From the Apache documentation, I read that Apache needs to initially run as root to then switch to the user defined by the User directive to serve requests.
However, I also read, still from the Apache documentation, that the recommended strategy is to create a new user and a new group specific for running the server.
This is a bit confusing for me. If Apache needs to run as root, why do I need a new user? Does it refer to the webmaster running the server? Because, otherwise, the two statements look a bit contradictory to me.
Let me quote from your own question:
I read that Apache needs to initially run as root to then switch to the user defined by the User directive to serve requests.
Correct.
So that implies there needs to be a different (not root) user account to switch to ...
However, I also read, still from the Apache documentation, that the recommended strategy is to create a new user and a new group specific for running the server.
Again, correct.
The recommendation is to create a user and group specifically for Apache rather than using some existing user / group.
No contradiction so far.
If Apache needs to run as root, why do I need a new user?
Apache needs to start as root.
Then it needs to switch to a different user.
Why?
It needs to start as root, because some of the initial setup can only be performed while the process has elevated privileges.
It needs to change to a different account because it is unsafe to continue running with elevated privileges. Why? because if hackers can find an exploit in the Apache process running as root, then they have achieved a root compromise. (That's a hack of the worst kind ...)
In short, there is no contradiction.
I wish to run some untrusted code using chroot.
However, many claim that chroot is not a security feature and can easily be broken out of.
Therefore my question is how does apps like https://ideone.com/ manage to run untrusted code quickly and securely. Also if chroot can be broken out of, couldn't it be possible to break out of chroot in https://ideone.com/ .
I'm not sure what untrusted code you're referring to, but chroot just changes the apparent file structure -- theoretically you can't see above a certain level. But symbolic links can still work so if your chrooted directory has a symlink to a directory above, chroot doesn't do you any good.
It's also possible for applications can get access to resources through other applications. Some clever hackers know how to exploit running apps, but if you set up the ideone environment as root, well, anything is possible.
More theoretically, you could install a master application that has full access to the file system. Then you run code in a chrooted environment. If that master app is running and listening it can relay resources to your chrooted application.
Quickly? Sure... Securely... well... with my example the master app is a gatekeeper but it's still security through trust of the master app.
I have a Apache module that acts as a security filter that allows requests to pass or not. This is a custom made module, I don't want to use any existent module.
I have actually two questions:
The module has its own log file. I'm thinking that the best location should be in /var/log/apache2/ but since the Apache process runs on www-data user, it cannot create files on that path. I want to find a solution for the log file in such way that is not much intrusive (in terms of security) for a typical web server. Where would be the best place and what kind of security attributes should be set?
The module communicates with another process using pipes. I would like to spawn this process from Apache module only when I need it. Where should I locate this binary and how should I set the privileges as less intrusive as possible?
Thanks,
Cezane.
Apache starts under the superuser first and performs the module initialization (calling the module_struct::register_hooks function). There you can create the log files and either chown them to www-data or keep the file descriptor open in order to later use it from the forked and setuided worker processes.
(And if you need an alternative, I think it's also possible to log with syslog and configure it to route your log messages to your log file).
Under the worker process you are already running as the www-data user so there isn't much you can do to further secure the execution. For example, AFAIK, you can't setuid to yet another user or chroot to protect the filesystem.
What you can do to improve the security is to use a system firewall. For example, under AppArmor you could tell the operating system what binaries your Apache module can execute, stopping it from executing any unwanted binaries. And you can limit that binary's filesystem access, preventing it from accessing www-data files that doesn't belong to it.
As part of my learning process, I thought it would be good if I expand a little more knowledge on what I know about apache. I have several questions, and while I know some of the stuff may require a rather lengthy explanation, I hope you can provide an overview so I know where to go looking. (preferably reference to mod_wsgi)I have read some resources after searching on google, and what I know arrive from there, so please bear with me.
What does the apache lifecyle looks like before, during, and after it receives a http request? Does it spawns a new child process to do the work, or creates a thread in one of the child process?
Does apache by default runs under www-data? So if that's the case, if I want a directory under my project folder to be used for logs, I can change just the folder group to www-data and allows write access?
What user will the python interpreter run under, after being invoked by apache? And what will processes created by Popen or multiprocessing from there run under?
I ran ps U www-data. Why are there so many processes with
S 0:00 /usr/sbin/apache2 -k start
The Apache mpm prefork module handles one connection in one process. To handle connections fast and not spawn processes on demand, apache maintains a process-pool. This explains why you see so many processes in the process-list. If a connection comes in, it is handed to one of the already existing processes.
Some more information is here: http://httpd.apache.org/docs/2.0/en/mod/prefork.html
The answer to question 2) is yes, apache always runs as www-data und you can grant access to any directory by changing it's group permissions to www-data.
