| Author |
|
C0nw0nk
Joined: 07 Oct 2013
Posts: 241
Location: United Kingdom, London
|
 Posted: Tue 14 Apr '15 3:02 Post subject: PHP Locking down directories on Windows |
 |
|
So this is a unique question what falls into the ball park of php execution of files.
In my PHP.ini file it contains the following.
| Code: | [PATH=s:/webroot/domain.nl]
open_basedir = s:/webroot/domain.nl
doc_root = s:/webroot/domain.nl
error_reporting = E_ALL & ~E_NOTICE
error_log = s:/logging/php/domain.nl.errors.log
upload_tmp_dir = s:/webroot/domain.nl/uploads
session.save_path = s:/webroot/domain.nl/sessions |
So with open_basedir and doc_root i have told php not to execute scripts outside of those directories and not to get files outside of those directories.
But i can still execute ffmpeg.exe even though i have not listed the file path for ffmpeg in the php.ini is that normal how can i tell php not to do this because to me that seems as a insecurity.
Before anyone talks about disabling the exec function i need to be able to execute ffmpeg.exe for video conversions but i want php to only execute ffmpeg not files people could upload for example.
Is there a way i can whitelist specific directories for execution of files on the server.
Example :
| Code: | | C:/server/ffmpeg/ffmpeg.exe |
And to only allow execution of the ffmpeg.exe ?
From my understanding right now there would be nothing stopping a user from uploading a file to their site and then uploading a ".exe" file and executing it on the server with a php script. (Hacking)
I think what i am after is "include_path" what currently is default but i am not sure either way i will wait for a response. |
|
| Back to top |
|
ng4win
Joined: 25 May 2014
Posts: 78
|
| Posted: Tue 14 Apr '15 13:03 Post subject: |
|
|
| Not directly, you can add a group with exec rights only to one folder, or even to one file, thats how we do it here. See user/group management and associate them with NTFS rights. |
|
| Back to top |
|
C0nw0nk
Joined: 07 Oct 2013
Posts: 241
Location: United Kingdom, London
|
| Posted: Tue 14 Apr '15 15:07 Post subject: |
|
|
| Yeah i figured that something like that was going to be the outcome i take it on linux they do the same. |
|
| Back to top |
|
ng4win
Joined: 25 May 2014
Posts: 78
|
| Posted: Tue 14 Apr '15 16:48 Post subject: |
|
|
More or less yes, the OS choice makes no difference in how you lock down stuff, just have a hackers hat on when doing hackable things.
It reminds me of a very old hackers mind set, in a classroom security student were asked to switch off the lights but they were not allowed to use the light switch.... needless to say the right answer was to use the light switch  |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg
|
|
| Back to top |
|
ng4win
Joined: 25 May 2014
Posts: 78
|
| Posted: Tue 14 Apr '15 16:57 Post subject: |
|
|
| Where doing that already for some time with our Install_nginx_php_services.zip which could be used for other purposes. |
|
| Back to top |
|
C0nw0nk
Joined: 07 Oct 2013
Posts: 241
Location: United Kingdom, London
|
| Posted: Tue 14 Apr '15 17:52 Post subject: |
|
|
| Makes sense but atleast the security is there does that go for scripts too such as .vbs, .cmd, .bat etc ? Does it mean that those can not be executed unless whitelisted. |
|
| Back to top |
|
ng4win
Joined: 25 May 2014
Posts: 78
|
| Posted: Tue 14 Apr '15 18:57 Post subject: |
|
|
| C0nw0nk wrote: | | Makes sense but atleast the security is there does that go for scripts too such as .vbs, .cmd, .bat etc ? Does it mean that those can not be executed unless whitelisted. |
Depends how you deny/grant access and to which service user, scripts are run by interpreters like cmd.exe cscript.exe etc...
It takes a bit of work, create a group which has no exec access anywhere, then assign exec rights where needed. This is also valid for file creation in temp folders and anywhere else. |
|
| Back to top |
|
C0nw0nk
Joined: 07 Oct 2013
Posts: 241
Location: United Kingdom, London
|
| Posted: Wed 15 Apr '15 1:47 Post subject: |
|
|
Thanks ng4win i do not do public shared hosting but i do have allot of my own sites on multiple machines and to prevent them being compromised in the event one does encounter a security flaw id rather have them all secured and lock them down with this method.
Are there any other security methods i should look into or take onboard ?
snce my sites only require access to imagick's convert.exe and ffmpeg's ffmpeg.exe process they do not need to be executing anything else. |
|
| Back to top |
|
ng4win
Joined: 25 May 2014
Posts: 78
|
| Posted: Wed 15 Apr '15 11:25 Post subject: |
|
|
| C0nw0nk wrote: | Are there any other security methods i should look into or take onboard ?
|
Only hardening following CIS for your OS.
Despite NSA's bad rep. they do have very good CIS hardening guides. |
|
| Back to top |
|
C0nw0nk
Joined: 07 Oct 2013
Posts: 241
Location: United Kingdom, London
|
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg
|
| Posted: Wed 15 Apr '15 15:30 Post subject: |
|
|
| C0nw0nk wrote: | | Makes sense but atleast the security is there does that go for scripts too such as .vbs, .cmd, .bat etc ? Does it mean that those can not be executed unless whitelisted. |
With that link that I posted even .vbs and other stuff can't be executed from the server. Yes it is a white listing. |
|
| Back to top |
|
C0nw0nk
Joined: 07 Oct 2013
Posts: 241
Location: United Kingdom, London
|
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg
|
| Posted: Thu 16 Apr '15 17:08 Post subject: |
|
|
I prefer to use apache over nginx  |
|
| Back to top |
|
C0nw0nk
Joined: 07 Oct 2013
Posts: 241
Location: United Kingdom, London
|
| Posted: Thu 16 Apr '15 20:47 Post subject: |
|
|
I did use Apache and it was good but the issue with apache for me in a high traffic multi media enviorment was pseudo streaming no maintained modules for it on windows etc you would need seperate modules for FLV then MP4.
And apache used allot of CPU/Ram since i switched to nginx all that is built into it, My cpu is always 1% or 0% and ram usage onit never goes higher than 15,000K and if that was not good enough it also fixes the C10K port connection limit what i am pretty sure apache has not done yet and apache users still have a concurrent connection limit. |
|
| Back to top |
|
this lets not just myself, but others know how to properly secure their applications and combined with the scripts NG4WIN made to lock users down.