Comments
This is why cagefs was created. Separating doesn't do anything. Shell scripts can still be used.
Well... there is file/directory ownership and permissions.
If one user is able to write into another user's home directory... that's kind of a permission issue.
(Assuming you are talking about Linux)
Back in the day, before suPHP came out, everything was running as apache, which caused a whole lot of issues with mass defacing.
Well, as you say, that was back in the day.
Is anybody running PHP or CGI as the shared webserver user on shared hosting accounts these days? If so... then that's probably something you want to look into changing.
@yokowasis
Perhaps not, but it isn't entirely difficult to set up "relatively secure" jails on your own. This usually means:
The setup of this jail should be done in an area that the user cannot access and have the appropriate permissions set before copying the files over to the user's home directory, then setting up an SSH (and/or SFTP) jail. For the web server, you can use Apache or NGINX and set up a private PHP-FPM process for each user and lock the process in the jail, or use something like suPHP.
Another option is storing all configuration files and executables outside of the user directory and using a read-only mount into the user's home area.
(The idea here is to provide as much separation as possible without actually setting up HAProxy and containers, but even this is an option too)
Hence the title. Looking for a control panel / LAMP script that has jailed functionality. I host a lot of WordPress sites for my clients. One or two of them are bound to get their WordPress hacked.
Set up synthetic jails with a layered filesystem such as OverlayFS or aufs. Use systemd to spawn a jailed PHP-FPM service on socket activation, then further restrict device access and capabilities.
It's not difficult to achieve, but most of the logic is rooted in lore.
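The per-user PHP-FPM process and the systemd device and capability restrictions suggested in the replies above, as an added example that is not from any poster in this thread. It renders one pool file and one service unit per account; the `/run/php-fpm-<user>` and `/etc/php-fpm-jail` paths, the `/usr/sbin/php-fpm` binary location and the function names are assumptions, and socket activation and the overlay filesystem are not covered.

```shell
# Added example. Paths, binary location and function names are assumptions.

# Accept only conservative account names so a name can never alter a path.
valid_user() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# PHP-FPM config: one master per account. No "user =" line is needed because
# systemd already starts the master as that account (see render_unit).
render_pool() {
    valid_user "$1" || return 1
    cat <<EOF
[global]
error_log = /proc/self/fd/2

[$1]
listen = /run/php-fpm-$1/fpm.sock
listen.mode = 0660
pm = ondemand
pm.max_children = 5
php_admin_value[open_basedir] = /home/$1/public_html:/tmp
EOF
}

# systemd unit: unprivileged, no capabilities, private /dev and /tmp,
# read-only OS tree, and only this account's home directory visible.
render_unit() {
    valid_user "$1" || return 1
    cat <<EOF
[Service]
User=$1
Group=$1
RuntimeDirectory=php-fpm-$1
ExecStart=/usr/sbin/php-fpm --nodaemonize --fpm-config /etc/php-fpm-jail/$1.conf
NoNewPrivileges=yes
CapabilityBoundingSet=
PrivateDevices=yes
DevicePolicy=closed
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=tmpfs
BindPaths=/home/$1
EOF
}

if [ "$#" -eq 1 ]; then render_pool "$1" && render_unit "$1"; fi
```

With `listen.mode = 0660` the socket is reachable only by the account and its group, so the web server user has to be a member of that group to proxy requests to it.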