So I decided to use FastCGI and Suexec to make sure bob’s PHP files were executed as him. I was mostly following the instructions given here, but I already have a mass-hosting Apache configuration all set up.
In sites-enabled I have this configuration file called zz-mass-hosting:
NameVirtualHost my.ip.address:80
<VirtualHost my.ip.address:80>
<Directory "/srv">
AllowOverride all
</Directory>
AddHandler cgi-script .cgi
UseCanonicalName Off
VirtualDocumentRoot /srv/%0/public/htdocs/
VirtualScriptAlias /srv/%0/public/cgi-bin/
SetVirtualDocumentRoot on
</VirtualHost>
Which works great.
So, for setting up this domain, mycoolsite.co.uk, specifically I installed through apt: libapache2-mod-fcgid apache2-suexec-custom php5-cgi
I modified /etc/apache2/suexec/www-data to read /srv, with no second line, and created /etc/apache2/conf.d/php5-fastcgid.conf:
AddType application/x-httpd-php .php
AddHandler php-fcgi .php
Action php-fcgi /fcgi-bin/php5-fcgi
Alias /fcgi-bin/ /home/www-data/
<Location /fcgi-bin/>
SetHandler fcgid-script
Options +ExecCGI
</Location>
/home/www-data/php5-fcgi is:
#!/bin/sh
exec /usr/bin/php5-cgi
with ownership www-data:www-data. I created /home/www-data/bob with ownership bob:bob and copied php5-fcgi there.
I then created zzz-mycoolsite.co.uk in sites-available:
<VirtualHost my.ip.address:80>
ServerAdmin [email protected]
ServerName mycoolsite.co.uk
Alias /fcgi-bin/ /home/www-data/bob/
SuexecUserGroup bob bob
DocumentRoot /srv/mycoolsite.co.uk/public/htdocs/
<Directory /srv/mycoolsite.co.uk/public/htdocs/>
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>
But when I activate this site and go to mycoolsite.co.uk/index.php it still says it is running as www-data. Can anyone see where I am going wrong?
Most probably it's because by default the suexec root from Debian is compiled with /var/www and you are trying to use it at /srv. See also: How to change suexec root directory from "/var/www" to "/home"?
Answered by Vincent on January 3, 2021
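The answer points at one of the checks suexec performs before it will run anything: the command must live under the document root compiled into (or, with apache2-suexec-custom, configured for) the binary. It also checks that the wrapper and its directory are owned by the target user and group, that neither is writable by group or others, and that the wrapper is not setuid/setgid. The script below is an added example, not code from the question or answer, that applies those same rules offline to a wrapper path so a misconfiguration like the one described can be spotted before Apache logs a "command not in docroot" or "directory is writable by others" error. Paths and user names are parameters; the ones used in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example: offline sanity checks that mirror the rules suexec applies to a
# wrapper before executing it. Compare the root you pass in with AP_DOC_ROOT from
# "suexec -V" (or the first line of /etc/apache2/suexec/www-data when using
# apache2-suexec-custom). Requires GNU stat (-c).
#
# Usage: check_suexec_wrapper WRAPPER SUEXEC_ROOT USER GROUP
#   e.g. check_suexec_wrapper /srv/bob/php-fcgi /srv bob bob   (assumed paths)
# Returns 0 when every rule passes, 1 otherwise; each failing rule is printed.
check_suexec_wrapper() {
    wrapper="$1"; root="$2"; user="$3"; group="$4"
    rc=0
    dir=$(dirname "$wrapper")

    # Rule 1: the wrapper must be located beneath the suexec document root.
    case "$wrapper" in
        "$root"/*) ;;
        *) echo "FAIL: $wrapper is outside suexec root $root"; rc=1 ;;
    esac

    [ -f "$wrapper" ] || { echo "FAIL: $wrapper does not exist"; return 1; }

    # Rule 2: wrapper and its directory must be owned by the target user:group.
    for path in "$wrapper" "$dir"; do
        owner=$(stat -c '%U:%G' "$path")
        [ "$owner" = "$user:$group" ] || {
            echo "FAIL: $path owned by $owner, expected $user:$group"; rc=1
        }
    done

    # Rule 3: neither may be writable by group or others (octal 022 = decimal 18).
    for path in "$wrapper" "$dir"; do
        mode=$(printf '%d' "0$(stat -c '%a' "$path")")
        [ $((mode & 18)) -eq 0 ] || {
            echo "FAIL: $path is group- or world-writable"; rc=1
        }
    done

    # Rule 4: the wrapper must not be setuid or setgid (octal 06000 = decimal 3072).
    mode=$(printf '%d' "0$(stat -c '%a' "$wrapper")")
    [ $((mode & 3072)) -eq 0 ] || { echo "FAIL: $wrapper is setuid/setgid"; rc=1; }

    return $rc
}
```

Run it against the wrapper the Alias in the per-site VirtualHost points to, with the root suexec actually enforces; a wrapper that passes every rule but still runs as www-data usually means the request never reached suexec at all, which Apache's suexec log and error log will show.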