[debian-edu-commits] [Git][debian-edu/debian-edu-config][bullseye] 11 commits: etc/apache2/mods-available/debian-edu-userdir.conf: White-space cleanup (tabs and spaces mixed).

Mike Gabriel (@sunweaver) gitlab at salsa.debian.org
Fri Feb 11 15:48:38 GMT 2022



Mike Gabriel pushed to branch bullseye at Debian Edu / debian-edu-config


Commits:
bf4416cc by Mike Gabriel at 2022-01-19T18:33:03+01:00
etc/apache2/mods-available/debian-edu-userdir.conf: White-space cleanup (tabs and spaces mixed).

(cherry picked from commit dee8b9df0fc936cf4407dead72b6d7205b065e70)

- - - - -
1c06c8a0 by Mike Gabriel at 2022-01-19T18:33:18+01:00
etc/apache2/mods-available/debian-edu-userdir.conf: Disable built-in PHP engine.

(cherry picked from commit 4d39a5888d193567704238f8c035f8d17cfe34e5)

- - - - -
1c45cf37 by Mike Gabriel at 2022-01-19T21:23:38+01:00
README.public_html_with_PHP-CGI+suExec.md: Provide documentation on how to enable suExec support in https userdirs (i.e. ~/public_html).

(cherry picked from commit 760d450c6f2504a9d2c43298b2398697fa20cfe5)

- - - - -
2ac9a241 by Mike Gabriel at 2022-01-19T21:23:44+01:00
etc/apache2/mods-available/debian-edu-userdir.conf: Add warning to not re-enable PHP interpretation in user dirs (with reference to our README).

- - - - -
668538e0 by Mike Gabriel at 2022-01-19T21:36:13+01:00
README.public_html_with_PHP-CGI+suExec.md: Some fine-tuning of the wording.

- - - - -
77ceb4a3 by Mike Gabriel at 2022-01-19T21:38:55+01:00
debian/changelog: update from Git history

- - - - -
f5988a0f by Mike Gabriel at 2022-02-03T08:25:08+01:00
d/changelog: Attribute PHP engine disablement with CVE-2021-20001.

- - - - -
ed0dca83 by Mike Gabriel at 2022-02-04T13:15:02+01:00
debian/NEWS: Add file, inform about PHP being disabled in Apache2 user directories.

- - - - -
b049aa92 by Mike Gabriel at 2022-02-04T13:17:55+01:00
debian/NEWS: amend typo fixes

- - - - -
967bbb20 by Mike Gabriel at 2022-02-07T16:11:12+01:00
upload to bullseye-security (debian/2.11.56+deb11u3)

- - - - -
a9e805a6 by Mike Gabriel at 2022-02-11T16:48:19+01:00
Merge branch 'bullseye-security' into bullseye

- - - - -


5 changed files:

- Makefile
- + README.public_html_with_PHP-CGI+suExec.md
- + debian/NEWS
- debian/changelog
- etc/apache2/mods-available/debian-edu-userdir.conf


Changes:

=====================================
Makefile
=====================================
@@ -241,6 +241,7 @@ install: install-testsuite
 	done
 
 	$(INSTALL_DATA) README $(DESTDIR)$(docdir)/README
+	$(INSTALL_DATA) README.public_html_with_PHP-CGI+suExec.md $(DESTDIR)$(docdir)/README.public_html_with_PHP-CGI+suExec.md
 
 	set -e ; for cf3 in $(CF3FILES); do \
 		$(INSTALL_DATA) cf3/$$cf3 $(DESTDIR)$(cf3dir)/$$cf3; \


=====================================
README.public_html_with_PHP-CGI+suExec.md
=====================================
@@ -0,0 +1,144 @@
+# Debian Edu and PHP scripts in ~/public_html
+
+This is about the Apache2 configuration on the Debian Edu mainserver (aka
+``tjener.intern``).
+
+## Security Notices and Warnings
+
+The configuration file
+``/etc/apache2/mods-available/debian-edu-userdir.conf`` disables the
+Apache2 built-in PHP support for PHP scripts in user directory (i.e. in
+web pages served via ~/public_html).
+
+This is for a reason, as Apache2's default system account ``www-data``
+has certain privileges on the Debian Edu main-server that we don't want to
+expose to arbitrary code in some ``~/public_html`` directory.
+
+If people shall be able to execute PHP (or other CGI scripts) from
+``~/public_html`` for studying purposes, then they should be executed
+with the script file owner's user privileges.
+
+Do not use this method if it is not required to interpret PHP code from
+within ~/public_html directories. This method (opposed to Apache2's
+built-in PHP support) exposes user home directories to data manipulation
+risks (in case users create bad code in their ~/public_html scripts).
+Also, this method turns Apache2's PHP interpretation into some rather
+performance wasting mode (libapach2-mod-phpX -> phpX-cgi).
+
+## Test built-in PHP
+
+Here is a simple PHP script for testing PHP interpretation privileges and
+checking later on that the suExec'ing really works:
+
+```
+<?php
+
+print "hello, this script runs as user '";
+system("id -u -n");
+print "'<br>";
+
+?>
+```
+
+Place this script as e.g. ~/public_html/id.php into your HOME directory and
+make sure that everyone can access this file. A restrictive permission example
+is this:
+
+```
+<user>@tjener:~/public_html$ ls -al
+insgesamt 12
+drwx-----x  2 <user> <primgroup> 4096 19. Jan 20:35 .
+drwx-----x 20 <user> <primgroup> 4096 19. Jan 20:35 ..
+-rw----r--  1 <user> <primgroup>   90 19. Jan 20:35 id.php
+```
+
+Now edit /etc/apache2/mods-available/debian-edu-userdir.conf on TJENER and
+set ``php_admin_flag engine on``.
+
+When opening the URL ``http://www.intern/~<user>/id.php`` it should show this simple web page:
+
+```
+hello, this script runs as user 'www-data'
+```
+
+As enabling the built-in PHP engine (running as user www-data) is
+considered insecure on the Debian Edu main-server (aka TJENER), here
+follows the promised alternative setup.
+
+## Enable PHP CGI with suExec
+
+Install Apache2, PHP, suExec and support for executing pseudo-binaries.
+
+```
+<user>@tjener:~/public_html$ sudo apt-get install apache2-suexec-pristine php-cgi binfmt-support
+```
+
+Configure PHP to run ``.php`` scripts from the shell.
+
+```
+<user>@tjener:~/public_html$ sudo update-binfmts --install PHP /usr/bin/php-cgi --extension php
+```
+
+Enable the necessary suExec Apache module:
+
+```
+<user>@tjener:~/public_html$ sudo a2enmod suexec
+```
+
+Re-configure the ``debian-edu-userdir.conf`` module as follows:
+
+```
+--- a/etc/apache2/mods-available/debian-edu-userdir.conf
++++ b/etc/apache2/mods-available/debian-edu-userdir.conf
+@@ -8,6 +8,12 @@
+                # Read /usr/share/doc/debian-edu-config/README.public_html_with_PHP-CGI.md
+                php_admin_flag engine off
+ 
++               Options +ExecCGI
++               <FilesMatch "\.php$">
++                       SetHandler cgi-script
++                       SetEnv REDIRECT_STATUS 1
++               </FilesMatch>
++
+                AllowOverride FileInfo AuthConfig Limit
+                Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
+                <Limit GET POST OPTIONS>
+```
+
+Reload the Apache configuration.
+
+```
+<user>@tjener:~/public_html$ sudo /etc/init.d/apache2 force-reload
+```
+
+## User Permissions on userdir PHP files
+
+Finally, userdir PHP scripts in ``~/public_html`` must not be writeable
+by group or others. If otherwise, their execution gets blocked by
+Apache2.
+
+Also, their executable bit must be set.
+
+See example below:
+
+```
+<user>@tjener:~/public_html$ find ~/public_html -name "*.php" -exec chmod 0700 {} \;
+```
+
+This will turn our ``~/public_html`` test directory to:
+
+```
+<user>@tjener:~/public_html$ ls -al
+insgesamt 12
+drwx-----x  2 <user> <primgroup> 4096 19. Jan 20:35 .
+drwx-----x 20 <user> <primgroup> 4096 19. Jan 20:35 ..
+-rwx------  1 <user> <primgroup>   90 19. Jan 20:35 id.php
+
+```
+
+When opening the URL ``http://www.intern/~<user>/id.php`` now, it should
+show the owning user as account this script has been run under:
+
+```
+hello, this script runs as user '<user>'
+```


=====================================
debian/NEWS
=====================================
@@ -0,0 +1,15 @@
+debian-edu-config (2.11.56+deb11u3) bullseye-security; urgency=medium
+
+    CVE-2021-20001: For mitigating potential privilege escalations that
+    could be caused by malicious PHP scripts in Apache2-accessible user
+    directories (i.e. PHP files placed into ~/public_html) on the Debian
+    Edu mainserver, the PHP engine is now disabled for Apache2 user
+    directories (see /etc/apache2/mods-enabled/debian-edu-userdir.conf).
+
+    However, if PHP functionality is required for Apache2 user directories
+    for educational purposes, an alternative configuration approach is provided
+    in:
+
+    /usr/share/doc/debian-edu-config/README.public_html_with_PHP-CGI+suExec.md
+
+ -- Mike Gabriel <sunweaver at debian.org>  Fri, 04 Feb 2022 12:14:05 +0100
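Review bot: The entry directs admins to /etc/apache2/mods-enabled/debian-edu-userdir.conf, but the file changed by this upload is /etc/apache2/mods-available/debian-edu-userdir.conf (mods-enabled only holds the symlink), and both the README and the changelog use the mods-available path; NEWS should use the same path so that an admin following it edits the real file. Minor: "mainserver" here versus "main-server" in the README.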


=====================================
debian/changelog
=====================================
@@ -1,4 +1,4 @@
-debian-edu-config (2.11.56+deb11u3) UNRELEASED; urgency=medium
+debian-edu-config (2.11.56+deb11u4) UNRELEASED; urgency=medium
 
   [ Wolfgang Schweer ]
   * etc/exim4/exim-ldap-server-v4.conf: Accept incoming mail from internal
@@ -14,6 +14,21 @@ debian-edu-config (2.11.56+deb11u3) UNRELEASED; urgency=medium
 
  -- Mike Gabriel <sunweaver at debian.org>  Fri, 14 Dec 2021 22:21:50 +0100
 
+debian-edu-config (2.11.56+deb11u3) bullseye-security; urgency=medium
+
+  * etc/apache2/mods-available/debian-edu-userdir.conf:
+    - White-space cleanup (tabs and spaces mixed).
+    - CVE-2021-20001: Disable built-in PHP engine.
+    - Add warning to not re-enable PHP interpretation in user dirs (with
+      reference to our README).
+  * README.public_html_with_PHP-CGI+suExec.md:
+    - Provide documentation on how to enable suExec support in Apache2 user
+      directories (i.e. ~/public_html).
+  * debian/NEWS:
+    + Add file, inform about PHP being disabled in Apache2 user directories.
+
+ -- Mike Gabriel <sunweaver at debian.org>  Fri, 04 Feb 2022 13:19:51 +0100
+
 debian-edu-config (2.11.56+deb11u2) bullseye; urgency=medium
 
   [ Mike Gabriel ]
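Review bot: The sub-item marker in the new deb11u3 entry switches from "-" (debian-edu-userdir.conf and README items) to "+" for the debian/NEWS item; one marker should be used throughout the entry. Also, the top entry now reads 2.11.56+deb11u4 UNRELEASED but keeps a trailer dated Fri, 14 Dec 2021, which is older than the deb11u3 entry (04 Feb 2022) placed below it; the trailer should be refreshed before the next upload so the entries stay in chronological order.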


=====================================
etc/apache2/mods-available/debian-edu-userdir.conf
=====================================
@@ -1,16 +1,21 @@
 <IfModule mod_userdir.c>
-        UserDir public_html
-        UserDir disabled root
+	UserDir public_html
+	UserDir disabled root
+
+	<Directory /skole/*/home*/*/public_html>
+
+		# Do not enable the built-in PHP engine here...
+		# Read /usr/share/doc/debian-edu-config/README.public_html_with_PHP-CGI.md
+		php_admin_flag engine off
+
+		AllowOverride FileInfo AuthConfig Limit
+		Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
 
-        <Directory /skole/*/home*/*/public_html>
-                AllowOverride FileInfo AuthConfig Limit
-                Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
 		<Limit GET POST OPTIONS>
 			Require all granted
 		</Limit>
 		<LimitExcept GET POST OPTIONS>
 			Require all denied
 		</LimitExcept>
-        </Directory>
+	</Directory>
 </IfModule>
-
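Review bot: The new comment line "Read /usr/share/doc/debian-edu-config/README.public_html_with_PHP-CGI.md" names a file that this series does not install; the Makefile hunk installs README.public_html_with_PHP-CGI+suExec.md (the name debian/NEWS uses as well), so the comment should be corrected or the pointer leads nowhere. Second, `php_admin_flag engine off` is a mod_php directive placed unconditionally inside <IfModule mod_userdir.c>; on a host where no libapache2-mod-php module is loaded, Apache treats it as an unknown directive and refuses to start. Guarding it with an <IfModule> for the PHP module (the module name follows the shipped PHP version) keeps the mitigation without that failure mode; please run apache2ctl configtest with and without the PHP module loaded.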



View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/bb669429dc3c803a64adeae3b1496f869dca7f38...a9e805a67f0d740022c4914aba9f135f380ddef5
