Posted by that0n3guy on July 10, 2010 at 10:28pm
Hey all,
I am wondering what kind of hacking a person could do on a multisite environment if php filter is enabled? Can they access other sites?
If so, isn't this more than a "php filter" issue, and isn't any cck field (since you can do php stuff in there also) also a hazard?
If there are issues, how do you host many sites on the same aegir server for different users (who want full access to drupal) if they can potentially hack into other sites?
Sorry, that's a load... just thought about it.
-Peter
Comments
Anyone with access to execute PHP on one of the sites will have the exact same rights as the webserver user on that server. So they'll be able to read pretty much any files in the Drupal root and write to areas like the files folder of any of the sites.
They'll also be able to read the settings.php of each site which contains the mysql database username and password. So they'll essentially have full admin access to any of the other sites within that multisite setup.
See the security concerns paragraph at the end of this page: http://drupal.org/getting-started/6/install/multi-site
Right now in my own setup I trust all of the admin users since I know them personally, but this obviously isn't a solution for everyone. I know that shared hosts have a way to run apache as different users in different document roots so maybe you could do something differently. But then you'll need to create a new platform for each admin user on your setup.
Hi that0n3guy and hadsie,
In Aegir, we try to mitigate some of that risk, by actually removing the explicit mysql database credentials from the settings.php. Instead we replace them with environment variables which are read in by the server from the Apache virtualhost config for each site. This means even if an admin user reads the settings.php of another site, they can't see the credentials in that file.
Example snippet from settings.php:
$db_url = "$_SERVER[db_type]://$_SERVER[db_user]:$_SERVER[db_passwd]@$_SERVER[db_host]/$_SERVER[db_name]";
Example snippet from the vhost config:
SetEnv db_type mysql
SetEnv db_name site_208
SetEnv db_user site_208
SetEnv db_passwd somepassword
SetEnv db_host localhost
I agree with basically everything else hadsie says.
In early versions of Aegir, we implemented some logic based on Apache's mod_itk module, allowing site data to be owned by different UIDs on the server. The code was removed, I believe because it was unstable/too hard to maintain, but something like it may return in the future for Aegir, as security is a very significant consideration for us.
The best security measure you can take is caution - don't hand out php filter/admin access to site users you don't trust, if you can help it. If you can't, avoid running multiple sites on the same platform (within the same HTTP document root), and if you can't do that, make sure you keep regular, reliable backups in case something unfriendly occurs.
Thanks for all the info guys.
I'm going to have to rethink some stuff I was planning on doing (fun fun) :P
Does Aegir support multi-user environments? With upcoming support of Nginx I would like to see the following setup security-wise:
1) every site should have dedicated unix user
2) all site files should be owned by that user.
3) settings.php should be readable by the owner only, which should make stealing DB passwords impossible
4) php (and nginx workers) should run in fcgi mode using that user (thanks to php-fpm)
5) Ideally, all files should be readable by the site user only. That should make it impossible to use a vulnerability in one site to upload backdoor php code and execute the code on other sites. In multisite environments, only shared Drupal core files and modules should be globally readable.
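Two of the points raised in this thread can be checked mechanically: whether each site's settings.php is readable only by its owner (item 3 in the list above) and whether the database credentials are literals in the file or are pulled from the environment the way Aegir's SetEnv / $_SERVER snippet does. The script below is an added example written for this thread, not Aegir's own code; it assumes a Drupal 6 style platform layout (sites/<name>/settings.php with a $db_url line) and builds a throwaway platform in a temp directory with one hardened site and one weak site so it runs offline. The site names, the example password and the audit function names are all constructed for the demo.

```python
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path

# Matches the Drupal 6 style connection line shown in the thread, e.g.
#   $db_url = "mysql://site_208:somepassword@localhost/site_208";
# and captures the right-hand side so we can see where the credentials come from.
DB_URL_LINE = re.compile(r'^\s*\$db_url\s*=\s*(.+?);', re.MULTILINE)


def db_url_rhs(settings_text: str):
    """Return the right-hand side of the $db_url assignment, or None if absent."""
    match = DB_URL_LINE.search(settings_text)
    return match.group(1) if match else None


def credentials_from_env(rhs: str) -> bool:
    """True when the connection string is built from the environment
    (Aegir's $_SERVER[...] interpolation, or getenv()) rather than literals."""
    return "$_SERVER[" in rhs or "getenv(" in rhs


def audit_settings_file(settings_path: Path) -> list:
    """Findings for one settings.php: permission bits and plaintext credentials."""
    findings = []
    mode = settings_path.stat().st_mode & 0o777
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("settings.php readable by group/other (mode %o)" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("settings.php writable by group/other (mode %o)" % mode)
    rhs = db_url_rhs(settings_path.read_text())
    if rhs is not None and not credentials_from_env(rhs):
        findings.append("database credentials stored as literals in settings.php")
    return findings


def audit_platform(platform_root: Path) -> dict:
    """Walk sites/*/settings.php under a Drupal platform and report per site."""
    report = {}
    sites_dir = platform_root / "sites"
    for site_dir in sorted(sites_dir.iterdir()):
        settings = site_dir / "settings.php"
        if site_dir.name == "all" or not settings.is_file():
            continue  # sites/all holds shared modules/themes, not a site
        report[site_dir.name] = audit_settings_file(settings)
    return report


# --- constructed demo platform (hypothetical, not a real Aegir install) --------
ENV_BASED = (
    "<?php\n"
    '$db_url = "$_SERVER[db_type]://$_SERVER[db_user]:$_SERVER[db_passwd]'
    '@$_SERVER[db_host]/$_SERVER[db_name]";\n'
)
LITERAL = (
    "<?php\n"
    '$db_url = "mysql://example_user:EXAMPLE_PASSWORD@localhost/example_db";\n'
)


def build_and_audit_demo() -> dict:
    """Create a throwaway platform with one hardened and one weak site, audit it."""
    root = Path(tempfile.mkdtemp(prefix="aegir_audit_demo_"))
    try:
        hardened = root / "sites" / "site_208"
        weak = root / "sites" / "example.com"
        for d in (hardened, weak, root / "sites" / "all"):
            d.mkdir(parents=True)
        (hardened / "settings.php").write_text(ENV_BASED)
        os.chmod(hardened / "settings.php", 0o400)   # owner-only, as item 3 asks
        (weak / "settings.php").write_text(LITERAL)
        os.chmod(weak / "settings.php", 0o644)       # the usual default mode
        return audit_platform(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for site, findings in build_and_audit_demo().items():
        print(site, "OK" if not findings else "; ".join(findings))
```

Run against a real platform with audit_platform(Path("/var/aegir/platforms/<platform>")) after the demo; the mode check is only meaningful once each site's files are owned by a dedicated unix user as items 1 and 2 propose, since with a single shared webserver user an owner-only settings.php is still readable by every site's PHP.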