S.L.A.M.P ... thoughts?
Secured Linux Apache MySQL PHP ...
So what do I mean? Well, take for example the following scenario:
Shared hosting L.A.M.P environment hosting say 12 sites.
11/12 sites are bespoke closed source PHP web applications.
No. 12, however, is running, say for example, Joomla and is owned by a non-tech-savvy client.
The example I speak of is where site no. 12, due to not updating the Joomla installation with the latest security fixes, falls prey to an exploit, and worse still the exploit allows XSSI. The attacker can therefore now run a script such as phpTERM to gain SSH-like access, allowing compromising access to all sites running on the box. Due to the default Apache nature of needing a minimum of read and execute perms to all scripts, the attacker, now traversing the file system as apache, can read config scripts to gain, if nothing else, database passwords.
Thus far I have a working solution to this in suPHP, a derivative of mod_suexec. This forces the PHP binary to run as the user to whom the file belongs, meaning that file-based permissions of 711 for directories and 700 for files can be enforced whilst allowing pages to be served. In this environment, should a site be compromised, the attacker has access only to that site's files.
There are of course more security measures that must be implemented for this to work, MySQL user restricted to their own db etc ...
I am in the process of a write-up on my blog covering this topic. It is aimed more at damage limitation in the event of a compromised web app. What I would like is some thoughts / suggestions on improving this method, or even alternate methods for 'locking down' a shared hosting environment without the complications of chrooting, for which I will provide credits of course.
Thanks for your feedback.
Bah bang goes that method ...
Any non-PHP files are not su-execed; as such, trying to access, say, an image results in a 403 error :'(.
I'll post back with a fix once I find one.
UPDATE: The only workaround I could find was CHMOD ... 600 for PHP files (a bash script runs hourly to make sure this is the case for all PHP files) ... 644 for everything else (711 for dirs)
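
A sketch of the hourly permission sweep described in the update, as an added example that is not the poster's script. It assumes each site's docroot is passed as an argument, that PHP files are identified by the `.php` suffix only, and that it runs as the file owner or root; the function name `enforce_perms` is hypothetical.

```shell
#!/bin/sh
# Added example (not the poster's script). Applies the scheme from the update:
#   directories 711, *.php files 600, every other regular file 644.
# Prints each path whose mode it had to change, so an hourly cron run
# doubles as a drift report. find does not follow symlinks here, and
# -type f / -type d never match a symlink, so links are left untouched.

enforce_perms() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }

    # Directories: traverse-only for group/other, so listings are not readable.
    find "$root" -type d ! -perm 711 -exec chmod 711 {} \; -print

    # PHP sources (config files with DB passwords included): owner-only.
    # suPHP runs the interpreter as the owner, so Apache needs no read access.
    find "$root" -type f -name '*.php' ! -perm 600 -exec chmod 600 {} \; -print

    # Static content is served by Apache itself and must stay world-readable,
    # which is why images returned 403 under the earlier 700 scheme.
    find "$root" -type f ! -name '*.php' ! -perm 644 -exec chmod 644 {} \; -print
}

# Usage (docroot paths are whatever the host uses):
#   sh this-script /path/to/site1 /path/to/site2
for site in "$@"; do
    enforce_perms "$site"
done
```

Because only deviating entries are touched and printed, a non-empty output on a later run shows which files drifted from the scheme since the last sweep.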