Accurately set PHP-FPM child process users to improve website security to prevent the Trojans from being hung

Correctly set PHP-FPM child process user to improve website security prevent being hanged Trojan

Core Summary: The user that thephp-fpm child process uses cannot be the site file owner. Any violation of this principle does not conform to the principle of least privilege.

?

based on continuous feedback from the production environment, we found PHP website is hung Trojan, most of the reason is because the permissions set unreasonable. Because the server software, or PHP programs in the presence of loopholes are unavoidable, in this case, if you can correctly set the Linux Site Directory permissions,php process permissions, the security of the Web site can actually be guaranteed.

?

So, what causes the website to be hanged Trojan?

?

1.FTP　 connection information is cracked, for this reason, the possible way is to use a very complex ftp user name (do not use the common user name), if it is a fixed job, you can consider using The iptables firewall restricts the source IP.　However, in some scenarios, you may need to use a VPN for remote maintenance. That is, site maintainers need to use FTP to modify the site files, you must first log on to the IDC room VPN Server, And then proceed with the subsequent operation.

?

2. Web Server Software / configuration /php programs are vulnerable, exploited
Before discussing this issue, describe several concepts of file and process permissions :

A.? The FTP user has the most modification permission to the website directory, then the website's file owner must belong to the FTP, This is undoubtedly ,? Otherwise how to modify the file?

B.? php-fpm process,thenginx process must have at least Read permission to the Web site file, for example, the following command to view the accounts used by the two processes:

Through, we can find thatnginx and php-fpm Sub-process account is nobody.

?

We then check the permissions of the Web site file directory:

Find website file owner is www account, that means:

|? nginx and php have only read access to the Web site, no write permission

l? if the PHP program requires write access to some of the site's files, you need to manually modify the file or directory permissions to 777

l? because the php-fpm child process is running in nobody , The new file owner that PHP-FPM generates is also Nobody, huh? At this FTP users will not be able to modify these files, and the bell needs to be PHP after the file is generated, you need to call chmod ("/somedir/somefile",? 0777) Modify the file permissions to 777 , so that FTP The user can also modify this file.

l? There are often developers who ask me for permission to reset php -generated files.

?

l? if the php-fpm child process runs as a Web site file owner user, that means that the php-fpm process has writable permissions to the entire site directory, and the nightmare begins.

?

However, we found that there are many system administrators in order to save trouble, violating the principle of Linux Minimize permissions, set up the php-fpm process to run the site file owner account, of course, this may be convenient PHP Developers ( PHP-FPM The process has writable permissions on the entire site directory), but Linux The system's filesystem privilege principle will be broken, and all security measures will be in the form of a dummy. As you can imagine, If there is a loophole in the PHP program, the attacker can upload a Trojan horse, it will be able to modify all the files on the site, the homepage is black, it is not surprising.

?

Step back, if we set stricter permissions, even if there is a bug in the PHP program, then the attacker can only tamper with permissions to 777 directory, the other files can not be rewritten, the site is more secure?

?

Core Summary: The user that thephp-fpm child process uses cannot be the site file owner. Any violation of this principle does not conform to the principle of least privilege.

?

After I read the online about nginx,?php-fpm Configuration of the article tutorial and some books on the market, found that many people are misled by these articles, directly let the php-fpm Sub-process to the site owner account to run, For example, Zhang Yi's "actual nginx? " Replace Apache of high-performance Web Server "book the page, the following settings are present:

Www

Www

on page P , the site file owner is also a www User:

Chown?-r?www:www?/data0/htdocs/blog

Obviously, this part of the book is misleading for beginners, and in response to this problem, I have sent an e-mail to the author of this book in the hope that it can be emphasized in the second edition, so as to avoid some security risks due to excessive and loose permission configuration.

?

In the official provisioning profile, thephp-fpm child process uses the nobody user, which is entirely reasonable and does not need to be modified.

?

So nginx Child process user, how to set reasonable? My advice is also to use nobody(no impact on error log writes, etc.), set the method as follows:

the first line of the nginx.conf file is set to user???? Nobody;?,? re-execute Nginx?-s?reload can be.

?

PHP-FPM Child Process User Setting method:

Edit File php-fpm.conf(typically located in /usr/local/php/etc/php-fpm.conf,? Depending on the installation parameters), locate User , Group two parameter definitions, set it to nobody ( default is already nobody), and restart php-fpm Process can be.

?

?

Special attention to the website's writable catalogue

The writable here is relative to the php-fpm child process. A Web site is the most vulnerable to the security problem is the writable directory, if the writable directory permissions can be controlled strictly, the safety factor will be greatly improved.

We believe that a Web site can be written in the following categories mainly:

1.thePHP data cache directory, such as the forumdata directory of Discuz , stores a large number of data cache files. Such directories generally prohibit users from direct access, but discuz in this directory and store a lot of js,?css files, we can not simply deny users access to this directory. Obviously, all the files in this directory cannot be given directly to PHP , and we'll give you a solution later. 　

2. Upload the contents of the attachment. It is clear that such directories require access but cannot be parsed by the PHP engine (that is, all files in this directory are treated as normal static files).

3. static file generation directory, files in such directories should all be treated as static files.

4. The log directory will generally deny direct access to the user.

?

That is to say, for Web site developers, the need for writable directory to achieve static and dynamic separation, different performance of the file, should be treated differently, so it is convenient for system administrators, set reasonable nginx rules to improve security.

?

Simply removing the php File Execution permission does not prevent the php-fpm process from parsing.

?

Next, based on the above summary, how can the system administrator configure nginx directory rules to be more secure?

1. data cache directory? /cache/
This directory is characterized by the need for 777 permissions, no need to provide user access, then you can configure Nginx according to the following reference

Location?~? " ^/cache "? {

return?403;

}

?

Location?~? " \.php$ "? {

fastcgi_pass?127.0.0.0:9000;

....................

}

?

At this point, no user will be able to access the /cache/ directory content, even if

2. attachment upload directory? Attachments

This directory is characterized by the need for open access, but all files cannot be parsed by the PHP engine (including the suffix name to gif trojan file)

Location?~? " ^/attachments "? {

?

}

?

Location?~? " \.php$ "? {

fastcgi_pass?127.0.0.0:9000;

....................

}

?

Note that there is no statement in the location definition for the attachments directory above. Nginx has the highest priority for location matching of regular expressions , any location defined with a regular expression . once matched, the other regular expression definitions will no longer match the Location .

?

Now, please create a php script file in the attachments directory , and then visit Ann through the browser, we found that the browser prompts to download, indicating that nginx The file under the attachments directory is treated as a static file and is not handed to php?fastcgi for processing. So even if the writable directory is planted Trojan, but because it can not be executed, the site is more secure.

?

Obviously, important php configuration files should not be placed under this category.

?

3. static file generation directory? Public
These directories are usually saved directories of the static pages generated by PHP, apparently similar to the attachments directory, by the permissions set in the attachment directory.

Predictably, if we set more stringent permissions, even if the website PHP program has a loophole, Trojan script can only be written to the permissions of the 777 directory, If combined with the above strict directory permissions control, Trojan can not be triggered to run, the overall system security will obviously be significantly improved.

?

But the site can write the role of directory and permissions, only developers are most clear. This requires active communication between PHP developers and system administrators. The way we use it is: Before the project goes live, the developer provides the role and permissions of the Web site writable directory as a document, and the system administrator sets the permissions for the different directories. Either party modifies the site Directory permissions, but does not reflect the documentation, which we consider to be a violation of the work flow.

