# Info about apache22 + fastcgi + suexec + pureftp



## Sigfrido (Feb 16, 2010)

Hi all,

I'm interested to enable fastcgi and suExec with apache22 to execute php scripts with limited permission on virtual hosts but I've never done it.

According to my informations, suExec requires a valid uid/gid to set correct permissions to run scripts hosted inside ftp user's document root.

Using PureFTP, there is only one uid/gid which contains all my virtual ftp users (I've used PureDB to store them).

I suppose that I've to specify, for each vhost inside my httpd-vhosts.conf, a user and group to run as (directive User and/or SuexecUserGroup) and I think I've to set PureFTP ones.

Is there any risk, with malicious php code stored inside one virtual ftp account, to steal informations inside other virtual ftp paths, owned by the same uid/gid (PureFTP ones)?

Is there any apache directive to prevent this kind of problem?

Thanks in advance


----------



## Alt (Feb 16, 2010)

Well, you using php-cgi or mod_php ?


----------



## Sigfrido (Feb 16, 2010)

```
# /usr/local/bin/php -v
PHP 5.2.12 with Suhosin-Patch 0.9.7 (cli) (built: Feb 12 2010 13:50:48)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
```
mod.


----------



## Alt (Feb 17, 2010)

Now how yo wanna SUEXEC it if its apache module? 
You can run php as fastcgi using www/spawn-fcgi with setting spawn_fcgi_username & spawn_fcgi_groupname. But you must run a copy with different spawn_fcgi_bindsocket for each uid you need run.
In apache you must use FastCgiExternalServer or somewhat like (i dunno how to set external fcgi in apache, used only in nginx)


----------



## Sigfrido (Feb 17, 2010)

You got the point, I've to reinstall php w/o Apache support and preinstalling a cgi spawner, like:


```
# cd /usr/ports/www/mod_fcgid
# make install clean
```

Then php, enabling FastCGI:


```
# cd /usr/ports/lang/php5
# make config
# make install clean
```

Then some httpd.conf changes (disabling php5module, enabling fcgi wrapper, ...).

Now I can use suExec but I've the same question explained in my first post. 

Any hint?


----------



## SirDice (Feb 17, 2010)

Sigfrido said:
			
		

> Is there any risk, with malicious php code stored inside one virtual ftp account, to steal informations inside other virtual ftp paths, owned by the same uid/gid (PureFTP ones)?


Yes, that risk is quite high. Since all files are owned by the same uid/gid anyone that's able to login using FTP can change any file owned by that uid/gid.



> Is there any apache directive to prevent this kind of problem?


AFAIK no. The only way to solve this would be to change the 'virtual' FTP UIDs to 'real' ones.


----------



## Sigfrido (Feb 17, 2010)

Thanks Sir. 

In fact, if I'm aiming to prevent interactions between ftp accounts (using virtual ftp users) via malicious php code, it's pretty useless to run php as cgi with suExec.

So, if I don't want to user real users to avoid this risk, is there any viable software configuration to do it?

If I plan to leave apache22+mod_php (w/o cgi & suExec/php), which steps can I do to secure php?

Editing disable_functions inside php.ini like


```
disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
```

is it enough?


----------



## Alt (Feb 17, 2010)

I recommend to set open_basedir in each vhost so they cant go other's directory; for ftp you can setup chroot


----------



## Sigfrido (Feb 17, 2010)

already done, PureFTP has a chroot() emulation so there aren't problems about ftp users.

The problem is that, with virtual ftp users, I can't secure php to be executed by the effective owner of the script.


----------

