So the project I'm working on is deathly paranoid about file uploads.
In the scope of this question, I'm not using that term in regards to payloads; I'm talking confidentiality.
Programs can always crash and leave temporary files loafing around in the filesystem. That's normal. The slightly confidentiality-paranoid can write a cronjob that hits the temporary file folder every few minutes and deletes anything older than a few seconds prior to the cronjob call (not everything, simply because otherwise it might catch a file in process of being uploaded).
...unfortunately, we take this paranoid a step further:
Ideally, we'd love to never see temporary files from file uploads anywhere but in process-associated RAM.
Is there a way to teach PHP to look for temporary file as blobs in memory rather than in the filesystem? We use PHP-FPM as a CGI handler and Apache as our webserver, in case that makes it any easier. (Note also: 'Filesystem' is the keyword here, rather than 'disc', since there are of course ways to map the filesystem to RAM, but that doesn't fix the accessibility and automatic post-crash-clean-up issue.)
Alternatively, is there a way these temporary files can be encrypted immediately when they're being written to disc, so that they're never held in the file system without encryption?
I can unfortunately only accept one answer - but to anyone reading this, the entire thread is extremely valuable and contains the collective insights of many people. Depending on what you are hoping to achieve, the accepted answer may not be interesting to you. If you've come here through a search engine, please take a moment to read the whole thread.
Here is a compilation of usecases as I see them for quick reference:
RAM instead of disc (e.g. due to I/O concerns) → RAMdisk/comparable (plasmid87, Joe Hopfgartner)
Immediate (per-filesystem-user) encryption → encFS (ADW) (+ a gotcha as per Sander Marechal)
Secure file permissions → restrictive native Linux permissions (optionally per vhost) (Gilles) or SELinux (see various comments)
Process-attached memory instead of filesystem (so a process crash removes the files) (originally intended by the question)
don't let the file data reach PHP directly → reverse-proxy (Cal)
disable PHP writing to the filesystem → see PHP bug link in this answer (Stephan B) or run PHP in CGI mode (Phil Lello)
write-only files → /dev/null
filesystem (Phil Lello) (this is useful if you have access to the data as a stream additionally but cannot turn off the file-writing functionality that runs in parallel; whether PHP allows this is unclear)
Below are the steps for a complete change from Apache PHP module to PHP-FPM for processing, and optimising Apache to use mpm_events instead of mpm_prefork. First, we need to install PHP-FPM, configure Apache to route .php processing to PHP-FPM, then optimise the number of PHP-FPM threads.
Processing PHP is slow and clunky on Apache Modules, therefore people move to NGINX for higher HTTP response concurrency. Apache has something similar called mpm_events, to use this we need to disable the Apache PHP module.
If you have deployed a LEMP ( Linux, NGINX, MySQL/MariaDB, and PHP) stack, then you are probably using FastCGI proxying within NGINX (as an HTTP server), for PHP processing. PHP-FPM (an acronym of FastCGI Process Manager) is a widely-used and high-performance alternative PHP FastCGI implementation.
Recently, all our PHP websites on one of our LEMP web servers became slow and eventually stopped responding on logging into the server. we discovered that the system was running low on RAM: PHP-FPM had consumed most of the RAM, as indicated in the following screenshot ( glances – system monitoring tool ).
Have you considered putting a layer between the user and the web server? Using something like perlbal with some custom code in front of the web server would allow you to intercept uploaded files before they are written anywhere, encrypt them, write them to a local ramdisk and then proxy the request on the the web server proper (with the filename and decryption key to the files).
If the PHP process crashes, the encrypted file is left around but can't be decrypted. No unencrypted data gets written to (ram)disk.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With