MRatWork Forum by Mustafa Ramadhan
Sawo Project - Kloxo-MR Discussions => Kloxo-MR Development => Topic started by: chrisf on 2014-07-19, 00:42:49
-
Mustafa,
After a security audit of one of our production servers I was informed of the GREAT potential for session hijacking when all users' session files are sent to one directory.
It would be easy with the php-fpm setup to point the session dir to /home/{user}/session and add this directory to the skeleton, or add its creation during new user creation.
I would consider this; it makes php even more secure and separate for each user.
-
Have you considered this, Mustafa?
-
Session inside /home/httpd/<user>. Need to update the php config for every user in the panel.
-
I have the latest 6.5.1b and ran cleanup. No change to the session setting for php.
-
Go to 'Advanced php configure' for every client and then click 'update'.
-
Every client? What? Why does fixphp not do this?
-
Because each client (user in php context) has their own php config.
-
Updating in advanced php per client doesn't change anything. There appears to be no change to anything at all.
-
Mustafa, this is the easiest way to implement this feature.
In php53-fpm-pool.conf.tpl you have the same line twice:
php_admin_value[session.save_path] = <?php echo $session_save_path_flag; ?>
Remove the first one, then change:
php_admin_value[max_input_vars] = <?php echo $max_input_vars_flag; ?>
php_admin_value[session.save_path] = <?php echo $session_save_path_flag; ?>
change to:
php_admin_value[max_input_vars] = <?php echo $max_input_vars_flag;
// create a private per-user session dir; mode 0700 so other pools/users cannot list or read the session files
if (!file_exists("/home/{$user}/php_session")) {
    mkdir("/home/{$user}/php_session", 0700);
    // builtin chown/chgrp instead of shell_exec("/bin/chown ..."): $user is never interpolated into a shell command
    chown("/home/{$user}/php_session", $user);
    chgrp("/home/{$user}/php_session", $user);
}
?>
php_admin_value[session.save_path] = /home/<?=$user;?>/php_session
Perfect! Now fixphp creates php_session in the /home/{user} directory, changes ownership properly, and sets session.save_path correctly.
HOW EASY IS THAT?
-
What do you think?
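The approach proposed in this thread, a private session directory per panel user enforced through php_admin_value in the FPM pool, as an added example. This is not code from Kloxo-MR or from any post above; it assumes the /home/<user>/php_session layout suggested above, that the panel user has a system account of the same name, and that it runs as root (needed for chown). The function names and the audit check are my own additions.

```php
<?php
// Added example, not Kloxo-MR code. Assumptions: home dirs live under
// /home/<user>, the system account has the same name as the panel user,
// and this runs as root so that chown() succeeds.

function validate_username(string $user): string
{
    // The name ends up in a filesystem path and in a pool config file, so
    // reject anything that is not a plain account name (no '/', '..', spaces).
    if (!preg_match('/^[a-z][a-z0-9_-]{0,31}$/', $user)) {
        throw new InvalidArgumentException("refusing unsafe username: $user");
    }
    return $user;
}

function session_dir_for(string $user, string $homeRoot = '/home'): string
{
    return $homeRoot . '/' . validate_username($user) . '/php_session';
}

function ensure_session_dir(string $user, string $homeRoot = '/home'): string
{
    $dir = session_dir_for($user, $homeRoot);
    if (!is_dir($dir)) {
        // 0700: only the owning user (and root) can list or read sess_* files.
        if (!mkdir($dir, 0700, true) && !is_dir($dir)) {
            throw new RuntimeException("cannot create $dir");
        }
    }
    // Tighten a pre-existing directory too; one created earlier under the
    // default umask is typically 0755 and therefore world-listable.
    chmod($dir, 0700);
    if (posix_geteuid() === 0) {
        // Builtin chown/chgrp rather than shell_exec("/bin/chown ..."):
        // the username is never interpolated into a shell command.
        if (!chown($dir, $user) || !chgrp($dir, $user)) {
            throw new RuntimeException("cannot chown $dir to $user");
        }
    }
    return $dir;
}

function pool_session_lines(string $user, string $homeRoot = '/home'): string
{
    $dir = session_dir_for($user, $homeRoot);
    // php_admin_value cannot be overridden from a script with ini_set(),
    // unlike php_value, so a customer cannot point sessions back at /tmp.
    return "php_admin_value[session.save_path] = {$dir}\n";
}

// Audit check: returns a list of problems, empty when the directory is
// private to the expected user. Useful after running fixphp on a server
// that previously shared one session directory.
function audit_session_dir(string $user, string $homeRoot = '/home'): array
{
    $dir = session_dir_for($user, $homeRoot);
    if (!is_dir($dir)) {
        return ["missing: $dir"];
    }
    $problems = [];
    $mode = fileperms($dir) & 0777;
    if ($mode & 0077) {
        $problems[] = sprintf('%s is group/world accessible (%04o)', $dir, $mode);
    }
    $owner = posix_getpwuid(fileowner($dir));
    if ($owner === false || $owner['name'] !== $user) {
        $problems[] = "$dir is not owned by $user";
    }
    return $problems;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    // Usage: php per_user_session.php <username>
    ensure_session_dir($argv[1]);
    echo pool_session_lines($argv[1]);
    foreach (audit_session_dir($argv[1]) as $problem) {
        fwrite(STDERR, "WARN: $problem\n");
    }
}
```

Two caveats worth checking on a real server. First, the pool's open_basedir (if set) must include the new session path, which /home/<user>/php_session satisfies when the pool is already confined to the user's home. Second, distributions that clean the default session directory with a cron job rather than PHP's own garbage collector will not touch these per-user directories, so confirm that session.gc_probability is non-zero for the pool or old sess_* files will accumulate.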