Hi Guys, I found a shell (c99) on one of our servers recently and thought I'd have a bit of a poke around with it before deleting it this time. All our sites run with suphp on this server. This file was uploaded via FTP so it's not suphp's fault; however, I was quite alarmed to see that I can browse most of the file system of the server from this shell (e.g. I can view /etc/passwd). However, if I change the site to use mod_php, then I can't browse to these directories. I thought the point of suphp was that it wouldn't allow any files to be opened that are not owned by the webx/clientx user/group. Is this a config error on this server or have I misunderstood something? Examples available if you'd like to see. Cheers.
The purpose of suphp is to run a script under a different user. Whether a file can be opened by this user or not is defined by the Linux file permissions and ownership of that file. For example, /etc/passwd is a file that is world readable on all Linux systems, so you can read it as any user. So it's not suphp's fault that you can open it. The file that contains the sensitive data (passwords) is /etc/shadow and not /etc/passwd, and the /etc/shadow file cannot be opened. mod_php is not as secure as suphp or php-fcgi + suexec, as mod_php runs the scripts as the apache / www-data user, which allows an attacker to access all files of all other sites even if they are set chmod 600. php-fcgi + suexec is the recommended setting as it runs scripts as the web user but is much faster than suphp. That you can't open some files with mod_php indicates that you might have disabled functions with php_admin_value or similar, or that you disabled functions in the php.ini for mod_php but not in the one used by suphp or php-fcgi.
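The practical consequence of the answer above is that, under suphp or php-fcgi + suexec, the only thing protecting one site's config.php from a shell running as another site's user is the "other" read bit on that file. The following audit script is an added example and is not part of the original thread or of suphp itself; it builds a constructed two-site tree (the paths, file names and modes are invented for the demo) and lists every regular file that any local user could read, which is exactly what a c99 shell running as web2 could open in web1.

```shell
#!/bin/sh
# Added example (not from the original post): find files under a web root that
# every uid on the box can read, i.e. files that suphp/suexec isolation does
# NOT protect because their "other" read bit is set.

# List regular files under $1 whose mode has the other-read bit (o+r, octal 004).
# Ownership is irrelevant here: any user, including other sites' PHP
# processes, can open these.
world_readable_files() {
    find "$1" -type f -perm -004 | sort
}

# Build a throwaway tree that mimics two suphp sites with mixed permissions.
# Layout and contents are constructed for this demo; prints the temp root.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/web1/web" "$root/web2/web"
    printf '<?php $db_pass = "secret";' > "$root/web1/web/config.php"
    printf '<?php echo "hi";'           > "$root/web1/web/index.php"
    printf '<?php $db_pass = "other";'  > "$root/web2/web/config.php"
    chmod 600 "$root/web1/web/config.php"   # owner only: safe under suphp/suexec
    chmod 644 "$root/web1/web/index.php"    # world readable, but holds no secrets
    chmod 644 "$root/web2/web/config.php"   # world readable secrets: the leak
    echo "$root"
}

# Count how many files world_readable_files reports for $1.
count_world_readable() {
    world_readable_files "$1" | wc -l | tr -d ' '
}

# Usage: sh audit.sh /var/www   (runs the audit only when a path is given)
if [ "$#" -gt 0 ]; then
    world_readable_files "$1"
fi
```

On a real server run it against the directory that holds all the site document roots; every config file it lists should be tightened to `chmod 600` (or 640 with a group that only the owning site user is in). Code files such as index.php showing up is normal, since they contain nothing secret.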
Ok that's great - thank you Till. That gives me something to look into. Appreciated very much as usual. Cheers!