php multiuser system – the www-data problem

On a lot of multi-user systems, like the one at the school where we have 300+ users all with usermod enabled, we also happen to have other web services running. It’s inconvenient and in insecure for everyone to be running their dynamic web stuff as the same user. I understand this is nearly impossible to do with good security, but this is a university and the point of this server is to let students learn, which means being able to host code.

One security problem in particular is php. suexec was built for cgi-bin stuff – but php is a whole other beast. That’s what I’m talking about here – getting php to run as the user who owns it. More specifically, this will show how /home/user/public_html/myphp.php will run as “user”, but stuff in /var/www will still run as www-data.

One good article I found describing this is here: http://alain.knaff.lu/howto/PhpSuexec/

First things first – mod_php needs to be disabled. This can be done globally, but it’s better to just disable it for public_html dirs. This can be done by adding the following to /etc/apache2/apache2.conf.

<Directory /home>
 php_admin_flag engine off
</Directory>

Now, to enable suphp.

First install php-cgi. and the apache2 prefork which has some things we’ll need later on.

apt-get install php-cgi apache2-prefork-dev

Do not install libapache2-mod-suphp – at least not on 8.04. This older version lacks some of the things most people need… like having more than one directory.

Download the latest suphp module from http://www.suphp.org/Home.html.  Compile this like:

tar xfzv suphp-SNAPSHOT-2008-03-31.tar.gz
cd suphp-SNAPSHOT-2008-03-31
./configure --with-apxs=/usr/bin/apxs2 --with-setid-mode=owner
make
make install

Modify apache’s config

LoadModule suphp_module /usr/lib/apache2/modules/mod_suphp.so
<Directory /home>
AddHandler application/x-httpd-php .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-php
suPHP_Engine on
</Directory>

Now in /usr/local/etc/suphp.conf

[global]
webserver_user=www-data
docroot=${HOME}/public_html
check_vhost_docroot=false

[handlers]
;Handler for php-scripts
application/x-httpd-php="php:/usr/bin/php-cgi"

Restart apache. To debug, check /var/log/apache2/errors.log.  To test create scripts in public_html directories and in /var/www that exec(‘whoami’) and make sure they’re called with the correct permissions.

It’s a start, but then there’s always stuff like XSS, etc.

Auto Restore Virtualbox

For the security class I’m teaching we recently had a box to pwn. Problem is, they would sometimes get the address wrong and crash the virtual system. I probably would have just distributed the vdi, but not all of them have machines robust enough to run a vm, so I had to set something up.
First off, I gave the virtual vulnerable box a public IP by bridging.

/etc/network/interfaces

auto eth0
iface eth0 inet manual

auto br0
iface br0 inet static
    address 134.50.1.2
    netmask 255.255.0.0
    gateway 134.50.1.254
    bridge_ports eth0 vbox0 vbox1

# The loopback network interface
auto lo
iface lo inet loopback

/etc/vbox/interfaces

vbox0 lundeen br0
vbox1 lundeen br0

Awesome, now firewall rules work. In the vulnbox, I give myself an ip address. On the host, I set up very strict firewall rules using iptables.

Another big issue is auto-restore. Since the class often gets an address wrong, the vulnbox often crashes.

The following will shut the box down, revert to a snapshot, and turn it back on.

/usr/bin/VBoxManage controlvm vulnxp poweroff;
sleep 5;
/usr/bin/VBoxManage snapshot vulnxp discardcurrent -state
sleep 10;
/usr/bin/VBoxManage startvm vulnxp</pre>

Anyway, I put this in crontab to do every 20 minutes.

0,20,40 * * * * /path/to/virtualscript

Social Network Analysis of Disclosure

Count number of lines in a file

find . -type f -exec cat {} ; | wc -l

and if you don’t want repeats

find . -type f -exec cat {} ; | egrep \S | wc -l

I even thought about cat, but I ended up doing something like:

total=0
for i in $( find -H . -type f ); do
  temp=$( wc -l "$i" | cut -f 1 -d  )
  if [ $temp &gt; 0 ]; then
    total=$(($total+$temp))
  fi
  echo $total
done
echo $total

Bash Error Checking

I was reading an oriley bash scripting book, and they had an entire chapter dedicated to error checking in bash.  For me, this was a little weird since I think the way they handled it made the code cluttered.

They have cascaded statements like

if [ $ -ne 0 ]; then
#handle error
elif…

For me, this is strange.  I think in a bourne shell, the best way is to just set the -e flag, which according to the man page

-e errexit If not interactive, exit immediately if any untested command fails. The exit status of a command is considered to be explicitly tested if the command is used to control an if, elif, while, or until; or if the command is the left hand operand of an “&&” or “||” operator.

This can be accomblished by

set -e

in your script.

Error handling is a balancing act between doing too much and handling everything (thus making the code unreadable) and not checking enough.  Normally, if I need much more error checking than that, time to pull out the python.