Thibault Richard

Reputation: 382

Prevent overwriting of rules set to limit access with php-fpm

My configuration prevents users from browsing the file system thanks to limitations set up in php-fpm (How to disable open_basedir and allow_url_fopen in PHP).

I have recently discovered a hacked site with a tool installed to bypass this limitation.

The full explanations are on https://balsn.tw/ctf_writeup/20190323-0ctf_tctf2019quals/#wallbreaker-easy

It's basically a client/server FastCGI application that allows bypassing such restrictions. Thanks to this, the hacker was able to read some configuration files he wasn't allowed to see.

Is there a way to avoid this (except, of course, making a jail for php-fpm)?

Upvotes: -1

Views: 80

Answers (1)

Thibault Richard

Reputation: 382

It seems the most elegant solution on Ubuntu is the use of AppArmor (and, I guess, SELinux on Red Hat).

There is even a good working configuration described on https://kb.linuxlove.xyz/fpm-apparmor.html

Upvotes: 0
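To illustrate the AppArmor approach from the answer, here is an added example profile; it is not taken from the answer or from the linked article. The PHP version, binary path, web root, upload and session directories are all assumptions to adapt. Because the kernel enforces these rules on the php-fpm process itself, they hold whatever PHP settings a request manages to change.

```apparmor
# Added example: /etc/apparmor.d/php-fpm (file name and all paths are assumptions)
#include <tunables/global>

profile php-fpm /usr/sbin/php-fpm8.1 flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # The master process drops privileges to the pool user and owns the socket
  capability setuid,
  capability setgid,
  capability chown,
  capability kill,

  # Master and workers signal each other (reload, graceful stop)
  signal (send, receive) peer=php-fpm,

  # Binary, configuration, socket/pid directory, log file
  /usr/sbin/php-fpm8.1 mr,
  /etc/php/8.1/** r,
  /usr/lib/php/** mr,
  /run/php/ r,
  /run/php/** rwk,
  /var/log/php8.1-fpm.log w,

  # Site content: read-only code, writable uploads and sessions
  /var/www/** r,
  /var/www/*/uploads/** rwk,
  /var/lib/php/sessions/** rwk,
  /tmp/** rwk,

  # Anything not listed above is denied by default, so configuration
  # files elsewhere under /etc, /home or /root cannot be read.
  # Explicit denials below override the broad allow rules:
  # nothing written by PHP may be mapped as code or executed.
  deny /tmp/** mx,
  deny /var/www/*/uploads/** mx,
  deny /var/lib/php/sessions/** mx,
}
```

Load the profile with `apparmor_parser -r /etc/apparmor.d/php-fpm`, restart php-fpm, and confirm with `aa-status` that its processes are listed as confined. Running it under `aa-complain` first shows in the audit log which extra paths a given application needs before switching to enforce mode.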
