Is there a way to "containerize" php applications?

Red Squirrel

No Lifer
May 24, 2003
70,574
13,804
126
www.anyf.ca
I'll be launching a new forum, and it's rather customized, making updates much harder. I'll obviously try to stay on top of security issues and patch manually, but there is still a possible risk. Heck, even a patched application can always have vulnerabilities. So to reduce risk of a security issue compromising the entire server, is there a way I can have php scripts run as a specific user, instead of as apache? Ideally it would be nice if it just ran under whatever user the files' home directory it's in. Then I can create several users to split sites/apps to minimize risk should one get hacked. I could create a bunch of VMs but that's kinda overkill and a management nightmare since then I have that many more OS installations to manage.

Is there a way to do this? Everything I search for and find on Google such as phpsuexec, I read elsewhere that it's "deprecated". What is the proper way to do it nowadays?
 

Red Squirrel

Isn't that a commercial product? I don't really want to pay for anything. I still want it to be on the same system running on the same instance of apache etc, no VMs or anything like that. It just makes things more complicated to manage. Is there not a way to just make the code run as a different user based on which home directory it's in?
 

purbeast0

No Lifer
Sep 13, 2001
53,638
6,522
126
I'm not following what you mean by making "code run as a different user" regardless of what directory it's in.
 

Red Squirrel

Basically, say I have a php script that has a security issue in it, normally it would run as apache. That means that script has access to pretty much everything else that apache has access to such as other home directories. This would allow access to pretty much the whole web server. But if I had it so the script can run as a different user then I can chown all the files as their respective users and the php scripts will only be allowed to access the stuff that belongs to the same user as itself. Basically I would create a couple unix accounts to split up websites so that if one website gets hacked they don't gain access to everything else too.
 

mv2devnull

Golden Member
Apr 13, 2010
1,526
160
106
> Isn't that a commercial product?

Docker? CentOS has some version in its 'extras' repo. No visible price tag.

> Basically, say I have a php script that has a security issue in it, normally it would run as apache. That means that script has access to pretty much everything else that apache has access to such as other home directories. This would allow access to pretty much the whole web server.

No. Why would Apache have any access to home directories? Why have "regular users" on the forum server anyway? Even if it would, that is just the home directories, not the server.

Don't you have selinux, etc to further confine the httpd process?
 

Red Squirrel

I had just read briefly on docker, it sounded kind of commercial but I'd have to read on it more I guess. Not really sure what it is, like some kind of hypervisor but not really? That's the gist I got from reading on it. Suppose it's an option but sounds more complicated than what I'm hoping to be able to do. I just want scripts to run as a different user on a per home directory basis. How do shared hosting environments do it?

Apache needs access to the home folders so it can read and serve the html files. I had to disable selinux, it breaks too much stuff without telling me why. Like just start getting weird errors in certain programs and pull my hair out trying to figure out why. Disable selinux, boom everything works. It's one of the first things I disable now. Maybe one day I should try to figure out how to use it but that day is not now. Makes troubleshooting anything way too hard as there's no clear indication of why something is failing.

Is it really that hard to just make php scripts run as a different user? Basically I want each home directory to be owned only by its own user, and for the scripts to run as that user. That way if one script turns out to have a security issue I don't want the hacker to be able to gain access to all the other sites/scripts too from that one script. Ex: a script that allows remote code execution. I want the code to run as that home directory user, and not as apache. So the attack will be confined to only the one website.

So for example, all scripts in /home/user1/ would run as user1. All scripts in /home/user2/ would run as user2. Should a script in user2's folder have an exploit that allows writing files to the file system, it would be contained to /home/user2/'s home directory.

Basically when I declare the virtualhost entry for a site, I just want to be able to specify a user that the scripts run under.
 

sourceninja

Diamond Member
Mar 8, 2005
8,805
65
91
Docker is a fancy modern form of chroot or jails basically. It's a kind of virtualization, but more up the chain than say a full VM. It only 'virtualizes' the parts that are different for your application. But to directly answer your question, what you want to do can't be done from a single apache instance. You are either using mod_php or fastcgi, both run php as a single user.

Docker is also open source with an enterprise product (and with no compelling reason to buy it). Containerizing applications is the future of applications that are not "serverless" (read cloud function as a service products like Lambda). You can ensure constancy and immutability of your application. You can also ensure that your dev and prod are identical (thanks to the container). It completely removes a lot of traditional patching by allowing you to leverage immutable infrastructure. You don't patch containers, you build a new one. Then deploy the app to it (probably with a CI/CD pipeline) and run the container. Eventually you can use packer to have your CI/CD pipeline build a brand new fully patched container on each code deploy. Beyond that you can move to a service like AWS farscape and stop managing the host OS the container runs on. Or just move to 'serverless' and only pay for the milliseconds your app runs per request.

It's a thing of beauty.
 

Red Squirrel

How did phpsuexec do it? I'm pretty sure I've seen that before in shared hosting environments, it's just that everything I read on it now says it's deprecated. Nothing replaced it? Fastcgi also came up in my search. How would I do the container thing, any good tutorials on that? Suppose I can see how involved it is and see if it's worth it. Any ELI5 tutorials on docker and containers? I've heard those terms thrown around before but any time I google it I don't find many tutorials aimed at beginners.
 

sourceninja

Well to say it can't be done, is to say it can't be done well. There are some options. I have not found them to be the greatest.

http://www.suphp.org/Home.html (no longer maintained)
https://php-fpm.org/ (via chroots and separate php.ini files, might be able to do as owner as well, never tried it.)

Getting into containers is easier than you think, it's probably best to start there https://docs.docker.com/get-started/ and maybe here https://docs.docker.com/develop/ . It's pretty easy to get started and you can play right on your own workstation.
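
A per-site PHP-FPM pool is how the php-fpm option above gives each site its own Unix user; the following is an added example, not part of the original thread or any poster's code. It assumes Apache 2.4 with mod_proxy_fcgi, the web server account `apache`, sockets under /run/php-fpm, and sites in /home/<user>/public_html with a private /home/<user>/tmp; the function names are hypothetical.

```shell
# Added example (not from the thread): generate a per-site PHP-FPM pool and the
# matching Apache vhost so each site's PHP runs as its own Unix user.
# Assumed layout: /home/<user>/public_html, /home/<user>/tmp, /run/php-fpm.
LC_ALL=C; export LC_ALL

# valid_site_user NAME: plain lowercase account names only; never root/apache.
valid_site_user() {
    case "$1" in
        ''|root|apache|*[!a-z0-9_-]*) return 1 ;;
        [a-z_]*) return 0 ;;
        *) return 1 ;;
    esac
}

# pool_conf USER: print the PHP-FPM pool definition for one site.
pool_conf() {
    valid_site_user "$1" || { echo "refusing user: $1" >&2; return 1; }
    cat <<EOF
[$1]
; Workers for this site run as the site's account, not as apache.
user = $1
group = $1
listen = /run/php-fpm/$1.sock
listen.owner = apache
listen.group = apache
listen.mode = 0660
pm = ondemand
pm.max_children = 5
; Defence in depth only: open_basedir limits PHP file functions, not programs
; started through shell_exec(); the Unix user is the real boundary.
php_admin_value[open_basedir] = /home/$1/public_html:/home/$1/tmp
php_admin_value[upload_tmp_dir] = /home/$1/tmp
php_admin_value[session.save_path] = /home/$1/tmp
EOF
}

# vhost_conf USER SERVERNAME: print the vhost that sends .php to that pool.
vhost_conf() {
    valid_site_user "$1" || { echo "refusing user: $1" >&2; return 1; }
    cat <<EOF
<VirtualHost *:80>
    ServerName $2
    DocumentRoot /home/$1/public_html
    <FilesMatch "\.php\$">
        SetHandler "proxy:unix:/run/php-fpm/$1.sock|fcgi://localhost"
    </FilesMatch>
</VirtualHost>
EOF
}
```

Redirect `pool_conf user1` into the PHP-FPM pool directory and `vhost_conf user1 site1.example` into the Apache configuration directory, then reload both services.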
 

Red Squirrel

Thanks I'll check that out, it's something that kinda piqued my interest as I often hear mention of it so I'll have to read up and maybe set up a test environment first and see if I can make it work.
 

Red Squirrel

I read briefly on containers but it really sounds more like a way to deploy applications, it does sound neat and it's something I'd like to learn but I feel it would be overkill for this.

However upon further searching I found the .htaccess parameter called

php_admin_value open_basedir "/path/to/vhostwww/"

It looks like you can set that in a virtualhost to restrict php access to that folder. I have not played with it yet but I think that might work. Any issues as to why I can't use that? Essentially I would just set it to the same path as the virtualhost's directory. So this should stop a php file from being able to access anything outside of that folder. In a way this may be even better than my original idea of going by user, since I do have many virtualhosts on the same user account so I don't need to split them all up like I was originally going to do.
 

sourceninja

That works in the sense that php scripts will not be called by apache unless they are in that directory. However, that doesn't stop scripts from abusing their permissions and writing or executing files outside of that directory. For example, writing a script that uses something like shell_exec.
 

Red Squirrel

Yeah guess that won't work. I thought it was to stop php scripts from being able to access anything outside that folder.

What do shared hosts do to stop a malicious client from accessing other people's folders via php? Ex: if someone writes a script that uses shell_exec or fopen or something it could read someone else's forum configuration file and then get the SQL credentials.
 

Skunk-Works

Senior member
Jun 29, 2016
983
328
91
Check out Ninjafirewall and CIDRAM. Make sure you have mod_security installed and I would install Suhosin.

Running a CDN like Cloudflare and only allowing the CF IPs is a great way to keep your origin IP hidden. But you can't use the mx record otherwise you expose your IP. Instead, use a third party email service.

This is how I set up things. I know the author of CIDRAM. There's no reason why you'd want Azure, Amazon AWS, Google cloud, etc to connect to your site. CIDRAM also has the ability to check the stop forum spam database on registration and login to help prevent spam.
 

Red Squirrel

This is not about hiding my IP, it's about stopping one website (on the same server) from being able to access the files of the other website (on the same server).

Basically if someone finds an exploit in a script I don't want them to be able to use that exploit to cross out of that site and go edit/view config files for other sites. On the same server.

Because html, php etc is accessed by apache which runs as the apache user, all web files need to be owned by apache. That means that it makes them accessible by everyone. So I'm trying to figure out a way to split it so that each virtualhost can't access another virtualhost. I don't know why this is not something that is built in to apache. You should be able to just make virtualhosts run as different users so that one can't access the other.

What do shared hosts do so that customers can't access the files of other customers using php scripts?
 

sourceninja

Talking to a few people I know who still use php, you can use apache's suExec with php if you use cgi_php and not mod_php. That will let you control what user the php executes as on a per virtual directory basis.
 

Red Squirrel

That came up in search but is that actually still supported? Everything I read says it's deprecated and not recommended, but yes that is exactly what I need. I find it odd that this functionality is not built in. I might just go with that, hopefully it's not too involved to get working.
 

Red Squirrel

That's good to know. Hostgator is pretty big so if they use it then it must be supported and rather scalable. Think I'll go that route then. I don't recall where I read it was unsupported but it came up when I was searching for it as I had heard of it before.
 

Lokesh Sharma

Junior Member
Mar 21, 2018
2
0
1
Hey,
This is a Docker which provides a uniform way of building and running containers for any required services. The platform makes sure that your application performs the same regardless of the target environment. So, the Docker will help you.