wordpress_ynh

Jail wordpress with a chroot

Open zamentur opened this issue 8 years ago • 4 comments

As explained here, we should improve the security of wordpress_ynh specifically. https://forum.yunohost.org/t/virus-qui-envoie-des-mails-en-masse-spam/3330/5?u=ljf

I suggest chrooting the whole environment of WordPress. That way it will be more difficult to succeed in privilege escalation.

zamentur Aug 14 '17 10:08

Php-fpm allows using a chroot for its processes, by using the chroot option and by setting chdir to / to reflect the new root directory.

But it seems we also have to change the configuration of SCRIPT_FILENAME in the nginx config file. I tried to change the variable to fastcgi_script_name instead of request_filename. I also tried to prefix the variable with / and with the full path. Nothing works, I always get the same error: "File not found." from curl and "Primary script unknown" in the log file.

I don't know what else I can try...

maniackcrudelis Aug 14 '17 19:08

So, today I made some other tests about chrooting with php-fpm. It almost works, but I think it's really too complicated to be used for our apps.

Let's see what I have found out:

  • You need a sub dir, you have to use /var/www/wordpress/wordpress instead of /var/www/wordpress because the chroot will be set on the parent directory.
  • In the fpm config, just change chroot = /var/www/wordpress and chdir = /
  • And in the nginx config, change fastcgi_param SCRIPT_FILENAME $request_filename; to fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;

For information, you can see the content of a variable by echo "fastcgi_script_name: $fastcgi_script_name";
That's how I found out we have to use $fastcgi_script_name.

With these simple changes, it works. If you use a minimalist PHP script... Because it's a real chroot, there's nothing other than what you put in the directory. No database, no mail, no external programs, nothing... That means you have to copy everything your app needs into the directory, and modify the way it finds the database (without using a socket).

So, yes, it would be really better for security, but it's almost impossible for most of our packagers. And it would be really hard for support.

maniackcrudelis Oct 07 '17 14:10
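
An added illustration, not code from this thread or from YunoHost: a small model of how a chrooted php-fpm worker resolves SCRIPT_FILENAME, showing why the full host path in $request_filename gives "Primary script unknown" while the URI path in $fastcgi_script_name is found, and which outside resources vanish inside the jail. The temporary directory layout, the /wordpress/ URL prefix and the dependency paths are constructed assumptions.

```python
import os
import tempfile

def host_path(chroot, path_inside):
    """Host-side path a chrooted php-fpm worker opens for path_inside.

    After chroot(), every absolute path is resolved under the new root,
    and ".." cannot climb above it (symlinks are not modelled here).
    """
    inside = os.path.normpath("/" + path_inside.lstrip("/"))
    return os.path.join(chroot, inside.lstrip("/"))

def script_found(chroot, script_filename):
    """True if php-fpm would find the primary script inside the jail."""
    return os.path.isfile(host_path(chroot, script_filename))

def missing_in_chroot(chroot, needed):
    """Paths the app expects that do not exist inside the jail."""
    return [p for p in needed if not os.path.exists(host_path(chroot, p))]

def build_demo(base):
    """Constructed layout: <base>/var/www/wordpress/wordpress/index.php."""
    chroot = os.path.join(base, "var/www/wordpress")
    os.makedirs(os.path.join(chroot, "wordpress"))
    with open(os.path.join(chroot, "wordpress", "index.php"), "w") as f:
        f.write("<?php echo 'ok';\n")
    return chroot

def demo():
    with tempfile.TemporaryDirectory() as base:
        chroot = build_demo(base)
        # $request_filename is the full host path nginx resolved.
        request_filename = os.path.join(chroot, "wordpress/index.php")
        # $fastcgi_script_name is the URI path (assumed app URL: /wordpress/).
        fastcgi_script_name = "/wordpress/index.php"
        return {
            "request_filename": script_found(chroot, request_filename),
            "fastcgi_script_name": script_found(chroot, fastcgi_script_name),
            # Constructed dependency list: Debian-style MySQL socket and sendmail.
            "missing": missing_in_chroot(
                chroot, ["/var/run/mysqld/mysqld.sock", "/usr/sbin/sendmail"]),
        }

if __name__ == "__main__":
    print(demo())
```

The same `missing_in_chroot` check can be pointed at a real jail directory with the list of sockets and binaries an app relies on, before switching the pool to chroot mode.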

:up: @maniackcrudelis did you make another test?

Does anyone else have in mind another (simpler) solution to chroot the WordPress install/process?

lapineige Feb 11 '19 11:02

No, never tried it again.

maniackcrudelis Feb 11 '19 11:02