Topic: PHP service account
Johannes
Joined: 25 Sep 2011 Posts: 3
Posted: Sun 25 Sep '11 17:02 Post subject: PHP service account
Up until recently my Apache/PHP configuration has been secure enough by running PHP with the php5_module and Apache under a service account with user privileges (thus not allowing administration rights or self-configuration changes). However, now I need to allow Apache read access to a file (SSL key) but not PHP (to ensure the key can't be exposed). I would therefore like to give PHP its own service account; however, this does not seem possible when running PHP as a module. It looks like an option may be to run PHP as a CGI, say FastCGI, but it doesn't look like FastCGI is as stable as it would need to be. I have thought about running PHP as a standard cgi-bin, but this doesn't seem like a fast/optimal solution.
Are there any other ways of securing my file from PHP? (Service account or other methods)
At the moment I have "secured" (probably just obscured) my file by using disable_functions and open_basedir, but this isn't the right way of doing it.
I have heard php-fpm is nice; is this suitable?
(Server 2008 R2, Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e, PHP 5.3.8)
Thanks for any tips/ideas!
James Blond (Moderator)
Joined: 19 Jan 2006 Posts: 7377 Location: Germany, next to Hamburg
Posted: Sun 25 Sep '11 21:48
There are a lot of options in php.ini to limit PHP's resources, such as open_basedir, disable_functions, disable_classes and expose_php.
In the manual there is a lot of stuff to read about this:
http://www.php.net/manual/en/security.php
Kanashii
Joined: 17 Jul 2006 Posts: 155 Location: Porando
Posted: Tue 27 Sep '11 19:11
In my case:
I tried to jail php-cgi, but with no effect.
So I just hardened my OS:
In GPO you can restrict application execution to specified paths, but you need to check it without admin rights.
Add privileges to cmd.exe, telnet.exe etc. so that only Administrator can run them.
In php.ini disable functions:
disable_functions = proc_open, proc_close, system, dl, passthru, readfile, shell_exec, popen, escapeshellcmd, getmyuid, pcntl_exec, chown,symlink,get_current_user,getmyuid,dl,ftp_connect
_________
PHP runs on the Apache account, but Apache has no permission to write to .php files !important
So:
If somebody gets access to your server:
they can't run applications and can't write to files.
Separate e.g. MySQL to another account; be careful with SQL injection.
Johannes
Joined: 25 Sep 2011 Posts: 3
Posted: Sun 02 Oct '11 12:08
James Blond, Kanashii, thanks for your responses. I added pcntl_exec to my disable_functions configuration. Kanashii, I noticed you don't have the regular exec function in your disable_functions; maybe you should add that?
It is an interesting idea to set a policy to further limit the rights which the account has.
Locking down PHP like this is a good start, but I would still like to run PHP in its own account. Are there any other CGI alternatives, or other ways to run PHP in its own account? Is there any news about the stability of FastCGI?
Thanks,
//Johannes
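The two php.ini checks this thread turns on, as an added example that is not part of any post here: a small Python audit that parses a php.ini fragment offline and reports (a) which process-spawning functions are missing from disable_functions (the exec omission Johannes points out above) together with duplicate entries in the list, and (b) whether a given file, such as the SSL key from the opening post, lies outside open_basedir, using Windows path rules so that `..` segments and case differences cannot slip past the check. The php.ini fragment (which reuses the disable_functions line Kanashii posted), the key path and the EXEC_FUNCTIONS baseline are constructed for the example and are not from the thread.

```python
"""Offline audit of the php.ini restrictions discussed in the thread.
The ini text, paths and function baseline below are constructed for this
example; they are not a recommended configuration by themselves."""
import ntpath
import re

# Functions that spawn processes or load native code. All of them should
# appear in disable_functions for the setting to mean anything; 'exec' is
# the one missing from the list posted above. (Constructed baseline.)
EXEC_FUNCTIONS = frozenset({
    "exec", "shell_exec", "system", "passthru",
    "proc_open", "popen", "pcntl_exec", "dl",
})


def parse_directive(ini_text, name):
    """Return the value of `name = value` from php.ini text, or None.
    ';' comment lines and [section] headers are skipped, and a later
    assignment overrides an earlier one, as PHP itself does."""
    value = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue
        m = re.match(r"^([A-Za-z_.]+)\s*=\s*(.*)$", line)
        if m and m.group(1).lower() == name.lower():
            value = m.group(2).strip().strip('"')
    return value


def parse_function_list(value):
    """Split a disable_functions value into (set of names, set of duplicates)."""
    names = [n.strip().lower() for n in value.split(",") if n.strip()]
    seen, dups = set(), set()
    for n in names:
        if n in seen:
            dups.add(n)
        seen.add(n)
    return seen, dups


def missing_exec_functions(ini_text):
    """Names in EXEC_FUNCTIONS that disable_functions does not cover."""
    value = parse_directive(ini_text, "disable_functions") or ""
    disabled, _ = parse_function_list(value)
    return sorted(EXEC_FUNCTIONS - disabled)


def duplicate_disabled_functions(ini_text):
    """Names listed more than once in disable_functions (harmless, but a
    sign the list was assembled by hand and never reviewed)."""
    value = parse_directive(ini_text, "disable_functions") or ""
    _, dups = parse_function_list(value)
    return sorted(dups)


def path_inside_basedir(path, basedirs):
    """Lexical check that `path` lies under one of the open_basedir entries.
    Windows rules (ntpath) are applied whatever the host OS: '..' segments
    are collapsed and the comparison is case-insensitive. A lexical check
    cannot see junctions or symlinks; PHP resolves the real path first."""
    target = ntpath.normcase(ntpath.normpath(path))
    for base in basedirs:
        base = ntpath.normcase(ntpath.normpath(base)).rstrip("\\")
        if target == base or target.startswith(base + "\\"):
            return True
    return False


def key_protected_by_basedir(ini_text, key_path):
    """True only if open_basedir is set AND key_path is outside every entry.
    On Windows the entries are separated by ';'."""
    value = parse_directive(ini_text, "open_basedir")
    if not value:
        return False  # no restriction at all: the key is reachable from PHP
    bases = [b for b in value.split(";") if b.strip()]
    return not path_inside_basedir(key_path, bases)


# Constructed php.ini fragment; the disable_functions line is the one posted
# above, the open_basedir entries and key path are made up.
SAMPLE_INI = """
[PHP]
; constructed fragment for the audit
open_basedir = "C:\\www\\htdocs;C:\\php\\tmp"
disable_functions = proc_open, proc_close, system, dl, passthru, readfile, shell_exec, popen, escapeshellcmd, getmyuid, pcntl_exec, chown,symlink,get_current_user,getmyuid,dl,ftp_connect
"""
SAMPLE_KEY = "C:\\apache\\conf\\server.key"  # hypothetical key location

if __name__ == "__main__":
    print("missing from disable_functions:", missing_exec_functions(SAMPLE_INI))
    print("duplicates:", duplicate_disabled_functions(SAMPLE_INI))
    print("key outside open_basedir:", key_protected_by_basedir(SAMPLE_INI, SAMPLE_KEY))
```

Run against the sample it reports `exec` as missing, `dl` and `getmyuid` as duplicates, and the key as outside open_basedir. That last result is only a PHP-level guarantee: with php5_module the key is still readable by the process token PHP runs under, so anything that sidesteps open_basedir inside that process (an extension, an interpreter bug) reaches it, which is exactly why the thread is looking for a separate account.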
Kanashii
Joined: 17 Jul 2006 Posts: 155 Location: Porando
Posted: Sun 02 Oct '11 18:41
exec, yeah, I know; I use exec and phpinfo in one project.
____
The problem is that on Windows there is no solution right now.
Runas.exe /user:pihejdzpi php-cgi.exe
but you need to type the password,
so maybe try
php.bat
@echo off
echo your_password | runas.exe /user:pihejdzpi php-cgi.exe
something like on Unix:
====== php-wrapper ======
#!/bin/sh
PHP_FCGI_CHILDREN=3
export PHP_FCGI_CHILDREN
PHP_FCGI_MAX_REQUESTS=2000
export PHP_FCGI_MAX_REQUESTS
exec /usr/bin/php-fcgi
====== END php-wrapper ======
but httpd needs access to httpd.conf, so somebody can see your PHP password.
Solution:
Create an application that has the fcgid class etc. and then run this application.
________
Now, when I have access to the Apache account from a shell, I can't read files on C: where my OS is, and I can't run applications.
Only in the "bin" directory, where I have Apache and PHP, do I have permission to run.