06 February 2008

suphp fix for nfs root squash

At work I was given the task of setting up our replacement webserver. We have a system set up so that all of our users have Linux accounts and home directories with webspace. The home directories are stored over NFS on a fileserver separate from the webserver. Naturally we need a way to keep our users from running php scripts that can access other users' files, so we opted to use suphp.

The only problem with suphp is that in order to check your php script's ownership, it has to stat the file first, and because it is setuid root, it does so as root. Our nfs server has a root squash policy, so obviously suphp isn't going to be able to stat those files before it sets the uid and gid to the permissions of the script file.

In order to work around this problem you have to add just a few lines of code that set the real, effective and saved user id (setresuid) to a user that has permissions on all the users web files, but isn't root. For us, that is our apache user. So we do a series of setresuid(www-data) and setresuid(0) to switch back and forth between the apache-user and root to do the different operations with the correct permissions.
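The switch described above, as an added example in C (not suphp's code and not the patch this post refers to). `stat_as` is a hypothetical helper name, and the code assumes Linux with glibc; it keeps the old effective id in the saved id so the process can switch back afterwards.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* glibc declares these only under _GNU_SOURCE; repeated so the file also
 * builds when another header was included before the define above. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
#define KEEP (-1) /* "leave this id unchanged" */

/* stat() path with the effective uid/gid temporarily set to uid/gid (the
 * web-server account in the post), then switch back. The old effective id
 * is parked in the saved id, which is what makes the switch back possible. */
int stat_as(const char *path, uid_t uid, gid_t gid, struct stat *st)
{
    uid_t old_uid = geteuid();
    gid_t old_gid = getegid();
    int rc, err;

    /* Change the group first, while the process is still privileged. */
    if (setresgid(KEEP, gid, old_gid) != 0)
        return -1;
    if (setresuid(KEEP, uid, old_uid) != 0) {
        err = errno;
        if (setresgid(KEEP, old_gid, KEEP) != 0)
            abort();
        errno = err;
        return -1;
    }
    rc = stat(path, st); /* the NFS server now sees uid/gid, not squashed root */
    err = errno;

    /* Restore the uid first so the gid change is privileged again. A failed
     * restore leaves the process with unknown ids, so stop instead of going on. */
    if (setresuid(KEEP, old_uid, KEEP) != 0 ||
        setresgid(KEEP, old_gid, KEEP) != 0)
        abort();
    errno = err;
    return rc;
}

int main(void)
{
    struct stat st;
    return stat_as("/", geteuid(), getegid(), &st) == 0 ? 0 : 1;
}
```

While the saved uid is still 0 the process can regain root, so the final switch to the script owner has to set the real, effective and saved ids together before the script runs. The helper leaves supplementary groups untouched.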

We also would like a similar setup for cgi scripts. This can be achieved simply by using the suexec module for apache with userdirs enabled.
