How do I get php to run "in the jail"


Post by derpdarp on Thu Oct 16, 2014 6:47 am

Let's say I have a debian server with php and apache installed. I created two jails for two users, foo and bar.

Foo's account gets compromised. 1337Hacker realizes he's in a jail and decides to compromise as many accounts as possible, and get root. He adds in a few malicious lines of code to a php file running on Foo's account, e.g. exec('cat /etc/passwd'). It works. 1337Hacker realizes php is running as www-data. Meaning, he has the same system-wide access as 'www-data'. Bar had saved a few mysql and login passwords in a text file in his private directory... get where I'm going?

This is actually the situation I'm facing, except my system hasn't been compromised. I realized after setting up the jails that my thinking was flawed, but still on the right track. I set up the jails, then attempted to use php-fpm to create "php pools" by creating a php config file for each "user" I have hosted, running as the "group" I created for the jails (chrootedwebusers). Except, if I use exec('whoami') it still returns the UID of www-data. Meaning, it's not working.

I triple checked, wiped the system to a fresh install and tried again. It's still not working. Anyone able to help?
Re: How do I get php to run "in the jail"

Post by Kage on Thu Oct 16, 2014 5:12 pm

Well, first, let's correct some terminology: it's not a jail, it's a chroot. Jails are pretty much limited to BSD systems, in their commonly-understood sense. A jail would be a whole semi-virtualized OS jail as in FreeBSD, whereas this is just a uid-isolated chroot, effectively.

What you want to accomplish can be done via a few means. First is suPHP, but this requires Apache (bad). You could put nginx in front of Apache, and your problem is solved there. But suPHP is slow.

php-fpm pools are good, but they're tricky. The easiest way I've discovered is to completely isolate each pool: independent socket for each and independent uid/gid for each. Make sure each pool has a uid/gid combo set. Posting configs would help here, too.
~ Kage ~

HackThisSite Manager
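
An added example (not part of the thread or any poster's config) of checking pool definitions against the advice above: each pool should have its own uid/gid and its own socket. The pool names, socket paths and the `SHARED_ACCOUNTS` set are assumptions, and the sample config is constructed.

```python
import configparser
from collections import defaultdict

# Assumption: accounts commonly shared with the web server itself.
SHARED_ACCOUNTS = {"www-data", "nobody", "apache", "nginx"}

# Constructed sample pool file; not the original poster's configuration.
SAMPLE_POOLS = """
; two pools, one still on www-data and both pointing at the same socket
[foo]
user = www-data
group = chrootedwebusers
listen = /var/run/php5-fpm_foo.sock

[bar]
user = bar
group = chrootedwebusers
listen = /var/run/php5-fpm_foo.sock
"""

def audit_pools(text):
    """Return findings for pools that are not isolated by user, group and socket."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings, seen = [], defaultdict(list)
    for pool in cp.sections():
        if pool == "global":          # [global] holds daemon settings, not a pool
            continue
        section = cp[pool]
        user = section.get("user")
        if not user:
            findings.append(f"{pool}: no user set")
        elif user in SHARED_ACCOUNTS:
            findings.append(f"{pool}: runs as shared account {user}")
        for key in ("user", "group", "listen"):
            if section.get(key):
                seen[(key, section[key])].append(pool)
    # Any value used by more than one pool breaks the isolation between them.
    for (key, value), pools in sorted(seen.items()):
        if len(pools) > 1:
            findings.append(f"{'+'.join(pools)}: share {key} {value}")
    return findings

if __name__ == "__main__":
    for line in audit_pools(SAMPLE_POOLS):
        print(line)
```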


Re: How do I get php to run "in the jail"

Post by tremor77 on Thu Oct 16, 2014 8:45 pm

An easy way to handle this is with webmin/virtualmin and can be set up to work with apache or nginx all packed into a tidy web based GUI-ish interface http://www.webmin.com/vdownload.html.

Virtualmin can create your web virtual hosts and manage user permissions within that scope on your server. It operates in 3 php modes but you'd want FCGID or CGI not modphp. I once found a guide for setting up phpfpm with virtualmin but after several days of hacking at it I was never able to get it to work properly. It's also pretty handy for setting up a shit ton of other stuff and configuration of your server especially if it's a virtual server and you only have console access and you're lazy or crunched for time to admin the l33t way.


Re: How do I get php to run "in the jail"

Post by tgoe on Fri Oct 17, 2014 2:23 am

What is stopping you from using virtualization / real jails? I'd recommend a FreeBSD host. If you have Linuxy stuff, I could walk you thru the Linuxulator and jailing Gentoo/CentOS.

(Easier than it seems.)


Re: How do I get php to run "in the jail"

Post by derpdarp on Sat Oct 18, 2014 6:55 am

Kage wrote: Well, first, let's correct some terminology: it's not a jail, it's a chroot. Jails are pretty much limited to BSD systems, in their commonly-understood sense. A jail would be a whole semi-virtualized OS jail as in FreeBSD, whereas this is just a uid-isolated chroot, effectively.

What you want to accomplish can be done via a few means. First is suPHP, but this requires Apache (bad). You could put nginx in front of Apache, and your problem is solved there. But suPHP is slow.

php-fpm pools are good, but they're tricky. The easiest way I've discovered is to completely isolate each pool: independent socket for each and independent uid/gid for each. Make sure each pool has a uid/gid combo set. Posting configs would help here, too.


Thanks I'm shit with terminology/kinda noob to this whole thing. I use FreeBSD for my virtual machine, but the host I use for VPS (which is rather cheap and completely unmanaged) won't install FreeBSD as an OS. I looked into suPHP but it seems that others have stated that it is rather unreliable/insecure?

Second, as an update to the original post, I figured out the chroot. I got php-fpm working with apache, except that when I enabled the php-fpm chroot setting, FastCGI started throwing an error:

Code:
[Thu Oct 16 10:46:39 2014] [error] [client myip] FastCGI: server "/usr/lib/cgi-bin/php5-fcgi_bobssite.com" stderr: Primary script unknown
[Thu Oct 16 10:46:39 2014] [debug] mod_deflate.c(700): [client myip] Zlib: Compressed 16 to 24 : URL /php5-fcgi/user.php


I narrowed down the issue to being related to exactly when I enabled PHP-FPM Chroot. It otherwise displayed content fine and ran under the correct user (tested with <?php exec('whoami'); ?>). For some reason, the FastCGIExternalServer path setting I had in my apache virtualhost config file was wrong. I tried a bunch of different paths and it never worked out. I tried changing the path from /usr/lib/cgi-bin/php5-fcgi_bobssite.com to /var/jails/bob/bobssite.com/public_html/cgi-bin. That didn't work either, and even messing around with the setting, changing it to various paths, I couldn't get it to work. Long story short, after like 10 hours I decided to abandon apache for nginx. More on that in a second.

tremor77 wrote: An easy way to handle this is with webmin/virtualmin and can be set up to work with apache or nginx all packed into a tidy web based GUI-ish interface http://www.webmin.com/vdownload.html.

Virtualmin can create your web virtual hosts and manage user permissions within that scope on your server. It operates in 3 php modes but you'd want FCGID or CGI not modphp. I once found a guide for setting up phpfpm with virtualmin but after several days of hacking at it I was never able to get it to work properly. It's also pretty handy for setting up a shit ton of other stuff and configuration of your server especially if it's a virtual server and you only have console access and you're lazy or crunched for time to admin the l33t way.


I have looked at Virtualmin or webmin but I'm looking to learn how to do it myself.

tgoe wrote: What is stopping you from using virtualization / real jails? I'd recommend a FreeBSD host. If you have Linuxy stuff, I could walk you thru the Linuxulator and jailing Gentoo/CentOS.

(Easier than it seems.)


I don't want to shell out money for a dedicated server. I am running on a cheap, unmanaged VPS host. They won't install FreeBSD but do offer centos/arch/etc.

Anyway if someone knows of a cheap unmanaged vps (under 20) LMK.

As for my situation as posted above, after 10 hours of attempting to figure this out, I just wiped the VPS, and decided to go with nginx. It appears that (quite possibly) apache + fastcgi + phpfpm don't mix? I haven't quite gotten around to re-attempting the whole php-fpm settings/fastcgi. I'm about to attempt that in a few minutes and I'll post back if I can't figure it out.

Here's my post on serverfault that includes the original config files I had set up:

http://serverfault.com/questions/637551/page-displays-file-not-found-when-i-enable-php-fpm-chroot-on-debian-wheezy-apa

-- Mon Oct 20, 2014 11:50 am --

For anyone who happens across this:

Although I ended up switching to nginx, and reconfiguring my directories so they looked like

/var/chroots/users/bob/home/bobssite.com/public_html/index.php

chroot in the php5 fpm file should look like this

chroot = /var/chroots/users/bob/
chdir = /

then in the nginx config file

root /home/bobssite.com/public_html;

Code:
location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php5-fpm_bobssite.com.sock;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_index index.php;
    include /etc/nginx/fastcgi_params;
}



I guess my error when I was using apache was that I was configuring the chroot and the web root to the same values.
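
An added example (not from the thread) of why the chroot and the web root have to line up: once a pool is chrooted, php-fpm resolves SCRIPT_FILENAME from the new root, so a path that still carries the chroot prefix points at nothing and the request fails with "Primary script unknown". The function names are hypothetical and the directory tree is a constructed copy of the layout in the post, built under a temp directory.

```python
import os
import tempfile

def fpm_view(chroot, script_filename):
    """Host path php-fpm ends up opening: SCRIPT_FILENAME re-rooted at the chroot."""
    return os.path.join(chroot, script_filename.lstrip("/"))

def check(chroot, document_root, script_name):
    """Build SCRIPT_FILENAME as $document_root$fastcgi_script_name and test it
    from inside the chroot. Returns (status, suggested_root or None)."""
    script_filename = document_root.rstrip("/") + script_name
    if os.path.isfile(fpm_view(chroot, script_filename)):
        return ("ok", None)
    prefix = chroot.rstrip("/")
    if script_filename.startswith(prefix + "/"):
        # The web root was given as a host path; see if dropping the chroot
        # prefix yields a file the chrooted pool can actually reach.
        stripped = script_filename[len(prefix):]
        if os.path.isfile(fpm_view(chroot, stripped)):
            suggested = stripped[: -len(script_name)] or "/"
            return ("primary script unknown", suggested)
    return ("primary script unknown", None)

def build_sample_tree(base):
    """Constructed layout mirroring the post, created under `base`."""
    chroot = os.path.join(base, "var/chroots/users/bob")
    webroot = os.path.join(chroot, "home/bobssite.com/public_html")
    os.makedirs(webroot)
    with open(os.path.join(webroot, "index.php"), "w") as fh:
        fh.write("<?php echo 'ok';\n")
    return chroot, webroot

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        chroot, webroot = build_sample_tree(base)
        # Root relative to the chroot, as in the working config.
        print(check(chroot, "/home/bobssite.com/public_html", "/index.php"))
        # Root given as the full host path.
        print(check(chroot, webroot, "/index.php"))
        # Chroot and web root set to the same value.
        print(check(webroot, webroot, "/index.php"))
```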