DaemonForums  

  #1   (View Single Post)  
Old 19th August 2019
jonsec jonsec is offline
Fdisk Soldier
 
Join Date: Jul 2019
Posts: 71
Question OpenBSD & SFTP ChrootDirectory !

Hi.

I have a test user.
In sshd_config I set ChrootDirectory for the test user to /home/test.
I want the test user to have access to /var/www/test/public_html.

We know the pathname in ChrootDirectory must be root-owned, so if I set the owner of /var/www/test to root, php-fpm can't access this folder (group is www).

How can I do this?

NFS is good, but I don't know about security or performance.
And OpenBSD does not support mount --bind.
Reply With Quote
  #2   (View Single Post)  
Old 19th August 2019
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

  • After dropping privileges, php-fpm processes run as www:www.
  • The ChrootDirectory must be owned by root and not writeable by any other group.
I have not tested this, but perhaps if you create the ChrootDirectory as root:www, with a chmod(1) of 750, shown as drwxr-x--- in ls(1), this will follow chroot(2) restrictions while permitting php-fpm to access the directory.

Subdirectories can be created to permit read/write access by php-fpm, but heed this warning from the sshd_config(5) man page:
Quote:
For safety, it is very important that the directory hierarchy be prevented from modification by other processes on the system (especially those outside the jail). Misconfiguration can lead to unsafe environments which sshd(8) cannot detect.
Reply With Quote
  #3   (View Single Post)  
Old 19th August 2019
jonsec jonsec is offline
Fdisk Soldier
 
Join Date: Jul 2019
Posts: 71
Default

Quote:
I have not tested this, but perhaps if you create the ChrootDirectory as root:www, with a chmod(1) of 750, shown as drwxr-x--- in ls(1), this will follow chroot(2) restrictions while permitting php-fpm to access the directory.
Not secure for multiple websites.
I think we are in jail.

But I found a better solution for this shortage: I set ChrootDirectory to /var/www.
I think it is better, if no security problem exists later.
Reply With Quote
  #4   (View Single Post)  
Old 19th August 2019
jonsec jonsec is offline
Fdisk Soldier
 
Join Date: Jul 2019
Posts: 71
Lightbulb

What is your comment about my idea?
Reply With Quote
  #5   (View Single Post)  
Old 19th August 2019
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

If you set the ChrootDirectory to /var/www, you are giving the chrooted ssh/sftp user filesystem access to your entire web server environment. Every virtual server, all PHP scripts, all data stored in files.

Is that your intent?

If the purpose of the chroot() is to isolate the untrusted user to a single virtual server that uses PHP, then set that single instance of php-fpm to use an isolated group and user instead of www:www.
Reply With Quote
  #6   (View Single Post)  
Old 20th August 2019
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

I have tested ChrootDirectory use with php script uploads. It works fine.
  • The testuser's GID was set to the www group, 67. I could also have added this user to the group via provisioning in groups(5).
  • The home directory, /var/www/testuser was set to chmod(1) 750, chown(8) root:www.
  • Writeable subdirectories were created in the root owned home directory.
  • A phpinfo() test file was uploaded to a writeable directory via sftp(1).
  • php-fpm could access the script via a httpd(8) location{} directive.
If I had multiple PHP instances to manage, I would isolate them with different chroots and/or different user:groups, via provisioning in unique configuration files (default: /etc/php-fpm.conf).
Reply With Quote
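Added example, not part of any post in this thread and not sshd's own code: a POSIX sh audit of the ownership rule discussed above, under which a root:www directory with mode 750 passes and a group-writable one does not. Following sshd_config(5), it applies the rule to every component of the ChrootDirectory pathname; the function names `check_dir` and `audit_chroot` and the optional owner-uid argument are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not sshd's code): audit a ChrootDirectory path using only
# POSIX "ls -ldn" output. Function names are made up for this example.

# check_dir DIR [UID]: succeed only if DIR is a real directory owned by
# UID (default 0, root) and not writable by group or other.
check_dir() {
    dir=$1 want_uid=${2:-0}
    [ -d "$dir" ] || { echo "FAIL $dir: not a directory"; return 1; }
    # Field 1 of "ls -ldn" is the mode string, field 3 the numeric owner.
    info=$(ls -ldn -- "$dir" | awk '{print $1 " " $3}')
    mode=${info% *}
    uid=${info#* }
    case $mode in
        [!d]*)      echo "FAIL $dir: symlink or non-directory ($mode)"; return 1 ;;
        ?????w*)    echo "FAIL $dir: group-writable ($mode)"; return 1 ;;
        ????????w*) echo "FAIL $dir: world-writable ($mode)"; return 1 ;;
    esac
    [ "$uid" = "$want_uid" ] || {
        echo "FAIL $dir: owner uid $uid, expected $want_uid"; return 1
    }
    echo "ok   $dir ($mode, uid $uid)"
}

# audit_chroot PATH [UID]: run check_dir on / and on every component of the
# absolute PATH, report all failures, return non-zero if any failed.
audit_chroot() {
    rest=${1#/} want=${2:-0} cur= rc=0
    check_dir / "$want" || rc=1
    while [ -n "$rest" ]; do
        part=${rest%%/*}                 # next path component
        case $rest in
            */*) rest=${rest#*/} ;;      # more components follow
            *)   rest= ;;                # that was the last one
        esac
        [ -n "$part" ] || continue       # skip empty parts from "//"
        cur=$cur/$part
        check_dir "$cur" "$want" || rc=1
    done
    return $rc
}

# Run as: sh audit_chroot.sh /var/www/testuser
if [ $# -gt 0 ]; then audit_chroot "$@"; fi
```

Writable subdirectories below the chroot are deliberately not walked; only the path from / down to the ChrootDirectory itself is checked.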
  #7   (View Single Post)  
Old 20th August 2019
jonsec jonsec is offline
Fdisk Soldier
 
Join Date: Jul 2019
Posts: 71
Default

Quote:
If you set the ChrootDirectory to /var/www, you are giving the chrooted ssh/sftp user filesystem access to your entire web server environment. Every virtual server, all PHP scripts, all data stored in files.
No.

Quote:
If the purpose of the chroot() is to isolate the untrusted user to a single virtual server that uses PHP, then set that single instance of php-fpm to use an isolated group and user instead of www:www.
Exactly. Any user can only access their own folder and can't access other folders.
So /var/www/ is isolated.
Reply With Quote
  #8   (View Single Post)  
Old 20th August 2019
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

If I understand your use-case correctly, you have multiple virtual servers providing service through a single webserver and single php-fpm instance:
Code:
[virtual webserver A][virtual webserver B][virtual webserver C]
                                |
                                |
                            [webserver]
                                |
                                |
                             [php-fpm]
Considerations:
  • If the webserver is httpd(8), it operates in a chroot(2) at /var/www by default. Each virtual server can have a separate document root, but the virtual servers are not otherwise isolated from each other in the filesystem.
  • sshd(8) can isolate a user's access to a new filesystem root, either at or within a virtual server's document root. This *may* isolate that user from other virtual servers' documents, if the virtual servers have unique document roots. It will also prevent that user from accessing other structures within /var/www, such as /var/www/run, as well as any other directories in other parts of the OS filesystem.
  • The php-fpm engine also runs chrooted in /var/www by default. Even so, there is certainly the possibility of interference in operation of the engine through uploaded scripts, as you intend to permit the untrusted user to upload and then run ANY php script the user desires. To mitigate some of these accepted risks caused by this, a separate php-fpm engine and separate back end database engines should also be considered.
If I don't understand, please correct me.
Reply With Quote
  #9   (View Single Post)  
Old 21st August 2019
jonsec jonsec is offline
Fdisk Soldier
 
Join Date: Jul 2019
Posts: 71
Post

Quote:
If I don't understand, please correct me.
Approximately.

Please let me describe the structure of the system.

This is the folder structure:
/var/www/
Code:
drwxr-xr-x   2    root       deamon   ....  bin
drwxr-xr-x   2    root       deamon   ....  run
drwxr-xr-x   2    root       deamon   ....  usr
drwxr-x---   2    root       deamon   ....  cgi-bin
drwxr-x---   2    root       deamon   ....  logs
drwxr-x---   2    UserA     www      ....   UserA
drwxr-x---   2    UserB     www       ....  UserB
/var/www/UserA
Code:
drwx------   2    root       deamon    ....    logs
drwx------  2     UserA     deamon    ....    tmp
drwxr-x---   2    UserA     www        ....    public_html
Part of the required config:
/etc/php-fpm.d/UserA.conf
Code:
[UserA]
user = $pool
group = $pool
listen = /var/www/run/php-fpm-$pool.sock
listen.owner = www
listen.group = www
listen.mode = 0660
chroot = /var/www
access.log = /var/www/$pool/logs/phpfpm-access-$pool.log
slowlog = /var/www/$pool/logs/phpfpm-slowlog-$pool.log
php_admin_value[session.save_path] = /$pool/tmp
php_admin_value[error_log] = /$pool/logs/php-error-$pool.log
php_admin_value[upload_tmp_dir] = /$pool/tmp
php_admin_value[open_basedir] = /$pool
Part of the sshd config:
Code:
DisableForwarding yes
Subsystem sftp internal-sftp

Match User UserA
    ChrootDirectory /var/www
    ForceCommand internal-sftp
Also, the database account is separate for each user.

If UserA or UserB logs in via sftp, everything is secure.
If UserA or UserB runs a PHP script, everything is secure.

Hmmm, is that true?

Last edited by jonsec; 21st August 2019 at 02:33 AM.
Reply With Quote
Old 21st August 2019
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Thank you for explaining. I believe I understand that:
  • Both PHP pools UserA and UserB run within the same php-fpm instance - using the same TCP socket or TCP connection to the webserver.
  • Both pools also have the same chroot of /var/www.
  • Both pools use the same database engine, without access to the other's data.
I have concerns about data access within the /var/www structure. I am not a PHP programmer, but I assume this means that someone who can run PHP scripts within /var/www can access files within /var/www available to a PHP worker process, which is www:www.

I'm also concerned about denial of service or other forms of interference possible with a shared DBMS and a shared PHP instance.
Reply With Quote
Old 21st August 2019
jonsec jonsec is offline
Fdisk Soldier
 
Join Date: Jul 2019
Posts: 71
Default

Quote:
I have concerns about data access within the /var/www structure. I am not a PHP programmer, but I assume this means that someone who can run PHP scripts within /var/www can access files within /var/www available to a PHP worker process, which is www:www.
No. The PHP worker process is UserA:UserA or UserB:UserB, because these ownerships are set in the php-fpm pool config for each user.
Reply With Quote
Old 21st August 2019
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Thank you for clarifying. I see that now.
Reply With Quote