Correctly set php-fpm child users, improve site security anti-hanging horse

According to the production environment of continuous feedback, found continued hanging of PHP Web Trojans, most of the reason for this is because permissions are not set reasonable cause. Because the server software, or vulnerability exists in the PHP program is inevitable, in this case, if properly set directory permissions of the Linux, PHP processes right, then the site’s security is actually guaranteed.

So, what reasons caused hang Trojans?

FTP connection information compromised, and for this reason, viable option is to use a very complicated FTP user name (do not use a common user name), if it is a fixed job, consider using source IP iptables firewall restrictions. Under some scenarios, you may need to use VPN for remote maintenance. That webmasters need to modify Web site using the FTP file, you must first login to IDC machine room of the VPN server, then for subsequent operations.

Web server software/configuration vulnerability exists in/PHP programs, being used in discussing this question, several concepts first description file and process privileges:

Modify permissions on the FTP users to the Web site directory has the most, then the files must belong to the owner of the site FTP, this is without a doubt, or how to modify files?

PHP-fpm process, Nginx processes file needs to have at least read access to the Web site, for example, use the following command to view these two processes account:

php-fpm-security1

php-fpm-security2

Through the above, we can see that nginx and PHP-fpm the child account is nobody.

We check website file permissions on the directory:

php-fpm-security3

Find file owner is www account, then:

Nginx and PHP only has read permissions to the Web site without written permission
If PHP procedures need some file has write permissions to the Web site, you need to manually modify permissions for a file or directory to 777
Because PHP-fpm process is running in nobody, then PHP-fpm the resulting new file owner is nobody, then FTP users cannot modify these files, Bell need to end it, when the generated php file, call the chmod (“/somedir/somefile”, 0777) to modify the file permissions to 777 in order to FTP user can modify the file.
Often developers find I request permission to reset the PHP file that is generated.
If the file owner user runs the Web site PHP-fpm child process, that means that the PHP-fpm process for the entire site directory have write permissions, the nightmare begins.

But we have found that many system administrators in order to save time, violates the principle of minimizing Linux permissions, set the PHP-fpm process running in site owners account, so that PHP developers may of course (PHP-fpm process for the entire site directory have write permissions), but this Linux file system permissions of the system principle will be broken, and all security measures will be useless. You can imagine is, if PHP procedures have vulnerabilities, the attacker upload Trojans, you can modify all the files of the site, website Home is black, it is not surprising.

Take a step back, if we set more restrictive permissions if PHP vulnerabilities in your program, then an attacker can tamper with the directory permissions to 777, other files are not overwritten, site does not have a safer yet?

Core summary: PHP-fpm the process used by the user, not a site owner. Any deviation from this principle, is inconsistent with the principle of least privilege.

After I see the Internet about nginx, PHP-fpm configuration articles, tutorials, and books on the market, found that many people are misled by these articles, PHP-fpm child processes run in site owners account directly, such as Zhang Yan of the real high-performance Web server nginx instead of Apache in a 52-page book, there are the following settings:

www www

Official profile, PHP-fpm child process using the nobody user, it is entirely reasonable, and needed to be changed.

Then nginx processes a user, how to set? My suggestion is that nobody (no effect on error log is written), set as follows:

Nginx.conf file the first line is set to user nobody; , You can then perform the reload.

PHP-fpm child processes user settings:

Edit the file php-fpm.conf (located in the/usr/local/PHP/etc/php-fpm.conf installation parameters for), both user and group parameters defined, set it to nobody (default is nobody), and then restart the PHP-fpm process.

Site directory special note

Here to write, is relatively PHP-fpm to the child process. A website is most likely security issues is a writable directory, if writable directory permissions can control, safety factors will greatly increase. We believe that a website a writable directory is divided into the following:

List of PHP data caching, as forumdata discuz directory, storing large amounts of data cache files. Generally do not allow users direct access to such directories, but discuz in this directory and store a lot of js, CSS files, we cannot simply deny the user access to that directory. Obviously, all of the files in this directory, not directly to the PHP parsing, we will give you the solution.
Attachment upload directory. Obviously this list would need open access, but cannot be handed over to the PHP engine parse (that is, all the files in this directory are treated as ordinary static files).
Static files directory, all files under this directory should be treated as static files.
Log directory, typically denying users direct access to it.

That is for Web site developers, writable directory needs to achieve separation, different files, should be treated differently, which is convenient for system administrators, set reasonable rules of nginx, to increase security.

Simply remove the PHP file execute permissions, do not prevent parsing of the PHP-fpm process.

Next, according to the above summary, list of system administrators how to configure nginx rules, more secure?

/Cache/data cache directory, this directory is the need 777 permissions, users can access them without, can be configured in the following reference nginx

location ~ “^/cache” {
return 403;
}

location ~ “.php$” {
fastcgi_pass 127.0.0.0:9000;
………………..
}
At this point, any user can not access the / cache / directory contents.

Accessory attachments upload directory

Features of this directory is need to open access, but can not resolve all the files from the php engine (including name suffix Trojan gif file)

location ~ “^/attachments” {
}

location ~ “.php$” {
fastcgi_pass 127.0.0.0:9000;
………………..
}

Note that, on the face of attachments directory location is no definition statement. location matching the highest priority, any use regular expressions to define the location nginx regular expression, as long as match time, other location will no longer match the regular expression definitions.

Now, create a directory in php script file attachments, and then access security through the browser, we found that the browser prompts to download, indicating that the file attachments nginx directory as static file handling, and not handed over to php fastcgi process. So even if a writable directory is implanted Trojan, but because it can not be executed, the site will be more safe.

 

Obviously, it is important php configuration file, do not put under such directories.

Static file generation directory public

These directories are usually stored directory php generated static pages, clearly and accessories catalog were similar, according to annex directory permissions settings. It is foreseeable that, if we set a more restrictive permission, even if the site php program vulnerabilities, Trojan script can only be written to the directory permissions to 777 to go, if the directory with the above strict access control, Trojans can not triggered operation, safety of the entire system will be significantly improved obviously.

But the site role and writable directory permissions, only developers most clearly. This aspect needs php developers and system administrators to actively communicate. The way we use are: front-line projects, developers according to the document in the form of writable directories provide web role and authority, set up by the system administrator privileges for different directories. Either modify the site directory permissions, but reflected in the document, we believe is a violation of the workflow.

Leave a Reply

Your email address will not be published. Required fields are marked *