3

I'm a teaching assistant in software security and running a server that is vulnerable by design.

It's an nginx server, and it has 40 ports open. Each port serves a web application, and all the web applications are very vulnerable to hacking. If one web application is compromised, the attacker will gain the privileges of the www-data user, and the attacker will then be able to compromise the other 39 web applications. Is there any way I can keep this from happening? I don't want the attacker to gain access rights beyond the single hacked web application.

Hardware limitations on the server make Docker unfeasible, let alone VMs.

Magnus
  • 1
    Possible duplicate of [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – deagh Jan 15 '18 at 08:18
  • My scenario is very different. I edited the question. – Magnus Jan 15 '18 at 08:23
  • 2
    You can fairly easily isolate the applications and application data by having each application run under its own UID and then normal file-system permissions may already be sufficient to prevent one application from modifying the data of the others. – HBruijn Jan 15 '18 at 08:46
  • @HBruijn this is essentially the correct answer. – Simon Greenwood Jan 15 '18 at 09:44
  • @HBruijn How should the questioner do that? Apache offers [suEXEC](http://httpd.apache.org/docs/2.4/suexec.html), but that's only for CGI and SSI programs. – Andrew Schulman Jan 17 '18 at 14:12
  • 1
    For static content there is no issue; in nginx, dynamic content such as PHP scripts gets handled by php-fpm, which allows an admin to start workers with different uid/gid/chroot/environment, listening on different ports and using different php.ini files. @AndrewSchulman – HBruijn Jan 17 '18 at 14:37
  • Anything that will run 40 web applications at the same time will run Docker. – Michael Hampton Jan 20 '18 at 03:07
  • Somewhat concerning this question is not only relevant in education but also to many web hosting companies. – kasperd Jan 21 '18 at 16:43
  • @MichaelHampton The server has other roles besides nginx web hosting. I have a few hundred MBs of RAM to spare. Would that suffice to host 40 docker containers? – Magnus Jan 21 '18 at 18:21

2 Answers

3

> If one web application is compromised, the attacker will gain the privileges of the www-data user, and the attacker will then be able to compromise the other 39 web applications. Is there any way I can keep this from happening?

Yes. Don't do that. There's absolutely no reason to run unrelated applications as a single user. There's over 65,000 available user IDs on a typical Unix-like system, and you should take advantage of them. How to do that is dependent on the specific application and the technologies it uses, which would be best asked in a separate question.

womble
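The per-application UID approach from HBruijn's comments and the answer above, as an added example that is not code from any poster: a shell script that creates one account, one locked-down directory and one php-fpm pool per port. The paths, the `app<port>` naming and the port numbers passed on the command line are assumptions; nginx is assumed to keep running as www-data.

```shell
#!/bin/sh
# Added example: one Unix account and one php-fpm pool per application port.
# Assumed (not from the thread): the paths below and the app<port> naming.
APPS_ROOT=${APPS_ROOT:-/srv/apps}
POOL_DIR=${POOL_DIR:-/etc/php/fpm/pool.d}   # assumed; distro-specific
NGINX_DIR=${NGINX_DIR:-/etc/nginx/conf.d}

# php-fpm pool: PHP for this port runs as app<port>, never as www-data.
pool_conf() {
cat <<EOF
[app$1]
user = app$1
group = app$1
listen = /run/php/app$1.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
; ondemand keeps idle pools at zero workers, which matters on a small box
pm = ondemand
pm.max_children = 2
pm.process_idle_timeout = 10s
php_admin_value[open_basedir] = $APPS_ROOT/$1/
EOF
}
# nginx server block: this port talks only to its own pool's socket.
nginx_conf() {
cat <<EOF
server {
    listen $1;
    root $APPS_ROOT/$1/public;
    location ~ \.php\$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        fastcgi_pass unix:/run/php/app$1.sock;
    }
}
EOF
}
provision() {
    id "app$1" >/dev/null 2>&1 ||
        useradd --system --user-group --no-create-home --shell /usr/sbin/nologin "app$1"
    # owner = the app, group = nginx (reads static files), other apps = no access
    install -d -o "app$1" -g www-data -m 0750 "$APPS_ROOT/$1" "$APPS_ROOT/$1/public"
    pool_conf "$1" > "$POOL_DIR/app$1.conf"
    nginx_conf "$1" > "$NGINX_DIR/app$1.conf"
}
# Run as root: sh isolate.sh apply 8001 8002 ...   (port numbers are placeholders)
if [ "${1:-}" = "apply" ]; then
    shift; for port in "$@"; do provision "$port"; done
fi
```

After applying, validate with `nginx -t` and reload both nginx and php-fpm; a shell obtained through one application then runs as that application's account and cannot enter the other 39 directories.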
0

It sounds like a unique situation for apps, but I'd ask this of the developers: if the app is a PHP app, why can't they use $_SERVER['SERVER_PORT'] to get the current port for the current app, and cordon off data accordingly? This can be added as a check at the top of a PHP program, and if something untoward is observed, just exit(); or do something that clearly prohibits the undesirable behaviour. How precisely to do this depends on the application.

Khom Nazid