  1. #1

    Secure PHP resellers

    As far as I know, most accounts sold today come with a PHP security flaw (anybody on the same server can view any PHP file, including config files with database passwords).

    Are there any hosting companies with a reseller option who have solved this problem and offer accounts with improved PHP security?
    All generalizations are false, including this one.

  2. #2
    Join Date: Jul 2002 | Posts: 541
    Really? I thought the latest PHP updates solved that. 4.2.2, wasn't it?

    -WC-

  3. #3
    Join Date: Sep 2002 | Location: Buckinghamshire, UK | Posts: 342
    As far as I know, the only two ways to solve this problem are to either use PHP as a CGI binary with Apache and suEXEC, or use a virtual dedicated server...

    Apache 2 is set to have options which allow each request to setuid/setgid to any user specified in the config files, but I don't think this is supported yet.
    hosting53.com - the hosting solutions company

  4. #4
    Originally posted by WildCard
    Really? I thought the latest PHP updates solved that. 4.2.2, wasn't it?

    -WC-
    How does it solve it? PHP is executed as nobody, so it has access to all files with the same rights on that server. Even if you run it in safe mode, other users can access your files via SSH.
    All generalizations are false, including this one.

  5. #5
    If the permissions are correct, you'll get something like this:

    [email protected] [/home/user/www]# cat file.txt
    this is the file content
    [email protected] [/home/user/www]# su otheruser
    bash-2.05$ cat file.txt
    cat: file.txt: Permission denied
    bash-2.05$
    Note: I replaced the actual usernames with 'user' and 'otheruser'. Just a matter of setting the right permissions in /home, really. If you use PHP as a CGI binary, I wouldn't recommend it.
    Marc Wyss - [email protected]
    MCHost Inc - Experts in Private Label Reseller Plans
    http://www.mchost.com

  6. #6
    Join Date: Jan 2002 | Location: UK | Posts: 144

    Re: Secure PHP resellers

    Originally posted by sergio
    As far as I know, most accounts sold today come with a PHP security flaw (anybody on the same server can view any PHP file, including config files with database passwords).

    Are there any hosting companies with a reseller option who have solved this problem and offer accounts with improved PHP security?
    Voxtreme - http://www.voxtreme.com offer a service which works in such a way that you cannot access other people's PHP files.

  7. #7
    Originally posted by Kiwi
    If the permissions are correct, you'll get something like this:

    Note: I replaced the actual usernames with 'user' and 'otheruser'. Just a matter of setting the right permissions in /home, really. If you use PHP as a CGI binary, I wouldn't recommend it.
    Does it mean that at mchost this kind of security problem with PHP is solved?
    All generalizations are false, including this one.

  8. #8
    It works on my mchost account. I would not go with any hosting provider that allows others to access my passwords.

  9. #9
    Originally posted by xirus
    It works on my mchost account. I would not go with any hosting provider that allows others to access my passwords.
    But does PHP at mchost run in safe mode? Because files can also be accessed from PHP itself.
    All generalizations are false, including this one.

  10. #10
    Join Date: Sep 2002 | Location: Buckinghamshire, UK | Posts: 342
    OK, note to everybody... and someone, please correct me if I'm wrong.

    But Apache will run under a user and group (usually www/www)....

    Now, PHP scripts under mod_php will run as whatever user Apache runs under (in this case www).

    In order for Apache to read and execute the PHP files, it (www/www) must have permission to access the file.

    So everybody's PHP files will have to be readable by www.

    So whether you can directly access someone's file using a file manager or SSH is irrelevant; you could still write a script that reads everybody else's scripts when run. This is because your script will be run under the Apache user, so it will have access to everybody's scripts.

    The only way to avoid this with Apache 1 is to use PHP as a CGI binary and compile Apache with suEXEC.

    Again, if someone can tell me why I'm wrong please do, I'd be very interested.
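    The following is an added example, not code from the post above or from any host in the thread. It audits a tenant's web root the way Stuart's argument implies: on a mod_php host the web server user (www/nobody in the thread) owns none of the tenant's files, so it reads them through the "other" permission bits, and every file that "other" may read is readable by every other tenant's script. The directory layout is constructed for the demo, and the www user name is taken from the post; the script assumes only a POSIX shell and POSIX find(1).

```shell
#!/bin/sh
# Added example (not from the thread): audit which files under a web root the
# web server user, and therefore every tenant's mod_php script, can read.
# Only the file permission bits are checked; an ancestor directory that denies
# search to "other" would hide everything below it, but on a mod_php host the
# web root must be searchable by www for the site to be served at all.

# Regular files below $1 that "other" may read (mode bit 004 set).
# Each of these is readable by any tenant's PHP script on a mod_php host.
other_readable_files() {
    find "$1" -type f -perm -004 | sort
}

# Regular files below $1 that "other" may NOT read.  Note that mod_php
# itself (running as www) cannot read these either, so they cannot be served.
other_unreadable_files() {
    find "$1" -type f ! -perm -004 | sort
}

# Number of other-readable files below $1, for scripting and tests.
count_other_readable() {
    other_readable_files "$1" | wc -l | tr -d ' '
}

# Constructed demo tree (not from the thread): a typical tenant web root with
# one world-readable config file and one protected with chmod 600.
make_demo_tree() {
    root="$1"
    mkdir -p "$root/www/includes"
    printf '<?php $db_pass = "readable";\n'  > "$root/www/config.php"
    printf '<?php $db_pass = "protected";\n' > "$root/www/includes/db.php"
    printf 'hello\n'                         > "$root/www/index.php"
    chmod 644 "$root/www/config.php" "$root/www/index.php"
    chmod 600 "$root/www/includes/db.php"
}

# Stand-alone run: ./audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_demo_tree "$tmp"
    echo "Readable by www (and so by every tenant's script):"
    other_readable_files "$tmp"
    echo "Not readable by other (mod_php cannot serve these either):"
    other_unreadable_files "$tmp"
    rm -rf "$tmp"
fi
```

    The second list is the catch: under mod_php there is no mode that both lets Apache read a config file and keeps it from other tenants, which is why the rest of the thread turns to running PHP as the tenant's own user.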

  11. #11
    Join Date: Nov 2000 | Location: localhost | Posts: 3,510
    There is no fix as yet, apart from Apache 2 and CGI mode.
    These hosts that use open_basedir and safe_mode etc. are doing something completely pointless. You just have to write a Perl script with .pl (that uses mod_perl) and then you've got around it.
    MattF - Since the start..

  12. #12
    Join Date: Nov 2000 | Location: Dundee, UK | Posts: 1,366
    What if mod_perl isn't enabled on the server?

  13. #13
    Join Date: Jun 2002 | Location: TO, Ontario, Canada | Posts: 372
    I'd like to know if having safe mode enabled, without mod_perl and SSH enabled, would fix it?

    Anyone found a viable workaround? Would turning safe mode on and using Apache with suEXEC fix the issue?

  14. #14
    Join Date: May 2002 | Location: San Francisco Peninsula | Posts: 22
    On many servers, including my own, you can run PHP scripts in CGI mode even without having a separate CGI installation of PHP. Since my server runs suEXEC, this allows you to chmod 700 to keep your script secure. Just include #!/usr/bin/php at the top of the script, and do any of the following:
    place it in cgi-bin, OR use a .cgi extension, OR include an .htaccess file with AddHandler cgi-script .php.
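    As an added example (not YoHost's own script or configuration), here is the .htaccess variant of the recipe above turned into a small shell helper: it prepends the #!/usr/bin/php interpreter line from the post, sets the script to mode 700, and writes the .htaccess that hands *.php to Apache's CGI handler. It assumes the PHP CGI binary lives at /usr/bin/php as in the post, that the vhost honours .htaccess for Options and handlers, and that suEXEC is enabled; the sample script content is constructed for the demo. Options +ExecCGI is added because AddHandler cgi-script only takes effect outside cgi-bin when ExecCGI is allowed for the directory.

```shell
#!/bin/sh
# Added example (not from the thread): prepare a PHP script to run through
# Apache's CGI handler under suEXEC, so it executes as the file owner and can
# be chmod 700 instead of being readable by the shared www user.

# PHP CGI binary named in the post; adjust if the host installs it elsewhere.
PHP_CGI=/usr/bin/php

# Prepend the interpreter line if it is not already the first line, then set
# mode 700.  suEXEC refuses scripts writable by group or other, and 700 also
# hides the source from every other tenant on the box.  Safe to re-run.
make_cgi_php() {
    script="$1"
    if [ "$(head -n 1 "$script")" != "#!$PHP_CGI" ]; then
        tmp="$script.tmp.$$"
        { printf '#!%s\n' "$PHP_CGI"; cat "$script"; } > "$tmp"
        mv "$tmp" "$script"
    fi
    chmod 700 "$script"
}

# Write an .htaccess in $1 that routes *.php through the CGI handler.
# ExecCGI must be permitted for AddHandler cgi-script to work outside cgi-bin.
write_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
Options +ExecCGI
AddHandler cgi-script .php
EOF
}

# Symbolic mode string of a file (portable: ls -l rather than GNU/BSD stat).
file_mode() {
    ls -l "$1" | cut -c1-10
}

# Stand-alone run: ./cgi-php.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf '<?php echo "hello from CGI mode";\n' > "$d/index.php"   # constructed
    make_cgi_php "$d/index.php"
    write_htaccess "$d"
    echo "mode:  $(file_mode "$d/index.php")"
    echo "first: $(head -n 1 "$d/index.php")"
    cat "$d/.htaccess"
    rm -rf "$d"
fi
```

    Two things the post leaves implicit: suEXEC also requires the script and its directory to be owned by the tenant and not writable by anyone else, and it only runs uids above its compiled-in minimum; and CGI mode forks a PHP process per request, so it buys the isolation at a performance cost relative to mod_php.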

  15. #15
    So executing PHP as CGI with suEXEC is the only solution?
    All generalizations are false, including this one.

  16. #16
    Join Date: Apr 2001 | Location: Palm Beach, FL | Posts: 1,095
    Originally posted by YoHost
    On many servers, including my own, you can run PHP scripts in CGI mode even without having a separate CGI installation of PHP.
    How can you run PHP as a CGI without a PHP binary (which means you need the 'CGI installation of PHP', or compiling PHP without the apxs option)?
    Alex Llera
    Professional Server Management
    FreeBSD|Linux|HSphere|Cpanel|Plesk

  17. #17
    Join Date: Nov 2000 | Location: Dundee, UK | Posts: 1,366
    The user should be able to just use /usr/bin/php; if they know what they are doing, they can compile their own PHP in their directory.

  18. #18
    Join Date: Apr 2001 | Location: Palm Beach, FL | Posts: 1,095
    Originally posted by SplashHost.com
    The user should be able to just use /usr/bin/php; if they know what they are doing, they can compile their own PHP in their directory.
    PHP doesn't compile by default with a PHP binary (/usr/bin/php). You have to compile without the apxs option. Some control panels may install a PHP binary on their own, but that doesn't mean it's part of a default install of the Apache module.

    And yes, they can install their own php binary if they know what they're doing. Couple that with suexec and you're golden.
    Alex Llera
    Professional Server Management
    FreeBSD|Linux|HSphere|Cpanel|Plesk
