Hello there dear webmasters,
I hope this is the right place to post my question.
I have a question regarding mod_php and virtual hosts.
There is a security problem when you run mod_php on a machine where you have few virtual hosts.
Because of the fact that apache will execute all php commands as the user who runs the apache, all created or generated files will be accessible by all other users on the machine. You won't be able to distinguish who runs what.
The very simple example is:
A client of mine is running a php script which sends emails through sendmail. Because I have mod_php installed, all mail is being delivered as from apache (this is the user who runs the apache and the php block of course). Now if the mail returns, it won't return to the user but to the postmaster.
If I had suexec running on that this mail would have been delivered as the user running the script and all mail problems would have returned to him.
I know that I can switch to cgi-php and to force suexec on all scripts, but this will slow down the performance of the server and probably damage the comfortability of having mod_php (users will have to write php scripts without the ability to embed php into html).
After all, mod_php is a very powerful addition to the server. In today's world, where 80% of all websites require mod_php, removing mod_php is not a good idea.
This question also affects mod_perl.
How do you overcome this problem?
Is there a way to force mod_php to execute as the user defined in the virtual host configuration?
Do you compile mod_php into apache at all?
I would be more than interested to hear your opinion.
I think it is both.
The main issue is the mail of course, but there will be other things like that because the system by default deals with the owner of the process. So now it's mail but later it can be anything else.
I can say that the vulnerability of the php comes to that only the files generated by the php process are vulnerable because they are owned by apache and any other apache process has the permission to modify the file. This issue can be avoided by not writing any programs that generate files on the system with vital information; for example, databases can be used for this purpose.
What I want is something like suexec on cgi. By this I can be sure that each virtual host is running its own scripts with their permissions only and that there are no shared permissions for all users on the system.
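An added example, not part of the original thread: a Python check for the exposure described above, listing per virtual host the files that any other site's PHP code could modify when every script runs as one web server user. The function names, the sample tree and the use of the current user as a stand-in for the apache user are assumptions.

```python
import os
import stat
import tempfile

def audit_vhosts(vhost_roots, web_uid):
    """Map each vhost root to files any vhost's PHP code could modify.

    Under mod_php every script runs as web_uid, so a file is exposed when
    it is owned by web_uid or is world-writable.
    """
    report = {}
    for root in vhost_roots:
        exposed = []
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets, devices
                reasons = []
                if st.st_uid == web_uid:
                    reasons.append("owned-by-web-user")
                if st.st_mode & stat.S_IWOTH:
                    reasons.append("world-writable")
                if reasons:
                    exposed.append((os.path.relpath(path, root), reasons))
        report[root] = sorted(exposed)
    return report

def build_sample_tree(base):
    """Constructed sample: two vhost docroots with a few files each."""
    roots = []
    for vhost, files in {"site-a": {"index.php": 0o644, "cache/session.dat": 0o600},
                         "site-b": {"upload/data.txt": 0o666}}.items():
        root = os.path.join(base, vhost)
        for rel, mode in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        roots.append(root)
    return roots

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        # Assumption: the current user stands in for the apache user here.
        for root, exposed in audit_vhosts(build_sample_tree(base), os.getuid()).items():
            print(os.path.basename(root), exposed)
```

On a real server, pass the vhost document roots and the numeric uid of the account apache runs as.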
There is a lot of discussion about security and other mod_php, mod_perl related problems in the Technical and Security Issues forum. I haven't seen this problem discussed before, though. You might find the solution over there.
Of course, you can always specify the From email address if that is what you want.
OK, I know that the simplest thing that I can do is tell them to use the From field.
But what about a generic solution for mod_php? Can it be run in a safe environment? The best environment is the user's one.
Is there any way to force mod_php to execute php code under the specific user privileges of whoever is calling the function? For example, to look at the file location and then check the virtual host configuration file to see the User field.
The best way is of course suexec, but as far as I know it's impossible.
What do you think about leaving it as it is? I mean leave mod_php running as apache and let all users use it. What are the possibilities for any system abuse? Have you heard about any?
Do you put mod_php on your servers and let virtual users use it?