logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Other Software View previous topic :: View next topic
Reply to topic   Topic: PHP service account
Author
Johannes



Joined: 25 Sep 2011
Posts: 3

PostPosted: Sun 25 Sep '11 17:02    Post subject: PHP service account Reply with quote

Up until recently my Apache/PHP configuration has been secure enough by running PHP with the php5_module and Apache under a service account with user privileges (thus not allowing administration rights or self configuration changes). However now I need to allow Apache read access of a file (ssl key) but not PHP (to ensure the key can't be exposed). I would therefore like to give PHP its own service account, however this does not seem possible when running PHP as a module. It looks like an option may be to run PHP as a CGI, say FastCGI. But it doesn't look like FastCGI is as stable as it would need to be. I have thought about running PHP as a standard cgi-bin but this doesn't seem like fast/optimal solution.

Are there any other ways of securing my file from PHP? (Service account or other methods)

At the moment I have "secured" (probably just obscured) my file by using disable_functions and open_basedir, but this isn't the right way of doing it.

I have heard php-fpm is nice, is this suitable?

(Server 2008 r2, Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e, PHP 5.3.8 )

Thanks for any tips/ideas!
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Sun 25 Sep '11 21:48    Post subject: Reply with quote

There are a lot of options in php.ini to limit PHPs resources. Such as open basedir, disable functions, disable classes, expose php

In the manual there is lot of stuff to read about this:
http://www.php.net/manual/en/security.php
Back to top
Kanashii



Joined: 17 Jul 2006
Posts: 155
Location: Porando

PostPosted: Tue 27 Sep '11 19:11    Post subject: Reply with quote

In my case:

i try to jailbreak Php-cgi but no effect

So i just harding my OS:

In GPO you can restrict to execute application in specify path, but you need check without admin.
Add privileges to: cmd.exe telnet.exe etc etc to only administrator to run

in php.ini disable functions:

disable_functions = proc_open, proc_close, system, dl, passthru, readfile, shell_exec, popen, escapeshellcmd, getmyuid, pcntl_exec, chown,symlink,get_current_user,getmyuid,dl,ftp_connect

_________

PHP run on Apache account - but apache has no permissions to write to .php files !important

So:
Somebody had acces to your server:
Can't run application cant write to files

Separate eq mysql to another accountant bee cheerful with Sql injection
Back to top
Johannes



Joined: 25 Sep 2011
Posts: 3

PostPosted: Sun 02 Oct '11 12:08    Post subject: Reply with quote

James Blond, Kanashii thanks for your responses. I added pcntl_exec to my disable_functions configuration. Kanashii I noticed you don't have the regular exec function in your disable_functions, maybe you should add that?

It is an interesting idea to set a policy to further limit the rights which the account has.

Locking down PHP like this is a good start, but I would still like to run PHP in its own account. Are there any other CGI alternatives, or other ways to run PHP in its own account? Is there any news about the stability of FastCGI?

Thanks,

//Johannes
Back to top
Kanashii



Joined: 17 Jul 2006
Posts: 155
Location: Porando

PostPosted: Sun 02 Oct '11 18:41    Post subject: Reply with quote

exe heay i know i use in one project exec Razz and phpinfo Smile
____

Problem is that on Windows there is no solution right now

Runas.exe /user:pihejdzpi php-cgi.exe

but you need type password

so meybe try

php.bat

@echo off
echo your_password | runas.exe /user:pihejdzpi php-cgi.exe

somthing like on Unix

====== php-wrapper ======
#!/bin/sh
PHP_FCGI_CHILDREN=3
export PHP_FCGI_CHILDREN
PHP_FCGI_MAX_REQUESTS=2000
export PHP_FCGI_MAX_REQUESTS
exec /usr/bin/php-fcgi
====== END php-wrapper ======

but http need access to http.conf so sombody can see you php password

Solution:
Create application that has fcgid class etc and then run this application



________


Now when i had access to apache account from shell i can't read files on c: when is my os cant run application.
Only on dir "bin" where i had apache,php i had permissions to run
Back to top


Reply to topic   Topic: PHP service account View previous topic :: View next topic
Post new topic   Forum Index -> Other Software