2

I use PHP-FPM in a shared hosting configuration. Each FPM pool runs as a different user. Apache runs as www-data. Apache connects via a socket using mod_proxy_fcgi. I allow users to use .htaccess files.

How do I prevent a user from connecting to the wrong FPM pool?

The vhost looks something like this:

<VirtualHost *:80>
        ServerName foo.com
        DocumentRoot /var/www/sites/foo.com/html
        <FilesMatch "\.php$">
                SetHandler "proxy:unix:/var/run/foo-com-fpm.sock|fcgi://localhost"
        </FilesMatch>
</VirtualHost>

But, the foo-com user can easily override that handler from his .htaccess:

<FilesMatch "\.php$">
        SetHandler "proxy:unix:/var/run/bar-com-fpm.sock|fcgi://localhost"
</FilesMatch>

This would allow him to run PHP scripts as a different user. How can I prevent that, without disallowing FileInfo overrides?

Sander Marechal
  • There is a similar vulnerability with the `[P]` flag of `RewriteRule`, see this question: https://serverfault.com/questions/965288/shared-hosting-apache-rewriterule-p-flag-security-concern – Quinn Comendant May 28 '20 at 22:39

1 Answer

2

AllowOverrideList allows you to further restrict .htaccess directives to the specified list.

Quote from the docs:

When this directive is set to None and AllowOverride is set to None, then .htaccess files are completely ignored. In this case, the server will not even attempt to read .htaccess files in the filesystem.

Example:

AllowOverride None
AllowOverrideList Redirect RedirectMatch

In the example above, only the Redirect and RedirectMatch directives are allowed. All others will cause an internal server error.

Example:

AllowOverride AuthConfig
AllowOverrideList CookieTracking CookieName

In the example above, AllowOverride grants permission to the AuthConfig directive grouping and AllowOverrideList grants permission to only two directives from the FileInfo directive grouping. All others will cause an internal server error.

Quinn Comendant
fuero
  • I encountered a bug in Apache where setting `AllowOverride None` while specifying some directives in `AllowOverrideList …` would result in an internal server error if using any of the general directives that should be enabled if any overrides are specified. More info: https://serverfault.com/a/848981/180356 – Quinn Comendant May 29 '20 at 16:37
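Putting the answer together with the question's vhost, here is an added example (not configuration from the question, the answer or the Apache docs) of a vhost that keeps each site pinned to its own FPM socket while still letting the site owner use a limited set of .htaccess directives. The ServerName, DocumentRoot and socket path are the question's own; the particular list of directives re-enabled by AllowOverrideList is an assumption and should be adjusted per hosting setup. SetHandler and AddHandler are left out so the handler cannot be repointed at another pool's socket, and RewriteRule is left out because of the `[P]` flag concern linked in the comment on the question. The comment above reports an Apache bug with the AllowOverride None plus AllowOverrideList combination, so verify the result with a .htaccess test file on the installed Apache version.

```apache
# Added example, not from the original question or answer.
<VirtualHost *:80>
    ServerName foo.com
    DocumentRoot /var/www/sites/foo.com/html

    # Route PHP to this site's own pool (same as the question's vhost).
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/var/run/foo-com-fpm.sock|fcgi://localhost"
    </FilesMatch>

    <Directory /var/www/sites/foo.com/html>
        # "AllowOverride FileInfo" would grant SetHandler along with the rest
        # of the FileInfo group, so the whole group is switched off ...
        AllowOverride None

        # ... and only individually named directives are allowed back in.
        # SetHandler, AddHandler and RewriteRule are deliberately absent.
        # (Assumed list; extend it per site as needed.)
        AllowOverrideList Redirect RedirectMatch ErrorDocument DirectoryIndex Header FileETag

        Require all granted
    </Directory>
</VirtualHost>
```

With this in place, a .htaccess containing the SetHandler override from the question is rejected rather than applied: any directive not in AllowOverrideList produces an internal server error for that request, which is the behaviour the answer's quoted docs describe.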