Apache Lounge
Forum Index -> Other Software
Topic: PHP service account
Johannes (Joined: 25 Sep 2011, Posts: 3)
Posted: Sun 25 Sep '11 17:02    Post subject: PHP service account

Up until recently my Apache/PHP configuration has been secure enough, running PHP with php5_module and Apache under a service account with user privileges (thus not allowing administration rights or self-configuration changes). However, now I need to allow Apache read access to a file (the SSL key) but not PHP (to ensure the key can't be exposed). I would therefore like to give PHP its own service account; however, this does not seem possible when running PHP as a module. It looks like an option may be to run PHP as CGI, say FastCGI, but it doesn't look like FastCGI is as stable as it would need to be. I have thought about running PHP as a standard cgi-bin, but this doesn't seem like a fast/optimal solution.

Are there any other ways of securing my file from PHP? (Service account or other methods)

At the moment I have "secured" (probably just obscured) my file by using disable_functions and open_basedir, but this isn't the right way of doing it.

I have heard php-fpm is nice; is this suitable?

(Server 2008 r2, Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e, PHP 5.3.8 )

Thanks for any tips/ideas!
James Blond, Moderator (Joined: 19 Jan 2006, Posts: 7355, Location: Germany, next to Hamburg)
Posted: Sun 25 Sep '11 21:48

There are a lot of options in php.ini to limit PHP's resources, such as open_basedir, disable_functions, disable_classes and expose_php.

In the manual there is a lot of stuff to read about this:
http://www.php.net/manual/en/security.php
Kanashii (Joined: 17 Jul 2006, Posts: 155, Location: Porando)
Posted: Tue 27 Sep '11 19:11

In my case:

I tried to jail php-cgi, but with no effect.

So I just harden my OS:

In GPO you can restrict application execution to a specified path, but you need to check it without admin rights.
Add privileges to cmd.exe, telnet.exe etc. so that only administrators can run them.

In php.ini, disable functions:

disable_functions = proc_open, proc_close, system, dl, passthru, readfile, shell_exec, popen, escapeshellcmd, getmyuid, pcntl_exec, chown,symlink,get_current_user,getmyuid,dl,ftp_connect

_________

PHP runs under the Apache account, but Apache has no permission to write to .php files. !important

So:
If somebody gets access to your server:
they can't run applications and can't write to files.

Separate e.g. MySQL into another account; be careful with SQL injection.
Johannes (Joined: 25 Sep 2011, Posts: 3)
Posted: Sun 02 Oct '11 12:08

James Blond, Kanashii, thanks for your responses. I added pcntl_exec to my disable_functions configuration. Kanashii, I noticed you don't have the regular exec function in your disable_functions; maybe you should add that?

It is an interesting idea to set a policy to further limit the rights which the account has.

Locking down PHP like this is a good start, but I would still like to run PHP in its own account. Are there any other CGI alternatives, or other ways to run PHP in its own account? Is there any news about the stability of FastCGI?

Thanks,

//Johannes
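The two posts above rely on open_basedir plus disable_functions to keep the key out of PHP's reach, and Johannes notes that exec is missing from the list. The caveat a practitioner wants to verify here is that open_basedir fences only PHP's own stream functions (file_get_contents, fopen and friends); a child process spawned through exec, shell_exec, popen or proc_open runs with the service account's full filesystem rights and ignores open_basedir completely, so with mod_php the key is readable by `type server.key` unless every spawning function is disabled. The following check script is an added example written for this thread, not code posted by any participant. It is run from the command line as the Apache/PHP service account with the same php.ini Apache loads, and it reports which route, if any, still returns the key's contents. The key path and the `-c` ini path are assumptions; pass your own path as the first argument.

```php
<?php
// key_exposure_check.php -- added example, not code from the thread.
// Run as the Apache/PHP service account with the hardened php.ini, e.g.:
//   php -c C:\Apache2\bin\php.ini key_exposure_check.php C:\Apache2\conf\server.key
// The default path below is an assumption; pass your own key as argv[1].

$key = isset($argv[1]) ? $argv[1] : 'C:\\Apache2\\conf\\server.key';

// Spawning functions that need to be in disable_functions: open_basedir does
// not apply to a child process, only to PHP's own stream functions.
// passthru and system are listed for the ini check but not probed, because
// they would write the key straight to stdout.
$spawners = array('exec', 'passthru', 'system', 'shell_exec', 'popen', 'proc_open', 'pcntl_exec');

// Parse disable_functions into a clean array of names.
function disabled_functions() {
    $raw = (string) ini_get('disable_functions');
    return array_filter(array_map('trim', explode(',', $raw)));
}

// Route 1: read through PHP's stream layer (this is what open_basedir restricts).
function read_direct($path) {
    $data = @file_get_contents($path);
    return $data !== false && strlen($data) > 0;
}

// Route 2: read by spawning "type"/"cat" as a child process. Only OS ACLs and
// disable_functions stand in the way here. Returns true if key data came back.
function read_via_child($func, $path) {
    if (!function_exists($func)) {   // removed by disable_functions
        return false;
    }
    $cmd = (stripos(PHP_OS, 'WIN') === 0 ? 'type ' : 'cat ') . '"' . $path . '"';
    $out = '';
    switch ($func) {
        case 'exec':
            $lines = array();
            @exec($cmd, $lines);
            $out = implode("\n", $lines);
            break;
        case 'shell_exec':
            $out = (string) @shell_exec($cmd);
            break;
        case 'popen':
            $h = @popen($cmd, 'r');
            if ($h) { $out = (string) stream_get_contents($h); pclose($h); }
            break;
        case 'proc_open':
            $spec = array(1 => array('pipe', 'w'), 2 => array('pipe', 'w'));
            $p = @proc_open($cmd, $spec, $pipes);
            if (is_resource($p)) {
                $out = (string) stream_get_contents($pipes[1]);
                fclose($pipes[1]); fclose($pipes[2]); proc_close($p);
            }
            break;
    }
    return strlen(trim($out)) > 0;
}

// Report the effective ini settings and any spawner left enabled.
$ob = (string) ini_get('open_basedir');
$df = (string) ini_get('disable_functions');
printf("open_basedir      : %s\n", $ob === '' ? '(not set!)' : $ob);
printf("disable_functions : %s\n", $df === '' ? '(not set!)' : $df);
$missing = array_diff($spawners, disabled_functions());
if ($missing) {
    printf("WARNING, still enabled: %s\n", implode(', ', $missing));
}

// Probe every route and collect the ones that returned key material.
$exposed = array();
if (read_direct($key)) {
    $exposed[] = 'file_get_contents';
}
foreach (array('exec', 'shell_exec', 'popen', 'proc_open') as $f) {
    if (read_via_child($f, $key)) {
        $exposed[] = $f;
    }
}

if ($exposed) {
    echo "EXPOSED: key readable via " . implode(', ', $exposed) . "\n";
    exit(1);
}
echo "OK: key not readable from PHP by any probed route\n";
exit(0);
```

The script exits non-zero when any route returns data, so it can be re-run after every php.ini change. Note what a clean result does and does not prove: it shows the configured ini restrictions hold for the probed functions, but because mod_php runs inside the Apache process the OS ACL on the key still grants read access to the same account, which is exactly why a separate process and account (FastCGI) is the only way to close the gap for good.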
Kanashii (Joined: 17 Jul 2006, Posts: 155, Location: Porando)
Posted: Sun 02 Oct '11 18:41

exec, yeah, I know; I use exec in one project :P, and phpinfo :)
____

The problem is that on Windows there is no solution right now:

Runas.exe /user:pihejdzpi php-cgi.exe

but you need to type the password,

so maybe try

php.bat

@echo off
echo your_password | runas.exe /user:pihejdzpi php-cgi.exe

something like this on Unix:

====== php-wrapper ======
#!/bin/sh
# number of FastCGI worker children to keep running
PHP_FCGI_CHILDREN=3
export PHP_FCGI_CHILDREN
# recycle each child after this many requests
PHP_FCGI_MAX_REQUESTS=2000
export PHP_FCGI_MAX_REQUESTS
# replace the wrapper shell with the php-fcgi binary
exec /usr/bin/php-fcgi
====== END php-wrapper ======

but httpd needs access to httpd.conf, so somebody can see your PHP password.

Solution:
Create an application that has the fcgid class etc. and then run this application.



________


Now, when I had access to the Apache account from a shell, I couldn't read files on C: where my OS is, and couldn't run applications.
Only in the "bin" dir, where I have Apache and PHP, did I have permission to run anything.