Secured hosting on a shared server--impossible?

  • Chung Leong

    Secured hosting on a shared server--impossible?

    I'm just throwing this question out here as there hasn't been much
    discussion recently on the topic of shared hosting. Most people, it seems,
    just assume that it's secure. Companies don't sell services that are
    insecure by design, right?

    Those of us who know better know, of course, that that's not the case. Two
    main challenges of sharing a server with other people are hiding your
    database login/password and securing session files. Both of these are
    necessitated by the fact that Apache runs as the same user for all virtual
    hosts. Files that your scripts have access to, those of your server-mates
    can access as well.

    My questions are thus

    (a) Is it possible to host a PHP site securely using a typical (read
    "cheap") web hosting account?

    (b) Is it possible to set up Apache so that virtual sites are protected from
    one another?


    --
    Project Wapache - http://wapache.sourceforge.net


  • nospam@geniegate.com

    #2
    Re: Secured hosting on a shared server--impossible?

    In: <oYOdnUvmY60qTKrfRVn-uA@comcast.com>, "Chung Leong" <chernyshevsky@hotmail.com> wrote:
    >(a) Is it possible to host a PHP site securely using a typical (read
    >"cheap") web hosting account?

    As far as I know... not really.

    You could probably set up some sort of proxy or arrange in one way shape
    or form for each user to have their own private web server, not cheap but
    still slightly cheaper than a VPS.

    There are also setuid scripts and things, so one could run PHP as a CGI
    and manage it that way.
    >(b) Is it possible to set up Apache so that virtual sites are protected from
    >one another?

    I wouldn't be surprised to find out someone some place has figured out how to
    get Apache (or other web server) to spawn a new child each time a request for a
    given virtual host is received. (Perhaps with a cleanup measure) As far as I
    know, there aren't any.

    In theory, I should think it's possible. Still not "cheap" in terms of
    server resources though. Forking a server on each request is not ideal,
    but not quite as bad as CGI might be. (with the copy on write features
    of fork)

    Still not absolutely secure, since people can (and will) do chmod 777
    on stuff.

    Best solution I've seen to date is a virtual private server (VPS) You share a
    physical machine, but you get your own virtual linux box. Kind of like
    running several linux kernels concurrently on a machine. It's not as cheap as
    shared, but it's certainly cheaper than a dedicated machine.

    Couldn't do these kinds of things for $3.95/month, but $20.00/month buys
    you a VPS. Not terrible considering 5-6 years ago, it was $25.00/month for
    a 1/2 decent *shared* server with a fraction of the disk space and no access
    to your config files or cron.

    A VPS still isn't absolutely secure if your ISP has physical access
    to the machine.

    Jamie
    --
    http://www.geniegate.com Custom web programming
    guhzo_42@lnubb.pbz (rot13) User Management Solutions


    • Colin McKinnon

      #3
      Re: Secured hosting on a shared server--impossible?

      Chung Leong wrote:
      >
      > Those of us who know better know, of course, that that's not the case.

      Not by default. But it is possible to isolate each virtual host using
      open_basedir/safe_mode/safe_mode_exec_dir.

      C.


      • Hans van Kranenburg

        #4
        Re: Secured hosting on a shared server--impossible?

        Chung Leong wrote:
        >
        > My questions are thus
        >
        > (a) Is it possible to host a PHP site securely using a typical (read
        > "cheap") web hosting account?

        No.
        > (b) Is it possible to set up Apache so that virtual sites are
        > protected from one another?

        I'm running several webservers with Apache/PHP, and I'm pretty happy
        with my setup. After struggling for months with suexec, I switched to
        the suPHP module (which acts as a wrapper, running php scripts as the
        user who owns the script)

        (using Debian GNU/Linux)

        Put the websites somewhere and make them readable by the owner and by
        Apache, e.g.

        drwxr-x--- site1:www-data /srv/www/www.site1.com
        drwxr-x--- site2:www-data /srv/www/www.site2.com

        Inside put a htdocs-like directory, that's the docroot, and some other
        stuff, only readable by the user, for classes, includes, secret
        passwords etc... that won't be readable even in case Apache gets
        compromised, e.g.

        drwxr-xr-x site1:site1 /srv/www/www.site1.com/htdocs
        drwx------ site1:site1 /srv/www/www.site1.com/secretlib

        suPHP uses the CGI php binary. A great advance is that it's possible to
        specify a php.ini per-vhost, like:

        <VirtualHost 1.2.3.4:80>
            ServerName www.example.com
            DocumentRoot /srv/www/www.example.com/htdocs
            AddHandler x-httpd-php .php
            suPHP_Engine on
            suPHP_ConfigPath /etc/php4/vhosts/example
        </VirtualHost>

        So... setting things like include_path can be done for everyone to
        point e.g. to their own ..../secretlib directory.

        Be sure to switch Engine = off in the php.ini for mod_php and enable it
        only when you want it (phpMyAdmin, squirrelmail etc):

        <VirtualHost 1.2.3.4:8443>
            Blah...

            # PHP with mod_php.
            php_admin_flag engine on

            Alias /webmail /usr/share/squirrelmail
        </VirtualHost>

        When you need a mod_php-like virtualhost with https and a secure vhost
        for your own scripts with https, just run them on different ports (like
        suPHP on 443 and mod_php on 8443) and there won't be any complaints about
        the server name in the SSL certificate.

        Because Apache suexec is still disabled, it's also possible to run
        things like mailman etc... CGI for users can be done with cgiwrap.

        Have fun!
        Hans van Kranenburg

        P.S. (Any comments on this setup?)

        --
        "He who asks a question is a fool for five minutes;
        he who does not ask a question remains a fool forever"

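Added example, not code from Hans's post: a small shell audit of one site against the layout he lays out above, written for a Debian box with GNU coreutils. The htdocs/ and secretlib/ names are taken from his post; the site user and web server group are parameters, and the script also flags anything world-writable under the site, which is the chmod 777 problem Jamie raised earlier in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: audit one site against the layout
# Hans describes. Expected (htdocs/ and secretlib/ come from his post, the
# user and group names are parameters):
#   SITEDIR            0750  SITEUSER:WEBGROUP  (web server may traverse)
#   SITEDIR/htdocs     0755  SITEUSER           (document root, readable)
#   SITEDIR/secretlib  0700  SITEUSER           (classes, passwords: user only)
# and nothing world-writable anywhere below SITEDIR.
# Assumes GNU coreutils stat (Debian, as in the post).

mode_of()  { stat -c '%a' "$1"; }   # octal permission bits, e.g. 750
owner_of() { stat -c '%U' "$1"; }   # owning user name
group_of() { stat -c '%G' "$1"; }   # owning group name

# expect_dir PATH MODE USER [GROUP]: one line per mismatch, returns 1 if any.
expect_dir() {
    path=$1; want_mode=$2; want_user=$3; want_group=$4; bad=0
    if [ ! -d "$path" ]; then
        echo "$path: missing"; return 1
    fi
    [ "$(mode_of "$path")" = "$want_mode" ] \
        || { echo "$path: mode $(mode_of "$path"), expected $want_mode"; bad=1; }
    [ "$(owner_of "$path")" = "$want_user" ] \
        || { echo "$path: owner $(owner_of "$path"), expected $want_user"; bad=1; }
    if [ -n "$want_group" ] && [ "$(group_of "$path")" != "$want_group" ]; then
        echo "$path: group $(group_of "$path"), expected $want_group"; bad=1
    fi
    return $bad
}

# check_vhost_layout SITEDIR SITEUSER WEBGROUP
# Returns 0 when the tree matches, 1 (with one line per finding) otherwise.
check_vhost_layout() {
    site=$1; user=$2; webgroup=$3; rc=0
    expect_dir "$site" 750 "$user" "$webgroup" || rc=1
    expect_dir "$site/htdocs" 755 "$user"      || rc=1
    expect_dir "$site/secretlib" 700 "$user"   || rc=1
    # Jamie's point: one chmod 777 and every other customer's script can
    # write here, whatever the rest of the layout says.
    ww=$(find "$site" -perm -o+w 2>/dev/null)
    if [ -n "$ww" ]; then
        printf '%s\n' "$ww" | sed 's/$/: world-writable/'
        rc=1
    fi
    return $rc
}

# Usage: sh vhost-audit.sh /srv/www/www.site1.com site1 www-data
if [ "$#" -eq 3 ]; then
    check_vhost_layout "$@"
fi
```

Run it as root from cron over every directory under /srv/www; a non-zero exit with the listed paths is the thing to fix. The mode on the site root is what keeps one customer's suPHP process out of the next customer's secretlib, so this is the check worth automating before trusting the layout.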

        • Chung Leong

          #5
          Re: Secured hosting on a shared server--impossible?

          <nospam@geniegate.com> wrote in message
          news:Lucy111095920096430xa7e33c@client.tunestar.net...
          >
          > Couldn't do these kinds of things for $3.95/month, but $20.00/month buys
          > you a VPS. Not terrible considering 5-6 years ago, it was $25.00/month for
          > a 1/2 decent *shared* server with a fraction of the disk space and no
          > access to your config files or cron.
          >
          > A VPS still isn't absolutely secure if your ISP has physical access
          > to the machine.

          Hmmm...I didn't know prices for VPS have dropped to such a level. For my
          private hobby site I'm still paying $25 a month for shared hosting. Yup, it
          was set up some five, six years ago :-(



          • Chung Leong

            #6
            Re: Secured hosting on a shared server--impossible?

            "Colin McKinnon" <colin.deletethis@andthis.mms3.com> wrote in message
            news:d18sut$rjg$1$830fa79d@news.demon.co.uk...
            > Chung Leong wrote:
            >
            > >
            > > Those of us who know better know, of course, that that's not the case.
            >
            > Not by default. But it is possible to isolate each virtual host using
            > open_basedir/safe_mode/safe_mode_exec_dir.
            >
            > C.

            But AFAIK, most ISPs don't set up separate session path per virtual host. So
            it's possible to create a session file through one site and use it in
            another.


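Added example, not from any poster in the thread: a shell audit of the per-vhost php.ini files a suPHP setup points at with suPHP_ConfigPath. It assumes the layout Hans shows, one directory per site under a common parent such as /etc/php4/vhosts, each holding a php.ini. It checks that each site sets open_basedir (Colin's isolation) and its own session.save_path, and reports a path that is /tmp or shared between sites, which is the case Chung describes, where a session file written through one site can be used on another.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the per-vhost php.ini files
# of a suPHP setup. Following Hans's suPHP_ConfigPath /etc/php4/vhosts/example
# it assumes one directory per site under a common parent, each holding a
# php.ini. Two rules: every site gets an open_basedir, and every site gets its
# own session.save_path, never /tmp and never one shared with another site.

# ini_value FILE DIRECTIVE: value of the last uncommented assignment of the
# directive, surrounding quotes and trailing blanks removed; empty if unset.
ini_value() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

# session_path FILE: session.save_path with PHP's optional "N;" or "N;MODE;"
# depth/mode prefix stripped, so "2;/tmp" and "/tmp" compare equal.
session_path() {
    ini_value "$1" session.save_path | sed 's/.*;//'
}

# check_vhost_inis PARENTDIR: one finding per line, returns 1 if any.
check_vhost_inis() {
    parent=$1; rc=0; paths=""
    for ini in "$parent"/*/php.ini; do
        [ -f "$ini" ] || { echo "$parent: no */php.ini files found"; return 1; }
        sp=$(session_path "$ini")
        ob=$(ini_value "$ini" open_basedir)
        if [ -z "$sp" ]; then
            echo "$ini: session.save_path unset, falls back to the system-wide default"
            rc=1
        elif [ "$sp" = /tmp ]; then
            echo "$ini: session.save_path is /tmp, shared with every other site"
            rc=1
        fi
        [ -n "$ob" ] || { echo "$ini: open_basedir unset"; rc=1; }
        paths="$paths$sp
"
    done
    # A path that appears under more than one site is shared even if it is
    # not /tmp; the final sed drops the empty entries of unset directives.
    dups=$(printf '%s' "$paths" | sort | uniq -d | sed '/^$/d')
    if [ -n "$dups" ]; then
        printf '%s\n' "$dups" | sed 's/^/shared session.save_path: /'
        rc=1
    fi
    return $rc
}

# Usage: sh vhost-ini-audit.sh /etc/php4/vhosts
if [ "$#" -eq 1 ]; then
    check_vhost_inis "$1"
fi
```

Set both directives in the per-vhost php.ini (or with php_admin_value under mod_php) rather than leaving them to the site's own scripts, since a script can otherwise point session.save_path back at the shared directory. The session directory itself should be owned by the site user and closed to everyone else; under mod_php, where every site runs as the same uid, open_basedir is what stops a script on one site from opening another site's session files directly.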

            • Gary L. Burnore

              #7
              Re: Secured hosting on a shared server--impossible?

              On Wed, 16 Mar 2005 19:51:05 -0500, "Chung Leong"
              <chernyshevsky@hotmail.com> wrote:
              >"Colin McKinnon" <colin.deletethis@andthis.mms3.com> wrote in message
              >news:d18sut$rjg$1$830fa79d@news.demon.co.uk...
              >> Chung Leong wrote:
              >>
              >> >
              >> > Those of us who know better know, of course, that that's not the case.
              >>
              >> Not by default. But it is possible to isolate each virtual host using
              >> open_basedir/safe_mode/safe_mode_exec_dir.
              >>
              >> C.
              >
              >But AFAIK, most ISPs don't set up separate session path per virtual host.

              Did you do a survey? How did you determine that the word most is the
              best word to use in this case?

              >So it's possible to create a session file through one site and use it in
              >another.

              Maybe at _SOME_ ISP's. Certainly not most. Certainly not ours.

              --
              gburnore@databasix dot com
              ---------------------------------------------------------------------------
              How you look depends on where you go.
              ---------------------------------------------------------------------------
              Gary L. Burnore | DataBasix | Black Helicopter Repair Svcs Division
              Official Proof of Purchase. Want one? GET one! http://signup.databasix.com


              • Michael Fesser

                #8
                Re: Secured hosting on a shared server--impossible?

                .oO(Chung Leong)
                >(b) Is it possible to set up Apache so that virtual sites are protected from
                >one another?

                Yep. There are several ways of doing it. On one of my hosts, for example,
                everything runs in a Jailshell and every CGI process runs with the name/
                group of its owner. Of course this means that PHP has to run as CGI as
                well, but that's not really a problem. And finally it doesn't require
                the ugly safe_mode.

                With this setup reading other people's directories is only possible if
                you know the directory name and the permissions are set to at least o+r
                (public readable).

                Micha


                • John Murtari

                  #9
                  Re: Secured hosting on a shared server--impossible?

                  Hans van Kranenburg <user@example.net> writes:
                  > I'm running several webservers with Apache/PHP, and I'm pretty happy
                  > with my setup. After struggling for months with suexec, I switched to
                  > the suPHP module (which acts as a wrapper, running php scripts as the
                  > user who owns the script)
                  >
                  > (using Debian GNU/Linux)
                  >
                  > Put the websites somewhere and make them readable by the owner and by
                  > Apache, e.g.
                  >
                  > drwxr-x--- site1:www-data /srv/www/www.site1.com
                  > drwxr-x--- site2:www-data /srv/www/www.site2.com
                  >
                  > Inside put a htdocs-like directory, that's the docroot, and some other
                  > stuff, only readable by the user, for classes, includes, secret
                  > passwords etc... that won't be readable even in case Apache gets
                  > compromised, e.g.
                  >
                  > drwxr-xr-x site1:site1 /srv/www/www.site1.com/htdocs
                  > drwx------ site1:site1 /srv/www/www.site1.com/secretlib
                  >
                  > suPHP uses the CGI php binary. A great advance is that it's possible
                  > to specify a php.ini per-vhost, like:
                  >
                  > <VirtualHost 1.2.3.4:80>
                  > ServerName www.example.com
                  > DocumentRoot /srv/www/www.example.com/htdocs
                  > AddHandler x-httpd-php .php
                  > suPHP_Engine on
                  > suPHP_ConfigPath /etc/php4/vhosts/example
                  > </VirtualHost>
                  >
                  > So... setting things like include_path can be done for everyone to
                  > point e.g. to their own ..../secretlib directory.
                  >
                  > Be sure to switch Engine = off in the php.ini for mod_php and enable
                  > it only when you want it (phpMyAdmin, squirrelmail etc):
                  >
                  > <VirtualHost 1.2.3.4:8443>
                  > Blah...
                  >
                  > # PHP with mod_php.
                  > php_admin_flag engine on
                  >
                  > Alias /webmail /usr/share/squirrelmail
                  > </VirtualHost>
                  >
                  > When you need a mod_php-like virtualhost with https and a secure vhost
                  > for your own scripts with https, just run them on different ports (like
                  > suphp on 443 and mod_php on 8443) and there won't be any complaints
                  > about the server name in the SSL certificate.
                  >
                  > Because Apache suexec is still disabled, it's also possible to run
                  > things like mailman etc... CGI for users can be done with cgiwrap.


                  Okay, so even though the suPHP is a 'module' -- you are still
                  basically execing another process to handle every PHP page and action?
                  Just want to make sure on that. The big reason we like PHP is for
                  busy sites and we don't want the overhead of starting another process
                  for each request.

                  About security, we normally tell folks if you want to hide
                  it with PHP, then put it in a MySQL database which we can lock up tight.
                  A lot of folks have packages which want to upload files or create files;
                  that can be a real problem.

                  --
                  John
                  _____________________________________________________________________
                  John Murtari Software Workshop Inc.
                  jmurtari@following domain 315.635-1968(x-211) "TheBook.Com" (TM)


                  • Hans van Kranenburg

                    #10
                    Re: Secured hosting on a shared server--impossible?

                    John Murtari wrote:
                    > Hans van Kranenburg <user@example.net> writes:
                    >
                    >> I'm running several webservers with Apache/PHP, and I'm pretty
                    >> happy with my setup. After struggling for months with suexec, I
                    >> switched to the suPHP module (which acts as a wrapper, running php
                    >> scripts as the user who owns the script)
                    >
                    > Okay, so even though the suPHP is a 'module' -- you are still
                    > basically execing another process to handle every PHP page and
                    > action?

                    Yes. :(

                    > Just want to make sure on that. The big reason we like PHP is for
                    > busy sites and we don't want the overhead of starting another process
                    > for each request.

                    That's true.

                    > About security, we normally tell folks if you want to hide it with
                    > PHP, then put it in a MySQL database which we can lock up tight. A
                    > lot of folks have packages which want to upload files or create
                    > files, that can be a real problem

                    You still have to hide the MySQL password, but that can be done.

                    After all it's a trade-off. I like the extra possibilities, the security
                    at filesystem-user-level instead of relying on safe_mode and
                    open_basedir (although they're still being used) and take the
                    performance-drop for granted. In my situation that's possible because
                    the php-stuff is not the bottleneck on this server.

                    Hans

                    --
                    "He who asks a question is a fool for five minutes;
                    he who does not ask a question remains a fool forever"


                    • Michael Vilain

                      #11
                      Re: Secured hosting on a shared server--impossible?

                      In article <423c3218$0$142$e4fe514c@news.xs4all.nl>,
                      Hans van Kranenburg <user@example.net> wrote:
                      > John Murtari wrote:
                      > > Hans van Kranenburg <user@example.net> writes:
                      > >
                      > >> I'm running several webservers with Apache/PHP, and I'm pretty
                      > >> happy with my setup. After struggling for months with suexec, I
                      > >> switched to the suPHP module (which acts as a wrapper, running php
                      > >> scripts as the user who owns the script)
                      > >
                      > > Okay, so even though the suPHP is a 'module' -- you are still
                      > > basically execing another process to handle every PHP page and
                      > > action?
                      > Yes. :(
                      >
                      > > Just want to make sure on that. The big reason we like PHP is for
                      > > busy sites and we don't want the overhead of starting another process
                      > > for each request.
                      > That's true.
                      >
                      > > About security, we normally tell folks if you want to hide it with
                      > > PHP, then put it in a MySQL database which we can lock up tight. A
                      > > lot of folks have packages which want to upload files or create
                      > > files, that can be a real problem
                      > You still have to hide the MySQL password, but that can be done.
                      >
                      > After all it's a trade-off. I like the extra possibilities, the security
                      > at filesystem-user-level instead of relying on safe_mode and
                      > open_basedir (although they're still being used) and take the
                      > performance-drop for granted. In my situation that's possible because
                      > the php-stuff is not the bottleneck on this server.
                      >
                      > Hans

                      http://shiflett.org/articles/security-corner-mar2004 talks about a sweet
                      little hack you might be able to get your sysadmin to implement. I
                      created a local apache "include" file in my home directory that's owned
                      by me and with permissions 600 so only I can access it. That file
                      creates Apache variables with the SetEnv directive for the MySQL user
                      and password. Another account on the machine doesn't 'see' these
                      variables, so they aren't global. Since the apache startup runs as
                      root, it can read the protected file.

                      --
                      DeeDee, don't press that button! DeeDee! NO! Dee...



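Added example, not the code from Michael's post or from the linked article: a shell script that creates the per-account Apache include he describes, holding the MySQL login as SetEnv directives, plus a check the sysadmin can run before Including it. The MYSQL_USER and MYSQL_PASS variable names are this example's own choice, and it assumes GNU coreutils stat.

```shell
#!/bin/sh
# Added example, not code from the thread: create and verify the per-account
# Apache include that carries the MySQL login as SetEnv directives. The
# variable names MYSQL_USER/MYSQL_PASS are this example's choice.
# Assumes GNU coreutils stat (Linux).

# write_db_env_include FILE DBUSER DBPASS
# umask 077 is set before the file is created, so it never exists with a
# readable mode; chmod 600 afterwards covers a file that already existed,
# because ">" keeps the old mode. Quotes and backslashes in the password are
# escaped the way Apache expects inside a quoted argument.
write_db_env_include() {
    file=$1; dbuser=$2
    dbpass=$(printf '%s' "$3" | sed 's/[\\"]/\\&/g')
    old_umask=$(umask)
    umask 077
    {
        echo "# MySQL login for this vhost; Apache reads it as root at startup."
        printf 'SetEnv MYSQL_USER "%s"\n' "$dbuser"
        printf 'SetEnv MYSQL_PASS "%s"\n' "$dbpass"
    } > "$file"
    umask "$old_umask"
    chmod 600 "$file"
}

# check_db_env_include FILE
# The file is parsed by root, so before Including it confirm it is 0600 and
# holds nothing but comments, blank lines and SetEnv directives. One line per
# finding; returns 1 if any.
check_db_env_include() {
    file=$1; rc=0
    mode=$(stat -c '%a' "$file")
    [ "$mode" = 600 ] || { echo "$file: mode $mode, expected 600"; rc=1; }
    extra=$(grep -Ev '^[[:space:]]*(#|SetEnv[[:space:]]|$)' "$file" || true)
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra" | sed "s|^|$file: not a SetEnv line: |"
        rc=1
    fi
    return $rc
}

# Usage: sh db-env-include.sh ~/apache/mysql.conf site1 'secret'
if [ "$#" -eq 3 ]; then
    write_db_env_include "$1" "$2" "$3" && check_db_env_include "$1"
fi
```

In the site's PHP the values arrive as $_SERVER['MYSQL_USER'] and $_SERVER['MYSQL_PASS'] (getenv() works too), for requests to that vhost only. Anything that dumps $_SERVER on the site, phpinfo() included, prints them, so keep such pages out of the document root. Because Apache parses the include as root at startup, the second function refuses anything that is not a comment or a SetEnv line; that is the check to run before the file is Included from the main configuration.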
