[debian-edu-commits] [Git][debian-edu/debian-edu-config][master] 5 commits: share/debian-edu-config/tools/setup-freeradius-server: Fix integer comparison...
Mike Gabriel (@sunweaver)
gitlab at salsa.debian.org
Wed Jan 19 20:24:21 GMT 2022
Mike Gabriel pushed to branch master at Debian Edu / debian-edu-config
Commits:
0fbdc920 by Mike Gabriel at 2022-01-14T22:50:33+01:00
share/debian-edu-config/tools/setup-freeradius-server: Fix integer comparison in run-by-root check. Script was not executable fully (not even as root).
- - - - -
dee8b9df by Mike Gabriel at 2022-01-15T23:20:31+01:00
etc/apache2/mods-available/debian-edu-userdir.conf: White-space cleanup (tabs and spaces mixed).
- - - - -
4d39a588 by Mike Gabriel at 2022-01-15T23:22:04+01:00
etc/apache2/mods-available/debian-edu-userdir.conf: Disable built-in PHP engine.
- - - - -
760d450c by Mike Gabriel at 2022-01-19T21:20:00+01:00
README.public_html_with_PHP-CGI+suExec.md: Provide documentation on how to enable suExec support in https userdirs (i.e. ~/public_html).
- - - - -
6bd42c5e by Mike Gabriel at 2022-01-19T21:22:40+01:00
etc/apache2/mods-available/debian-edu-userdir.conf: Add warning to not re-enable PHP interpretation in user dirs (with reference to our README).
- - - - -
5 changed files:
- Makefile
- + README.public_html_with_PHP-CGI+suExec.md
- debian/changelog
- etc/apache2/mods-available/debian-edu-userdir.conf
- share/debian-edu-config/tools/setup-freeradius-server
Changes:
=====================================
Makefile
=====================================
@@ -238,6 +238,7 @@ install: install-testsuite
done
$(INSTALL_DATA) README $(DESTDIR)$(docdir)/README
+ $(INSTALL_DATA) README.public_html_with_PHP-CGI+suExec.md $(DESTDIR)$(docdir)/README.public_html_with_PHP-CGI+suExec.md
set -e ; for cf3 in $(CF3FILES); do \
$(INSTALL_DATA) cf3/$$cf3 $(DESTDIR)$(cf3dir)/$$cf3; \
=====================================
README.public_html_with_PHP-CGI+suExec.md
=====================================
@@ -0,0 +1,137 @@
+# Debian Edu and PHP scripts in ~/public_html
+
+This is about the Apache2 configuration on the Debian Edu mainserver (aka
+``tjener.intern``).
+
+## Security Notices and Warnings
+
+The configuration file
+``/etc/apache2/mods-available/debian-edu-userdir.conf`` disables the
+Apache2 built-in PHP support for PHP scripts in user directory (i.e. in
+web pages served via ~/public_html).
+
+This is for a reason, as Apache2's default system account ``www-data``
+has certain privileges on the Debian Edu main-server that we don't want to
+expose to arbitrary code in some ``~/public_html`` directory.
+
+If people shall be able to execute PHP (or other CGI scripts) from
+``~/public_html`` for studying purposes, then they should be executed
+with the script file owner's user privileges.
+
+Do not use this method if it is not required to interpret PHP code from
+within ~/public_html directories. This method (opposed to Apache2's
+built-in PHP support) exposes user home directories to data manipulation
+risks (in case users create bad code in their ~/public_html scripts).
+Also, this method turns Apache2's PHP interpretation into some rather
+performance wasting mode (libapach2-mod-phpX -> phpX-cgi).
+
+## Test built-in PHP
+
+Here is a simply PHP script for testing proper interpretation and
+checking that the suExec'ing really works
+
+```
+<?php
+
+print "hello, this script runs as user '";
+system("id -u -n");
+print "'<br>";
+
+?>
+```
+
+Place this script as e.g. ~/public_html/id.php into your HOME directory and
+make sure that everyone can access this file. A restrictive permission example
+is this:
+
+```
+<user>@tjener:~/public_html$ ls -al
+insgesamt 12
+drwx-----x 2 <user> <primgroup> 4096 19. Jan 20:35 .
+drwx-----x 20 <user> <primgroup> 4096 19. Jan 20:35 ..
+-rw----r-- 1 <user> <primgroup> 90 19. Jan 20:35 id.php
+```
+
+Now edit /etc/apache2/mods-available/debian-edu-userdir.conf on TJENER and
+set ``php_admin_flag engine on``.
+
+When opening the URL ``http://www.intern/~<user>/id.php`` it should show this simple web page:
+
+```
+hello, this script runs as user 'www-data '
+```
+
+As enabling the built-in PHP engine (running as user www-data) is
+considered insecure on the Debian Edu main-server (aka TJENER), here
+follows the promised alternative setup.
+
+## Enable PHP CGI with suExec
+
+Install Apache2, PHP, suExec and support for executing pseudo-binaries.
+
+```
+<user>@tjener:~/public_html$ sudo apt-get install apache2-suexec-pristine php-cgi binfmt-support
+```
+
+Configure PHP to run ``.php`` scripts from the shell.
+
+```
+<user>@tjener:~/public_html$ sudo update-binfmts --install PHP /usr/bin/php-cgi --extension php
+```
+
+Enable the necessary suExec Apache module:
+
+```
+<user>@tjener:~/public_html$ sudo a2enmod suexec
+```
+
+Re-configure the ``debian-edu-userdir.conf`` module as follows:
+
+```
+--- a/etc/apache2/mods-available/debian-edu-userdir.conf
++++ b/etc/apache2/mods-available/debian-edu-userdir.conf
+@@ -8,6 +8,12 @@
+ # Read /usr/share/doc/debian-edu-config/README.public_html_with_PHP-CGI.md
+ php_admin_flag engine off
+
++ Options +ExecCGI
++ <FilesMatch "\.php$">
++ SetHandler cgi-script
++ SetEnv REDIRECT_STATUS 1
++ </FilesMatch>
++
+ AllowOverride FileInfo AuthConfig Limit
+ Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
+ <Limit GET POST OPTIONS>
+```
+
+Reload the Apache configuration.
+
+```
+<user>@tjener:~/public_html$ sudo /etc/init.d/apache2 force-reload
+```
+
+## User Permissions on userdir PHP files
+
+Finally, userdir PHP scripts in ``~/public_html`` must not be writeable
+by group or others. If otherwise, their execution gets blocked by
+Apache2.
+
+Also, their executable bit must be set.
+
+See example below:
+
+```
+<user>@tjener:~/public_html$ find ~/public_html -name "*.php" -exec chmod 0700 {} \;
+```
+
+This will turn our ``~/public_html`` test directory to:
+
+```
+<user>@tjener:~/public_html$ ls -al
+insgesamt 12
+drwx-----x 2 <user> <primgroup> 4096 19. Jan 20:35 .
+drwx-----x 20 <user> <primgroup> 4096 19. Jan 20:35 ..
+-rwx------ 1 <user> <primgroup> 90 19. Jan 20:35 id.php
+
+```
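Review bot: the "Test built-in PHP" section instructs the reader to set `php_admin_flag engine on` in debian-edu-userdir.conf but never says to set it back to `off` before moving on to the suExec setup, whose embedded diff shows `php_admin_flag engine off` as unchanged context; add an explicit "revert to `engine off`" step at the end of that section so the tested-and-then-hardened sequence is unambiguous. The comment line in the embedded diff (`# Read /usr/share/doc/debian-edu-config/README.public_html_with_PHP-CGI.md`) also names a file that differs from this one (`README.public_html_with_PHP-CGI+suExec.md`, as installed by the Makefile hunk). Minor wording: "simply PHP script" should read "simple PHP script", and "libapach2-mod-phpX" is missing an "e".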
=====================================
debian/changelog
=====================================
@@ -10,6 +10,9 @@ debian-edu-config (2.12.16) UNRELEASED; urgency=medium
* MATE screensaver: Offer "logout user" button on screensaver dialog after
40min of inactivity and allow other users to salvage a workstation from
an idle user (session).
+ * share/debian-edu-config/tools/setup-freeradius-server: Fix integer
+ comparison in run-by-root check. Script was not executable fully (not even
+ as root).
-- Mike Gabriel <sunweaver at debian.org> Fri, 14 Jan 2022 22:21:27 +0100
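Review bot: the changelog entry only records the setup-freeradius-server fix, while this push also disables the built-in PHP engine in debian-edu-userdir.conf, adds the README.public_html_with_PHP-CGI+suExec.md documentation and installs it via the Makefile. Disabling PHP interpretation in ~/public_html is a user-visible behaviour change on the main server and should get its own changelog line pointing administrators at the new README.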
=====================================
etc/apache2/mods-available/debian-edu-userdir.conf
=====================================
@@ -1,16 +1,21 @@
<IfModule mod_userdir.c>
- UserDir public_html
- UserDir disabled root
+ UserDir public_html
+ UserDir disabled root
+
+ <Directory /skole/*/home*/*/public_html>
+
+ # Do not enable the built-in PHP engine here...
+ # Read /usr/share/doc/debian-edu-config/README.public_html_with_PHP-CGI.md
+ php_admin_flag engine off
+
+ AllowOverride FileInfo AuthConfig Limit
+ Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
- <Directory /skole/*/home*/*/public_html>
- AllowOverride FileInfo AuthConfig Limit
- Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
<Limit GET POST OPTIONS>
Require all granted
</Limit>
<LimitExcept GET POST OPTIONS>
Require all denied
</LimitExcept>
- </Directory>
+ </Directory>
</IfModule>
-
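Review bot: `php_admin_flag engine off` is a mod_php directive; if the PHP Apache module is not loaded on a given main server, Apache refuses to start on an unknown directive, so consider wrapping that line in an `<IfModule>` guard for the PHP module (the rest of the file already uses `<IfModule mod_userdir.c>`), which keeps the hardening while not turning a missing module into an outage. The comment above it references `README.public_html_with_PHP-CGI.md`, but the file added and installed in this push is `README.public_html_with_PHP-CGI+suExec.md`; the path should match so the pointer resolves under /usr/share/doc/debian-edu-config/.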
=====================================
share/debian-edu-config/tools/setup-freeradius-server
=====================================
@@ -28,7 +28,7 @@ echo "-------------------------------------------------------------------------"
fi
# Check execute permission.
-if [ ! -d $DIRNAME ] && [ $(id -u) > 0 ]; then
+if [ ! -d $DIRNAME ] && [ $(id -u) -gt 0 ]; then
echo "Please run $0 as root or use sudo, exiting."
exit 0
fi
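Review bot: the fix is correct: in the old line `[ $(id -u) > 0 ]` the `>` was a shell redirection, so the test received a single non-empty argument (always true) and a file named `0` was created in the working directory, which is why the script refused to run even as root. While touching this line, `exit 0` on the "please run as root" path makes the failure look like success to callers and wrappers; `exit 1` would be the conventional choice, and `$DIRNAME` should be quoted (`[ ! -d "$DIRNAME" ]`) in case it is empty or contains whitespace.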
View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/10345d0f6d55a0982f08b74160d28e9ac743c4fc...6bd42c5ef8abf415d331d3f135295357d24746d8