> -----Original Message-----
> From: thomas [mailto:tfj-online (at mark) mail.tele.dk]
> Sent: Thursday, 31 July 2008 07:04
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:13659] Re: apache suexec
>
>
> From: "Chris Gebhardt"
>> Hi Thomas
>> Reminder to always "inline post". Don't reply on top. Your reply
>> should always be BENEATH what you are replying to.
>>
>> This is an issue that we have observed occasionally with dynamically
>> created content from a CMS such as Joomla or Wordpress or the like.
>> Then a user wants to make changes via FTP and that winds up requiring
>> a support ticket so that our techs can run a quick chown -R for them.
>
>
> Yes, we do that a lot, but we would rather like to fix the problem.
>
> I can see that suexec seems to be compiled with a wrong document root
>
> # suexec -V
> -D AP_DOC_ROOT="/var/www" <<<<< should have been /home/.sites or /home
> -D AP_GID_MIN=100
> -D AP_HTTPD_USER="apache"
> -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
> -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
> -D AP_UID_MIN=500
> -D AP_USERDIR_SUFFIX="public_html"
>
> # httpd -V
> Server version: Apache/2.0.52
> Server built: May 4 2007 06:25:03
> Server's Module Magic Number: 20020903:9
> Architecture: 32-bit
> Server compiled with....
> -D APACHE_MPM_DIR="server/mpm/prefork"
> -D APR_HAS_SENDFILE
> -D APR_HAS_MMAP
> -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
> -D APR_USE_SYSVSEM_SERIALIZE
> -D APR_USE_PTHREAD_SERIALIZE
> -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
> -D APR_HAS_OTHER_CHILD
> -D AP_HAVE_RELIABLE_PIPED_LOGS
> -D HTTPD_ROOT="/etc/httpd"
> -D SUEXEC_BIN="/usr/sbin/suexec"
> -D DEFAULT_PIDLOG="logs/httpd.pid"
> -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
> -D DEFAULT_LOCKFILE="logs/accept.lock"
> -D DEFAULT_ERRORLOG="logs/error_log"
> -D AP_TYPES_CONFIG_FILE="conf/mime.types"
> -D SERVER_CONFIG_FILE="conf/httpd.conf"
>
>
> from the error log I get this
>
> [error] [client ] Premature end of script headers: index.php
>
> from /var/log/httpd/suexec.log I get this
>
> uid: (502/someadminuser) gid: (500/500) cmd: index.php
> command not in docroot (/home/.sites/28/site1/web/index.php)
>
> Is it possible to change all that!
>
> --
> Thomas Jensen
>
----- Original Message -----
From: "Rodrigo Ordonez Licona" <rodrigo (at mark) xnet.com.mx>
To: <coba-e (at mark) bluequartz.org>
Sent: Thursday, July 31, 2008 9:46 AM
Subject: [coba-e:13663] Re: apache suexec
> We recently received an attack through a Joomla site; somehow the user
> uploaded a PHP script (which ended up being owned by apache)
>
> ..., and was able to place apache-owned documents all over the server,
> (affected awstats specifically) files were deleted by awstats next day...
>
> but freaked out more than one customer.
>
> So this is a security concern; whoever is able to upload files should only
> be able to affect that vsite.
>
> My 2 cents
>
> Rodrigo O
Rodrigo,
You might try setting the php_admin_value open_basedir for each of your
sites.
E.g.
php_admin_value open_basedir /var/lib/php/session:/home/.sites/$preview:/home/sites/$filename:/home/tmp:/tmp:/usr/bin/pear:/usr/share/pear
The script I use for that is:
#!/usr/bin/perl
##################################################################
# Changes the open_basedir of each vsite from /home to that site only.
# Assumes the BlueQuartz layout: /home/sites/<fqdn> is a symlink to
# /home/.sites/<group>/<siteN> (e.g. ../.sites/28/site1), and each
# vsite's Apache config is /etc/httpd/conf/vhosts/<siteN>.include.
use strict;
use warnings;
use File::Copy qw(copy);

my $tempfile = "/home/sites/home/web/tempfile.txt";
unlink $tempfile if -e $tempfile;

# Example of the line this writes, for cancel.choicesalmon.com:
# php_admin_value open_basedir /var/lib/php/session:/home/.sites/28/site1:/home/sites/cancel.choicesalmon.com:/home/tmp:/tmp:/usr/bin/pear:/usr/share/pear
opendir(my $dh, "/home/sites") or die "Can't open /home/sites: $!\n";
my @locatearray = sort grep { !/^\.\.?$/ } readdir($dh);
closedir($dh);
doit();

sub doit {
    foreach my $filename (@locatearray) {
        # skip the entries in /home/sites that are not vsite symlinks
        if ( $filename eq "index.html" or $filename eq "home"
             or $filename =~ /secure-access/ ) {
            print "is home or index: $filename\n";
            next;
        }
        # Resolve the symlink instead of parsing `ls -la | grep $filename`,
        # which also matched site1 inside site10. The last two path
        # components are <group>/<siteN> whether the link target is
        # relative (../.sites/28/site1) or absolute (/home/.sites/28/site1).
        my $target = readlink("/home/sites/$filename");
        my ($group, $sitenumber) = defined $target ? (split m{/}, $target)[-2, -1] : ();
        unless (defined $group) { print "skipping $filename: not a vsite symlink\n"; next; }
        my $preview = "$group/$sitenumber";
        print "Preview is $preview\n\n";
        my $conffile   = "/etc/httpd/conf/vhosts/$sitenumber.include";
        my $backupfile = "$conffile.old";
        print "The conf file is $conffile\n";

        open(my $in,  '<', $conffile) or die "Can't Open $conffile: $!\n";
        open(my $out, '>', $tempfile) or die "Can't Open $tempfile: $!\n";
        while (my $thisline = <$in>) {
            # comment out any existing open_basedir setting, keep everything else
            if ( $thisline =~ /php_admin_value/ and $thisline =~ /open_basedir/ ) {
                print $out "#$thisline";
            } else {
                print $out $thisline;
            }
        }
        close($in);
        # append the open_basedir restricted to this site (must be one line)
        print $out "php_admin_value open_basedir /var/lib/php/session:/home/.sites/$preview:/home/sites/$filename:/home/tmp:/tmp:/usr/bin/pear:/usr/share/pear\n";
        close($out);

        copy($conffile, $backupfile) or die "Can't back up $conffile: $!\n";
        copy($tempfile, $conffile)   or die "Can't write $conffile: $!\n";
        unlink $tempfile;
        print "I fixed: $filename\n";
        print "\nIf this looks right, then hit enter to do the next one.\n";
        my $nothing = <STDIN>;
    }
}
exit;
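An added check, not part of this thread or of BlueQuartz, that audits what the script above leaves behind: it reads the effective open_basedir from a vsite include, flags entries such as /home or a group directory that would let a PHP script in one vsite read every other site, and mirrors the suexec document-root test that produced Thomas's "command not in docroot" line. The includes are constructed samples, and the paths /home/.sites/28/site1 and /home/sites/site1.example.com are assumed.

```sh
#!/bin/sh
# Constructed sample includes (trimmed to the open_basedir lines; not real
# BlueQuartz files): site1 as the script above leaves it, site2 still wide open.
SAMPLES=$(mktemp -d); trap 'rm -rf "$SAMPLES"' EXIT
cat > "$SAMPLES/site1.include" <<'EOF'
#php_admin_value open_basedir /var/lib/php/session:/home:/home/tmp:/tmp
php_admin_value open_basedir /var/lib/php/session:/home/.sites/28/site1:/home/sites/site1.example.com:/home/tmp:/tmp:/usr/bin/pear:/usr/share/pear
EOF
cat > "$SAMPLES/site2.include" <<'EOF'
php_admin_value open_basedir /var/lib/php/session:/home:/home/tmp:/tmp
EOF
# Print the open_basedir PHP gets from an include: the last uncommented
# "php_admin_value open_basedir" line, i.e. the one the script above appends.
effective_basedir() {
    grep -v '^[[:space:]]*#' "$1" |
        awk '$1 == "php_admin_value" && $2 == "open_basedir" { v = $3 } END { print v }'
}
# Return 0 unless an open_basedir entry is "/" or a directory above SITEDIR or
# LINKDIR (/home, /home/.sites, /home/sites, the group dir /home/.sites/28):
# entries act as path prefixes, so such an entry exposes every other vsite.
basedir_is_restricted() {
    basedir=$1; sitedir=$2; linkdir=$3
    [ -n "$basedir" ] || return 1      # no setting at all means no restriction
    oldifs=$IFS; IFS=:; set -- $basedir; IFS=$oldifs
    for entry in "$@"; do
        case "$entry" in /) return 1 ;; esac
        entry=${entry%/}
        for d in "$sitedir" "$linkdir"; do
            case "$d" in "$entry"/*) return 1 ;; esac
        done
    done
    return 0
}
# Mirror the suexec check behind "command not in docroot" above: for a normal
# (non-userdir) request the script path must lie under AP_DOC_ROOT.
suexec_in_docroot() {
    case "$2" in "${1%/}"/*) return 0 ;; esac
    return 1
}
# Audit one vsite include, print a verdict, return 1 when it is exposed.
audit_vsite() {
    bd=$(effective_basedir "$1")
    if basedir_is_restricted "$bd" "$2" "$3"; then echo "OK      $1: $bd"; return 0; fi
    echo "EXPOSED $1: $bd"; return 1
}
exposed=0
for s in site1 site2; do
    audit_vsite "$SAMPLES/$s.include" "/home/.sites/28/$s" "/home/sites/$s.example.com" || exposed=$((exposed + 1))
done
echo "$exposed vsite(s) still let PHP read outside their own directory"
```

Run it against the real /etc/httpd/conf/vhosts/*.include files by pointing audit_vsite at each include with that site's /home/.sites path and /home/sites symlink.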