The Community Forums


/TMP folder - Security Issues

Discussion in 'Security' started by legalbrr, Dec 9, 2009.

  1. legalbrr

    legalbrr Member

    Joined:
    Nov 1, 2009
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Hello everybody,

    I searched A LOT and couldn't find a good answer...
    So, I'll ask the experts here... =)

    Without using PHP_SUEXEC, is there ANY WAY to make the "/tmp" folder secure, without compromising sessions and/or file uploads?

    I mean, look at the following PHP code:
    Code:
    <?php
      // Lists every entry in the shared /tmp, including other users' session files
      $dirObj = dir("/tmp");
      // compare against false explicitly so an entry literally named "0" does not end the loop
      while (($file = $dirObj->read()) !== false)
        echo "I can read the file: {$file}<br />";
      $dirObj->close();
    ?>
    And, once you get the filename above (phpsess_7326487326dabc4 for example), users can also run the following code to READ it:
    Code:
    <?php
      // Dumps the contents of a session file whose name was learned from the listing above
      echo "<pre>";
      echo file_get_contents("/tmp/phpsess_xxxxxxxxx");
      echo "</pre>";
    ?>
    I'm sure that I don't need to explain how dangerous sessions files can be. If you just know the "xxxxxxxxxxxxx" (id of the session), you can simulate a logged-in user just by passing ?PHPSESSID=xxxxxx on the correct domain (that you would have to guess, but myipneighbors gives a huge help on it).

    The only kind of protection I've seen so far is about the "file_get_contents". I mean, I still can READ the whole directory (and get the session_id of all users on that machine), but if I try to "get contents", it returns me a "Permission Denied" message.

    I'm mounting my VPS and I just don't have ANY IDEA what I can do to make it safer. I had two reseller accounts recently, and BOTH servers were vulnerable as said above.

    Ps: I already enabled "open_basedir" restriction, the problem still remains.

    What about PHP_SUEXEC? If I use it, I will lose:
    - htaccess php directives (I don't want to...)
    - cgi consumes greater resources from the system (I'm in a VPS.. I'm worried about 10 MB of memory for each PHP CGI instance)
    - Permissions 0777 not allowed. Why!??? As I am allowing ONLY php (not SSH nor PERL), open_basedir can secure everything even with 0777 permission.. Every developer is used to putting 0777 when php needs to write there. There is no problem, I don't feel comfortable changing this.

    So, PHP_SUEXEC fixes the security problem mentioned above?
    Is it the ONLY solution to fix that problem?

    Ps: I tried the "/securetmp" script, but had absolutely no success.
    I think all it does is take away the "exec" perms from that folder, but it is still readable (and writeable?) to everyone.

    Thank you very much!
     
  2. hostultra

    hostultra Well-Known Member

    Joined:
    Aug 21, 2002
    Messages:
    167
    Likes Received:
    0
    Trophy Points:
    16
    chmod your /tmp to 0733.

    This allows read and write access but prevents listing the directory contents.
    It works fine with sessions and uploads.

    One downside is that php's garbage collection will no longer work, so you will need to regularly delete old session files from /tmp or it will fill up quickly, just program a script to delete them after a few days of no reads or writes.
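    A cleanup script of the kind hostultra describes, written here as an added example rather than taken from the thread or from cPanel's scripts. It assumes PHP's "files" save handler, which names session files sess_<id> (the "phpsess_" spelling in the first post is not the actual prefix), a save path of /tmp, and that the job runs from root's cron, because once /tmp is 0733 root is the only account that can still list the directory; the demo directory it builds is constructed and stands in for a real /tmp.

```shell
#!/bin/sh
# Added example, not from the thread: remove stale PHP session files from a
# save path that PHP's own garbage collector can no longer list (a /tmp that
# was chmod'ed 0733).  Intended to run from root's cron, e.g. once an hour.
# Assumptions: PHP "files" save handler naming (sess_<id>); find with
# -mtime/-delete.  Age is judged on mtime, exactly as PHP's GC does; atime is
# not used because relatime/noatime mounts make it meaningless.

# purge_stale_sessions SAVE_PATH DAYS
# Deletes regular files named sess_* directly inside SAVE_PATH whose last
# modification is more than DAYS days old, and prints how many were removed.
purge_stale_sessions() {
    save_path=$1
    days=$2
    [ -d "$save_path" ] || { echo "no such directory: $save_path" >&2; return 1; }
    case $days in ''|*[!0-9]*) echo "DAYS must be a non-negative integer" >&2; return 1 ;; esac
    # -maxdepth 1: PHP writes session files directly into the save path.
    # -xdev: never cross into another filesystem mounted below it.
    # -type f: ignore directories or symlinks that happen to be named sess_*.
    count=$(find "$save_path" -maxdepth 1 -xdev -type f -name 'sess_*' \
                 -mtime +"$days" -print -delete | wc -l)
    echo $((count))
}

# demo_purge: builds a constructed session directory (a stand-in for /tmp),
# ages two files artificially and shows what the cleanup removes.
demo_purge() {
    d=$(mktemp -d)
    touch "$d/sess_active" "$d/sess_expired" "$d/upload.tmp"
    # push the mtime of two files back to 2009 so they count as stale
    touch -t 200912090000 "$d/sess_expired" "$d/upload.tmp"
    echo "removed: $(purge_stale_sessions "$d" 7) session file(s)"
    ls "$d"         # sess_active and upload.tmp remain; only sess_* is touched
    rm -rf "$d"
}

if [ -n "${PURGE_DEMO:-}" ]; then demo_purge; fi
```

    Run it as `PURGE_DEMO=1 sh purge.sh` to see the demo; in production call `purge_stale_sessions /tmp 3` from root's crontab. The file-name filter matters: an upload in progress or another daemon's temp file in the same directory must not be swept up just because it is old.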
     
  3. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    I would consider using a combination of both SuExec (for CGI scripts) and SuPHP (for PHP scripts). Using SuPHP will ensure that new session files from PHP scripts are created with an ownership by the same user that is defined in the domain's virtual host in the Apache configuration. On a test server that uses SuPHP the session files also have an access permission (chmod) value of "0600" ensuring that access is restricted from other users.

    The following menu path in WHM may be used to switch the PHP handler to SuPHP; availability of SuPHP depends on if it was selected in the customizable build profile settings when running EasyApache:
    WHM: Main >> Service Configuration >> Apache Configuration >> PHP and SuExec Configuration
    Documentation:
    Configure PHP and suEXEC

    Here is the menu path in WHM to access EasyApache:
    WHM: Main >> Software >> EasyApache (Apache Update)
    Documentation:
    EasyApache (Apache Update)
    Apache & cPanel/WHM

    I recommend the following documentation for learning more about the available PHP handlers, including SuPHP, and for some additional information about hardening the PHP configuration:
    Apache PHP Request Handling
    Hardening PHP
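    An audit of the condition cPanelDon describes SuPHP establishing (session files owned by the account's user and mode 0600), added here as an example; it is not part of the thread or of cPanel's tooling. It also checks the directory mode that a per-account session save path, of the kind suggested later in this thread, should have. It assumes the "files" handler's sess_ prefix and GNU findutils and coreutils (`-perm /`, `-printf`, `stat -c`); the directory the demo inspects is constructed, not a real /tmp.

```shell
#!/bin/sh
# Added example, not from the thread: report PHP session files in a save path
# that any other local account could read, i.e. the state SuPHP is meant to
# prevent (per-user ownership, mode 0600).  Under mod_php every session file
# belongs to the web server user and usually carries mode 0644, so any account
# that learns the file name can read the serialized session.
# Assumptions: "files" save handler naming (sess_<id>); GNU find and stat.

# find_exposed_sessions SAVE_PATH
# Prints "owner mode path" for each sess_* file with any group or other read
# bit set.  Returns 0 if none are exposed, 1 if some are, 2 on usage error.
find_exposed_sessions() {
    save_path=$1
    [ -d "$save_path" ] || { echo "no such directory: $save_path" >&2; return 2; }
    exposed=$(find "$save_path" -maxdepth 1 -xdev -type f -name 'sess_*' \
                   -perm /g+r,o+r -printf '%u %m %p\n')
    [ -z "$exposed" ] && return 0
    printf '%s\n' "$exposed"
    return 1
}

# save_path_is_private SAVE_PATH
# A per-account session directory should be 0700 (optionally with the sticky
# bit, 1700) so other accounts can neither list nor traverse it.
save_path_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case $mode in
        700|1700) return 0 ;;
        *)        return 1 ;;
    esac
}

# demo_audit: constructed directory mixing a correctly protected session file
# with two that are readable by group or world.
demo_audit() {
    d=$(mktemp -d)
    touch "$d/sess_ok" "$d/sess_world" "$d/sess_group"
    chmod 600 "$d/sess_ok"; chmod 644 "$d/sess_world"; chmod 640 "$d/sess_group"
    if find_exposed_sessions "$d"; then echo "no exposed session files"; fi
    save_path_is_private "$d" && echo "$d is private (0700)"
    rm -rf "$d"
}

if [ -n "${AUDIT_DEMO:-}" ]; then demo_audit; fi
```

    `AUDIT_DEMO=1 sh audit.sh` runs the constructed demo; `find_exposed_sessions /tmp` on a mod_php server typically lists every session file, which is the measurable difference SuPHP makes. The owner column is worth reading too: files that are 0600 but all owned by the web server user are still shared between every site running under that user.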
     
  4. hostultra

    hostultra Well-Known Member

    Joined:
    Aug 21, 2002
    Messages:
    167
    Likes Received:
    0
    Trophy Points:
    16
    That doesn't really fix the problem.
    An attacker trying to exploit this does not need to actually read the file, knowing the filename is enough.
     
  5. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    If the system administration team sees fit they may apply more restrictive access permissions where desired, including to thoroughly audit and harden their systems software configurations as required by their business' unique hosting needs. In addition to SuPHP, another example to further separate different accounts would be to use a unique session save path per individual user; the administrators may also want to consider applying additional measures such as a customized Suhosin configuration for PHP. Nothing will be an end-all solution but taking advantage of additional security measures whenever possible is necessary to further reduce the potential risk involved and mitigate abuse when it eventually does occur.
     
  6. Janak

    Janak Well-Known Member

    Joined:
    Jul 18, 2009
    Messages:
    71
    Likes Received:
    1
    Trophy Points:
    6
    You can make /tmp non-executable. Just edit the way that it is mounted in the file /etc/fstab. Find the line that contains /tmp and change the defaults to read nosuid,noexec instead.
     
  7. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    For reference, the above measure is included when using the script "securetmp" that was said to have been performed.
    Code:
    # /scripts/securetmp
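    A check that the /tmp mount actually carries the nosuid,noexec options Janak's fstab edit (and the securetmp script mentioned above) are meant to apply, added here as an example; it is not part of the thread or of cPanel's scripts. It reads the kernel's live mount table, since /etc/fstab only says what should happen at the next mount. The two mount tables in the demo are constructed, not captured from a real server, and the device path /dev/loop0 in them is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: confirm that /tmp is currently mounted
# nosuid,noexec by reading the live mount table (/proc/mounts on Linux) rather
# than /etc/fstab, which only describes the next mount.  Call
# check_tmp_hardening with no argument against the real system, or pass a
# saved mount table to inspect it offline.
# Assumption: /proc/mounts line format "device mountpoint fstype options dump pass".

# mount_opts MOUNTS_FILE MOUNTPOINT
# Prints the option string of the last entry for MOUNTPOINT (a later mount on
# the same path shadows an earlier one).  Returns 1 if nothing is mounted there.
mount_opts() {
    awk -v mp="$2" '$2 == mp { opts = $4 }
                    END { if (opts == "") exit 1; print opts }' "$1"
}

# has_opt OPTS OPT: exact match within a comma-separated option list, so
# "nosuid" is not satisfied by some other option that merely starts with it.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# check_tmp_hardening [MOUNTS_FILE]
# Prints "ok" or "MISSING" for each required option and returns 0 only when
# /tmp is a separate mount carrying both noexec and nosuid.
check_tmp_hardening() {
    table=${1:-/proc/mounts}
    opts=$(mount_opts "$table" /tmp) || { echo "/tmp is not a separate mount"; return 1; }
    rc=0
    for want in noexec nosuid; do
        if has_opt "$opts" "$want"; then
            echo "$want: ok"
        else
            echo "$want: MISSING"; rc=1
        fi
    done
    return $rc
}

# Constructed sample tables (placeholder device, not captured from a real server).
SAMPLE_HARDENED='/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec,relatime 0 0'
SAMPLE_WEAK='/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
/dev/loop0 /tmp ext3 rw,relatime 0 0'

# demo_mounts: runs the check against both constructed tables.
demo_mounts() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_HARDENED" > "$f"; echo "hardened:"; check_tmp_hardening "$f"
    printf '%s\n' "$SAMPLE_WEAK" > "$f"; echo "weak:"; check_tmp_hardening "$f" || true
    rm -f "$f"
}

if [ -n "${MOUNT_DEMO:-}" ]; then demo_mounts; fi
```

    `MOUNT_DEMO=1 sh tmpcheck.sh` exercises the constructed tables; on a live server `check_tmp_hardening` alone reads /proc/mounts. Keep the scope of this measure in mind: noexec,nosuid stops binaries dropped into /tmp from being run, but it does nothing about the readable session files the opening post describes, which is why the thread treats the two as separate problems.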
     