views:

35

answers:

2

(Yes, I know that questions pertaining to lighttpd fit better on SF, but I thought it was more apt to be asked here since it's primarily concerned with security policy.)

We're planning to set up a small web server in my college, so that people could get some web space to put up web pages and the like. They could also upload PHP pages. The whole setup runs from within a chroot jail.

We are thinking about using the same infrastructure to put up some more services, for instance a discussion forum. My problem is, putting the forum in the same document root (or indeed, the same chrooted environment) pretty much allows any user to place small PHP scripts in their directories that can access the forum configuration files (using, say, file_get_contents). This is a massive security risk! Is there any way to solve this issue, short of disabling PHP for the user accounts, and only keeping it enabled for the discussion forum and the like, or serve the forum elsewhere and proxy it using lighttpd?

I doubt setting ownerships/permissions would do anything to fix this, since, the way I see it, the PHP FastCGI process is spawned by the web server, and hence, any page that can be accessed by the server (they all must be, seeing how it is the server that must ultimately serve them) can be accessed by the PHP scripts uploaded by a user.

Any help would be appreciated!

+2  A: 

Well, a few points.

First off, while Lighttpd is GREAT for high performance needs, it was not designed to be used in a shared host setting. Apache would likely be the better choice for that, since it supports things like .htaccess...

Secondly, PHP does not need to be run as the same user as Lighttpd. You can use the spawn_fcgi program to launch each fastcgi listener as the user of that website. You would declare a fastcgi backend for each virtual host. Note that you likely won't be able to use any of the built-in vhost modules (simple_vhost, etc). Simply use the regular expression matching:

Either by IP and Port:

$SERVER["socket"] == "127.0.0.2:80" {
    fastcgi.server = (
        ".php" => (
            # one backend entry per user, pointing at that user's own socket
            "username" => (
                "socket" => "/tmp/user_php.fastcgi",
            )
        )
    )
}

Or by host name:

$HTTP["host"] =~ "example\.com" {
    # ...
}

You would likely need to modify the init script to also execute spawn_fcgi to launch the php processes for each user.

ircmaxell
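The per-user backend layout described in this answer, written out as an added example (this is not code from the answer or from the lighttpd project): a small POSIX shell script that emits, for each account, the host-matched lighttpd block and the spawn-fcgi command that starts that account's php-cgi as that user on a socket only lighttpd may connect to. The paths, the domain example.edu, the www-data account and the "-php" backend name are assumptions.

```shell
#!/bin/sh
# Added example (not from the answers above): generate, for each shell account,
# a lighttpd vhost block that talks to that user's own php-cgi backend, plus the
# spawn-fcgi command that starts the backend as that user. Paths, the domain
# and the lighttpd user below are assumptions for this example.
SOCKET_DIR=/var/run/php-fcgi      # one Unix socket per user lives here
DOCROOT_BASE=/srv/www             # $DOCROOT_BASE/<user>/public_html
LIGHTTPD_USER=www-data            # the account lighttpd itself runs as
LIGHTTPD_GROUP=www-data
PHP_CGI=/usr/bin/php-cgi
DOMAIN=example.edu                # users get <user>.$DOMAIN

# vhost_block USER: lighttpd conditional routing USER's vhost to USER's socket.
vhost_block() {
    user=$1
    cat <<EOF
\$HTTP["host"] == "$user.$DOMAIN" {
    server.document-root = "$DOCROOT_BASE/$user/public_html"
    fastcgi.server = (
        ".php" => (
            "$user-php" => (
                "socket" => "$SOCKET_DIR/$user.sock",
            )
        )
    )
}
EOF
}

# spawn_cmd USER: the spawn-fcgi invocation for USER's backend (run as root at
# boot). -u/-g make php-cgi run as USER, so file_get_contents() from USER's
# scripts is bounded by USER's filesystem permissions. -U/-G/-M hand the socket
# to lighttpd with mode 0600, so another user's php-cgi cannot connect to it.
spawn_cmd() {
    user=$1
    printf 'spawn-fcgi -s %s/%s.sock -P %s/%s.pid -u %s -g %s -U %s -G %s -M 0600 -- %s\n' \
        "$SOCKET_DIR" "$user" "$SOCKET_DIR" "$user" "$user" "$user" \
        "$LIGHTTPD_USER" "$LIGHTTPD_GROUP" "$PHP_CGI"
}

# Usage: sh php-per-user.sh alice bob > /etc/lighttpd/conf.d/users.conf
# The spawn-fcgi lines go to stderr; paste them into the init script.
for u in "$@"; do
    vhost_block "$u"
    spawn_cmd "$u" >&2
done
```

Static files that lighttpd serves itself still have to be readable by www-data, and every directory on the path needs search (x) permission for it; only the .php sources and the forum's configuration files can be locked down to 0600/0700 for their owner, since php-cgi reads those as that owner.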
+1  A: 

Each user needs to have their own Linux user account. Then you need to use SuPHP+LightHTTPD to make sure that the php code is run with the privileges of that user. Next you should make sure that all files are owned by the correct user and chmod 700 or chmod 500 (best for .php files). The last two zeros in the chmod, along with suphp, make it such that users cannot file_get_contents() each other's files.

Rook
I could possibly do this, since every user has a uid corresponding to him anyway, but it seems suPHP can only work with CGI, and not FastCGI (which makes sense, as FCGI child processes are persistent, and 1600 child processes would be a nightmare...)
susmits