
Securing Apache PHP with suPHP
Written by Kwok Yao Chim   
Monday, 03 March 2008 02:57
Securing Apache and reducing the risk of XSS (cross-site scripting) by only allowing PHP scripts to execute with the permissions of their owners.



This was relatively easy to set up, but some prerequisites are needed before carrying out this experiment.

Pre-requisite packages
httpd
httpd-devel (required to build suphp with apxs)
php
php-cli (needed by suphp to execute php via CGI)

All the above packages were installed using YUM.

Next step was to download the suPHP source so that I can compile and build it with Apache HTTPD (the version number may differ from the one current at time of publication):
$ cd /tmp
$ wget http://www.suphp.org/download/suphp-0.6.3.tar.gz
$ tar -xvzf suphp-0.6.3.tar.gz


I proceeded to edit lines 324 and 325 in the file "suphp-0.6.3/src/apache2/mod_suphp.c" (note: line numbers may differ).
The original lines will look something like this:
AP_INIT_ITERATE("suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, ACCESS_CONF, "Tells mod_suphp to handle these MIME-types"),
 
AP_INIT_ITERATE("suPHP_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, ACCESS_CONF, "Tells mod_suphp not to handle these MIME-types"),

The edited lines should now look like this:
AP_INIT_ITERATE("suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, RSRC_CONF | ACCESS_CONF, "Tells mod_suphp to handle these MIME-types"),
 
AP_INIT_ITERATE("suPHP_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, RSRC_CONF | ACCESS_CONF, "Tells mod_suphp not to handle these MIME-types"),
Notice the "RSRC_CONF |" addition to both lines: it allows the suPHP_AddHandler and suPHP_RemoveHandler directives in the main server and virtual host configuration, not only inside <Directory> sections.

Now we prepare and install suPHP:
$ cd suphp-0.6.x/
$ ./configure --prefix=/usr --sysconfdir=/etc --with-apr=/usr/bin/apr-1-config --with-apxs=/usr/sbin/apxs --with-apache-user=apache --with-setid-mode=paranoid --with-php=/usr/bin/php-cgi --with-logfile=/var/log/httpd/suphp_log --enable-SUPHP_USE_USERGROUP=yes
$ make
$ make install
The configuration options are set for CentOS standard/default installs of Apache and PHP.

During the "make" process I encountered an error, "g++ not found", which means that the libraries needed to compile suPHP with GCC-C++ are not installed. A simple YUM installation of gcc-c++ resolved this problem. If you encounter errors, read the error messages properly and carefully to understand what's going on.


Now that I have suPHP installed, I can proceed to fiddle about with the configuration files.
The suPHP installation documentation says that you can use the sample suphp configuration, which should be placed in the "/etc/" directory.

There are a few options I changed, so the edited "/etc/suphp.conf" file now looked like this:
[global]
;Path to logfile
logfile=/var/log/httpd/suphp_log
;Loglevel
loglevel=info
;User Apache is running as
webserver_user=apache
;Path all scripts have to be in
docroot=/
;Path to chroot() to before executing script
;chroot=/mychroot
;Security options
allow_file_group_writeable=true
allow_file_others_writeable=false
allow_directory_group_writeable=true
allow_directory_others_writeable=false
;Check whether script is within DOCUMENT_ROOT
check_vhost_docroot=true
;Send minor error messages to browser
errors_to_browser=false
;PATH environment variable
env_path=/bin:/usr/bin
;Umask to set, specify in octal notation
umask=0077
;Minimum UID
min_uid=100
;Minimum GID
min_gid=100
[handlers]
;Handler for php-scripts
x-httpd-php=php:/usr/bin/php-cgi
;Handler for CGI-scripts
x-suphp-cgi=execute:!self
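
The security options in the suphp.conf above (min_uid, min_gid and the four writeable flags) are what make suPHP refuse to run a script, and the refusal only shows up in suphp_log. The shell function below is an added example, not part of the original article or of the suPHP project: it applies those same ownership and permission rules to a file so you can check a script before deploying it. It assumes GNU stat (stat -c), as found on CentOS, and takes the limits as parameters so it can be run against any site's settings.

```shell
#!/bin/sh
# Added example, not the suPHP project's own code: apply the ownership and
# permission rules from suphp.conf to a script and report why it would be
# refused. Assumes GNU stat (stat -c).
#
# Usage: suphp_precheck FILE [MIN_UID] [MIN_GID] [ALLOW_GROUP_WRITEABLE]
# Prints each violated rule; returns 0 only when every rule passes.
suphp_precheck() {
    file=$1
    min_uid=${2:-100}      # min_uid in suphp.conf
    min_gid=${3:-100}      # min_gid in suphp.conf
    allow_gw=${4:-true}    # allow_file/directory_group_writeable in suphp.conf
    rc=0

    if [ ! -f "$file" ]; then
        echo "REFUSE: $file is not a regular file"
        return 1
    fi

    # Owner uid, group gid and octal mode of the script.
    set -- $(stat -c '%u %g %a' "$file")
    uid=$1; gid=$2; mode=$3

    # Split the octal mode string into its group and others digits.
    others=${mode#"${mode%?}"}
    rest=${mode%?}
    group=${rest#"${rest%?}"}

    if [ "$uid" -lt "$min_uid" ]; then
        echo "REFUSE: owner uid $uid is below min_uid=$min_uid"; rc=1
    fi
    if [ "$gid" -lt "$min_gid" ]; then
        echo "REFUSE: group gid $gid is below min_gid=$min_gid"; rc=1
    fi
    # Bit 2 of a permission digit is the write bit.
    if [ $((others & 2)) -ne 0 ]; then
        echo "REFUSE: $file is writeable by others (allow_file_others_writeable=false)"; rc=1
    fi
    if [ "$allow_gw" != true ] && [ $((group & 2)) -ne 0 ]; then
        echo "REFUSE: $file is group-writeable (allow_file_group_writeable=false)"; rc=1
    fi

    # The containing directory is held to the same writeability rules.
    dir=$(dirname "$file")
    dmode=$(stat -c '%a' "$dir")
    dothers=${dmode#"${dmode%?}"}
    drest=${dmode%?}
    dgroup=${drest#"${drest%?}"}
    if [ $((dothers & 2)) -ne 0 ]; then
        echo "REFUSE: directory $dir is writeable by others (allow_directory_others_writeable=false)"; rc=1
    fi
    if [ "$allow_gw" != true ] && [ $((dgroup & 2)) -ne 0 ]; then
        echo "REFUSE: directory $dir is group-writeable (allow_directory_group_writeable=false)"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $file would be accepted by suPHP"
    return "$rc"
}
```

Run it with the values from your own suphp.conf, for example `suphp_precheck /var/www/html/index.php 100 100 true`; a script owned by root, or sitting in a world-writeable upload directory, is reported before suPHP ever logs the refusal.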
 

suPHP is in place and ready to run, but some changes to the Apache configuration are required so that mod_suphp is loaded and used.

First change is in the "/etc/httpd/conf.d/php.conf", where a line is commented out:
#LoadModule php5_module modules/libphp5.so
 
Commenting out that line stops Apache from loading the standard PHP module. Instead, we create a new file, "/etc/httpd/conf.d/suphp.conf", that tells Apache to use mod_suphp, which will only run each script via php-cgi with the permissions of the file's owner. Here is what the file should contain:
LoadModule suphp_module modules/mod_suphp.so
suPHP_Engine on
AddHandler x-httpd-php .php
suPHP_AddHandler x-httpd-php
The configuration above applies to all vhosts in Apache; to control individual vhosts instead, put the last three lines inside each vhost and adjust the options there.

Now that all the necessary configuration is done, an Apache restart is needed.