Read:
http://www.fmc-modeling.org/category/projects/apache/amp/Apache_Modeling_Project.html
http://code.google.com/p/modwsgi/wiki/ProcessesAndThreading
http://code.google.com/p/modwsgi/wiki/QuickConfigurationGuide#Delegation_To_Daemon_Process
http://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIDaemonProcess
The first one will tell you all the gory details of how Apache works internally. The latter relate to mod_wsgi specifically and process/threading model.
I've been getting these messages in apache error.log for quite a while:
[client 217.197.152.228] File does not exist: /var/www/phpmyadmin
[client 217.197.152.228] File does not exist: /var/www/pma
[client 217.197.152.228] File does not exist: /var/www/admin
[client 217.197.152.228] File does not exist: /var/www/dbadmin
[client 217.197.152.228] File does not exist: /var/www/myadmin
[client 217.197.152.228] File does not exist: /var/www/PHPMYADMIN
[client 217.197.152.228] File does not exist: /var/www/phpMyAdmin
And many more different addresses. Looks like somebody is trying to guess where my admin applications are located. What should I fear in this situation, and what a knowledge of my admin addresses can give to attacker, if everything is password protected?
If everything is locked down well, fear nothing. These are just automated attacks that happen to every URL in existence. Same thing happens to me, and I don't even run PHP on my server.
If you don't have the latest patches (like on say, WordPress), then yes this is a big problem, but one that's relatively easy to fix.
if you have admin or restricted folders you could configure it in htaccess to restrict access only to your ip or ip range like this
<Directory /var/www/AdminFolder/>
Options FollowSymLinks
Order Deny,Allow
Deny from all
Allow from 128.98.2.4 # your ip only
</Directory>
It will only be a good solution if you have static ip, but then you will be completely sure that you ll be the only one to get inside adminfolder
If they find a login page they could try to do a brute force attack or other password cracking approach.
In these cases if there is an IP that is consistently displaying such behaviour we block it with denyhosts and ModSecurity.
Firstly... Never install in a default folder.
Secondly... If you "Must" use a prefab program, rename the admin folders to something less tasty, like, "homework". No-one will ever look there for anything important. (Due to many poor coding techniques of prefab programs, they do not operate willingly when you relocate and rename folders. You would think security would be their primary goal, but, having an admin-folder at www/home level, and no ability to select the location or name, is your first sign of poor programming.)
Thirdly... Move all your INCLUDES above www/home. (Move above = move back one level, to the folder that contains the www/home folder.) Again, expect to get your hands wet with code, as the programmers most-likely did not follow that simple security commonplace with code. You will have to tell your code to look in the new includes path, which is now above the www/home folder.
Fourthly... Where possible, setup a LOCK-OUT on your admin folder. Use your FTP or C_Panel to unlock the folder, only when it is needed. You should not be logged-in daily, or as a common login. For all you know, you have a virus on your computer and it is watching you type-in your password every time, or capturing your cookies, or injecting worms on your server once you have logged-in. The better alternative is to find programs with external admin controls. EG, no software on the server. The software stays on your PC, and it only accesses your server to update changes, briefly.
Fifthly... Get a blacklist plugin for your server, or request one. Your HOST should be blocking those types of obvious scans at the router level, sending repeated requests to a black-hole. Hosts that don't provide the lowest level of security, should not be used. That is what the hackers use, since they don't block them when they attack. (Expect that your NETWORK NEIGHBORS are potentially hackers on a shared-server. They will be fishing inside your shared-temp-files for sessions, cookie data, backup-code, sql-ram data, etc... Looking for anything important. Usually your clients e-mails and passwords, CC info, paypal info, telephone numbers, addresses, and anything else not nailed down, to sell.)
Sixthly... Find a host which does not have prefab programs available. Why? Because they are all poor security, free-ware yester-years versions, unpatchable, poorly configured, and your neighbors are using them too. If you have no neighbors, great... but that does not make you any safer. The installers have decreased your server security, so they can gain access to installing the programs, even if you never install one of them. Hackers exploit that also, installing thing they know they can hack, that exist in your c-panel or server-control, and then they hack in through those exploited installed programs.
LOL, just print books... J/K, that is hackable too!
You know what is not hackable... Pure HTML, on a server without PHP, ASP, MySQL, FTP, e-mailers, and all the other things we all love to play with so much. Oh, but the HTML has to be on a CD, or a hard-drive with the erase-heads unwired. Hehe...
It seems he's looking for PHPMySQLAdmin installations, probably to automatically try and use known exploits on old versions.
If you're not using PHPMyAdmin you should be fine. If you do, make sure it's updated to the latest version, and maybe move it to a non-guessable URL.
If you have protected everything it's no real big deal.
http://217.197.152.228/phpmyadmin/ <- that's where your phpmyadmin is running. Seems it's pass protected etc so don't worry too much!
There are some exploits that will reveal info in fact, your phpmyadmin is vulnarable to some attacks:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0204
Maybe you should check for exploit docs on your phpmyadmin version.