Shell code

Hi!

I recently got a shell code on my Lighttpd web server that uses many virtaul hosts.

The php shell code was on one of these virtual hosts, but it had access on all other virtaul hosts and linux files.

How could I disallow access out of the folder (like in FTP, you can't see previous directories)?

While your description isn't particular clear, I think you need to setup and configure a chroot jail. Google it, its not a straight forward task.

I found that safe-mode makes things like I like with the directory lock.

But safe-mode makes some of the functions not to work.

Is there a specific option for this way of security?

Still, your description leads something to be desired. Maybe your looking for the open_basedir directive?

Again, if you better described your problem we could likely offer more help.

Well, the problem is that a PHP shell can get to the actual root of the system which also includes access to all other virtual hosts on this web server.

I need to disallow access from one virtual host to another. Safe-mode does this, but that makes problems to available intergrated PHP functions.

Can I use open_basedir with virtual hosts? I got this setting wrong and as a result I had a 404 error everywhere.

Maybe .htaccess in the root of virtual host could do the trick?

You could use something like....

<Directory "/var/www/vhostname">
  php_value open_basedir "/var/www/vhostname"
</Directory>

within your virtual host configuration.

This is lighttpd

Ok, but I ran in to a problem anyway, the virtual host syntax differs.

This is how it looks it lighttpd:

$HTTP["host"] == "x" {
server.document-root = "/var/www/x/htdocs"
server.errorlog = "/var/log/lighttpd/x/error.log"
accesslog.filename = "/var/log/lighttpd/x/access.log"
server.error-handler-404 = "/error.php"
}

Also, .htaccess with:

php_value open_basedir "/var/www/music.ngames.lv/htdocs"

doesn't work, the shell still has access out of the virtual host.

This is lighttpd

Sorry, Ive not used it.

Also, .htaccess with:

Code: [select]

php_value open_basedir "/var/www/music.ngames.lv/htdocs"

doesn't work, the shell still has access out of the virtual host.

That is becasue it is not valid within a .htaccess file.

Honestly,

  If you are using PHP on a server, I suggest using suPHP / suExec.  And if you want to go really paranoid about it, use it under a chroot jail as mentioned.

suPHP Information:

www.suphp.org/

http://www.markgrenham.com/articles/howto_lighttpd_and_suphp

http://www.itc.virginia.edu/server/web/php/suphp.html

http://howtoforge.com/install-suphp-on-various-linux-distributions-for-use-with-ispconfig-2.2.20-and-above

Chroot Information:

What is a Chroot?

http://www.rootprompt.org/article.php3?article=10883

http://www.cyberciti.biz/tips/ultimate-lighttpd-webserver-security.html

If you are anything like me, when researching how to do something, no single how-to or About is going to suffice.  Thats why I am just linking to several different sites.

Essentially, suPHP forces php to run as a particular user and ONLY that user (this can be done per-vhost so ONLY the user owning that vhost can access the php files for that site). 

Added protection would be implementing a chroot jail. Implementing a chroot jail for your web server will isolate the service to a particular location on the filesystem.  The service may be able to access files below its spot on the file system but will typically not be able to get above its location.  (ex. if you hate lighttpd chrooted to /vhosts/mydomain.tld, it will be able to access /vhosts/mydomain.tld/www-data/images but it will not be able to access /vhosts/myotherdomain.tld).