[HCS-D]mod_php alternatives? (and tonight's work)

Gregory N. Price gprice at fas.harvard.edu
Mon Dec 6 15:57:32 EST 2004


  On Mon, Dec 06, 2004 at 09:15:23AM -0500, Philip Zeyliger wrote:
    There are hacky ways to run PHP as users.  We use them.  I set
    them up...  The short story is you copy a binary to your scripts
    dir, add a few lines to .htaccess, and everything *.php gets run
    by that program, which runs PHP for you.  I can go into
    more detail at a later time.

Yeah, I saw what looked like such a thing in ~dunster.  I saw also on
Google a how-to for what looked like setting up such a thing systemwide.

We do want to make it systemwide.

I haven't looked carefully at this script; is it the sort of thing
that'd leave us more secure than we started?


Some other solutions spotted last night:

 - A patch to suexec that lets it know about PHP:

    http://www.localhost.nl/patches/

 - A separate suexec just for PHP:

    http://www.suphp.org/


Naturally, we won't install any such thing without being confident
it's a good idea.


  On Mon, Dec 06, 2004 at 02:38:34AM -0500, Ivan Krstic wrote:
    > ... without having apache run as root (which in itself is a really bad idea).
    
    This is accurate. The solution is securing the system in other ways, 
    including but not limited to ACLs, TPE, socket control, and chroot for 
    the web server.

Do you mean running apache as root, and then doing other things to
maintain security?

I expect running a small piece as root -- rather like suexec -- is a better idea.

    I will bring this up at the meeting tonight, but several things are 
    apparent to me at this point:
    
    (1) HCS ought to create a new post for a security manager/CSO
    (2) the choice of operating system, security, and software on public HCS 
    machines ought to be reconsidered once the CSO has been appointed
    (3) installation baselines ought to be produced and kept on 'cold' media
    (4) installation baselines need to be integrated, probably 
    automatically, into an up-to-date map of software, with accompanying 
    version information, deployed across all HCS machines, for a god's-eye 
    view of potential security problems

Yep, we'll talk about these.  Lots of things are good ideas for HCS to
do if someone wants to put in the time to do them.


                Gregory



More information about the hcs-discuss mailing list