[Sussex] LAMP Security (Fairly long post...)

Nico Kadel-Garcia nkadel at gmail.com
Sat Jan 6 12:38:08 UTC 2007


Matthew Macdonald-Wallace wrote:
> Morning all,
>
> I'm reading a series of articles on Security Focus by Artur Maj on how
> to secure Apache, MySQL and PHP whilst keeping them all together.  I'm
> setting up a secure LAMP box from scratch on my laptop and as usual with
> these kinds of things, I've come away asking more questions than I
> started with, so I'm hoping that someone will be able to answer them for
> me:
>
> 1) Which version of Apache do people prefer for business critical
> systems?  In the article on setting up Apache
> ( http://www.securityfocus.com/infocus/1694 ), Maj appears to be using
> Apache 1.3.7, however on the apache website there are versions for
> 1.x.x, 2.0.x and 2.2.x.  Is there an "industry standard" at the moment,
> or is it just a case of what you're comfortable with/stick with what you
> know?
>   
Current OS releases are all Apache 2.2. Trying to maintain plug-ins or 
new tools with 1.3.x is very awkward, especially if you use Perl for 
anything and have to deal with mod_perl. Kerberos and LDAP integration 
have gotten much better in 2.x, so user authentication has gotten easier 
to manage.

Beware the tendency of plug-ins to use unencrypted HTTP for logins by 
default, and of some software to store passwords in clear-text. 
Subversion, for example, stores passwords locally in clear-text in its 
UNIX/Linux clients, which I consider amazingly stupid, and insist on 
using SSH+svnserve to avoid this.
> 2) When talking about PHP (http://www.securityfocus.com/infocus/1706),
> Maj recommends compiling PHP as a static module as this is, in his view,
> the best option for both security and performance.  Maj points out that
> this would mean a complete recompile of httpd should you need to upgrade
> - as I understand it, this means that you would need significant
> down-time every time you upgraded anything.  I have always used PHP as a
> dynamic module, only recompiling the module if there is a "feature" in
> PHP that could lead to vulns/exploits.  Again, what do people suggest?
> Save time on the down-time and compile as a dynamic module, or compile
> as a dynamic module and risk the security issues that appear to come
> from this (according to Maj)?
>   
Fedora Core and RedHat are moving away from static libraries wherever 
possible, for exactly this kind of reason. But doing an HTTPD restart is 
pretty easy: RPM and apt both support easy installations and automatic 
restarts of daemons.

What package management are you using?
> 3) The article on MySQL (http://www.securityfocus.com/infocus/1726)
> talks about using chrootuid to run the server as mysql in a chroot jail,
> however I'm having real issues with this.  I've followed the
> instructions to the letter, creating the dirs and copying the files
> however every time I try and run the command to launch mysql:
>
>  chrootuid /chroot/mysql \
> mysql /chroot/mysql/usr/local/mysql/libexec/mysqld &
>
> I get the following in /var/log/syslog:
>
> /chroot/mysql/usr/local/mysql/libexec/mysqld: No such file or directory
>   
I haven't used this stunt, but I'd suggest:

 chrootuid /chroot/mysql mysql /usr/local/mysql/libexec/mysqld &


You see the difference?
> The file exists, the permissions are as follows:
>
> -rwxr-xr-x 1 root mysql 4989964 2007-01-05 22:42 mysqld
>
> but I can't get it to work.  Can anyone help me with this?
>
>
> My final question is that I've noticed that these articles were written
> in 2003/2004, does anyone know of any other tutorials that I could
> follow in order to learn more about securing LAMP boxes? I'm currently
> running Ubuntu, however I've only just switched from Gentoo and I'm
> perfectly comfortable with the command line and installing stuff from
> tarballs so I'm happy to look at just about anything tutorial wise! :)
>   
The UNIX Security book by Simson Garfinkel is OK for security concepts, 
but awful for actually telling you how to do things and negotiate the 
trade-offs. (I went to school with Simson: we've "discussed" the matter 
previously.)

The Linux Security Cookbook is a godsend for basic security, and I 
recommend it for both good security recipes and for walking you through 
how to do things.
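A pre-flight check for that chrootuid command line, added here as an example and not taken from the post or from chrootuid itself. chrootuid calls chroot() before it exec()s the command, so the path it is given is looked up inside the jail; a host-side path like the one in the question fails with exactly the "No such file or directory" seen in syslog. The function name chroot_path_check, the throwaway demonstration jail built with mktemp, and the default user "mysql" are this example's own assumptions.

```shell
#!/bin/sh
# Pre-flight check for a chrootuid command line.  chrootuid does chroot(),
# then setuid(), then exec(), so the command path it is given is looked up
# inside the new root, not on the host.  This script is an added example,
# not code from the original post or from chrootuid itself.
#
# Usage: chroot_path_check NEWROOT JAIL_RELATIVE_COMMAND [USER]
#   Prints the chrootuid invocation and returns 0 when the command exists,
#   is executable, and (where ldd is available) has all of its shared
#   libraries present under NEWROOT.  Returns 1 with a diagnostic otherwise.
chroot_path_check() {
    root=${1%/}      # drop a trailing slash so "$root$cmd" is well formed
    cmd=$2
    user=${3:-mysql} # the post runs mysqld as user "mysql" (assumed default)

    if [ -z "$root" ] || [ ! -d "$root" ]; then
        echo "error: jail root '$1' is not a directory" >&2
        return 1
    fi
    case "$cmd" in
        /*) ;;
        *)  echo "error: command must be an absolute path inside the jail: $cmd" >&2
            return 1 ;;
    esac

    # The mistake in the original post: a host-side path that already
    # includes the jail prefix.  After chroot() it would resolve to
    # $root$cmd, which does not exist, hence "No such file or directory".
    case "$cmd" in
        "$root"/*)
            echo "error: $cmd already starts with the jail root $root" >&2
            echo "       inside the jail it would resolve to $root$cmd" >&2
            echo "       use the jail-relative path: ${cmd#"$root"}" >&2
            return 1 ;;
    esac

    if [ ! -f "$root$cmd" ]; then
        echo "error: $root$cmd does not exist (jail-relative path $cmd)" >&2
        return 1
    fi
    if [ ! -x "$root$cmd" ]; then
        echo "error: $root$cmd is not executable" >&2
        return 1
    fi

    # A dynamically linked binary also fails with ENOENT if its ELF
    # interpreter or a shared library is missing from the jail.  Check the
    # jail copy's dependencies against the jail tree where ldd exists.
    # (ldd may run the binary's loader, so only use it on trusted builds.)
    if command -v ldd >/dev/null 2>&1; then
        missing=0
        for lib in $(ldd "$root$cmd" 2>/dev/null); do
            case "$lib" in
                /*) [ -e "$root$lib" ] || {
                        echo "error: $lib not present under $root" >&2
                        missing=1
                    } ;;
            esac
        done
        [ "$missing" -eq 0 ] || return 1
    fi

    echo "chrootuid $root $user $cmd"
    return 0
}

# Demonstration on a constructed, empty jail (no real mysqld is needed).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/local/mysql/libexec"
: > "$demo_root/usr/local/mysql/libexec/mysqld"
chmod 755 "$demo_root/usr/local/mysql/libexec/mysqld"

# Host-side path, as in the post: rejected with an explanation.
chroot_path_check "$demo_root" "$demo_root/usr/local/mysql/libexec/mysqld" \
    || echo "(rejected, as expected)"
# Jail-relative path: accepted, prints the corrected command line.
chroot_path_check "$demo_root" /usr/local/mysql/libexec/mysqld

rm -rf "$demo_root"
```

The same ENOENT also shows up when a dynamically linked mysqld cannot find its ELF interpreter or one of its shared libraries inside the jail, which is why the ldd pass is there; the diagnostic names the missing file so you know what to copy under /chroot/mysql before trying again.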
