Using node.js to replace apache/nginx and execute php security

I've got a webserver written in node.js; it pretty much just serves the user with static files. To add PHP support to it I thought I could just download PHP and give PHP.exe the file. That works and will be sufficient if it were to be used by a single user. For an environment where multiple users would host their website on the server it'd however bring along a huge security issue. One could use a PHP script to do whatever he/she would want with any of the other websites or even the entire server.

Oh, did I mention it is a Windows server?

Anyways, so what I want is to get some permissions working to keep the PHP script within a specific directory. I'm thinking in the direction of creating a user for each website on which I'll apply the appropriate permissions and then when executing php.exe using something like 'run as' (assuming it is possible). Are there any other ways for me to achieve my goal? And if so would they be better? Why so?

Also if you're interested, my code looks like: http://pastebin.com/gZjN1mnj

Also I'm aware that $_POST, $_SERVER, $_COOKIE, $_SESSION etc. are all missing when using my server, but I've already thought of how to get that fixed and had one successful test with it.

Now I'm already feeling the responses: why the hell would you do that? OR don't, apache/nginx are better, etc. etc. Consider it a learning process, I was just interested whether I could get it all to actually work ^^

Thank you.

user6 asked Oct 07 '22 02:10


1 Answer

Congratulations on the mixed bag franken platform you're developing :)

Switch to Linux, use process.setuid

Node.js is a great webserver, so I can see the appeal. You're swimming upstream by running both node and PHP on Windows. If you have control I would switch over to Linux.

If you were running in Linux, Node has the built-in functions process.setgid and process.setuid. You have to be root to run these, but a node.js program could run as root, spawn a node process for each user, then jail itself and route all traffic to the child node processes that are jailed to specific users.

Have a specific php.ini for each user

You can use PHP safe mode, base_dir and other ini commands to try and jail PHP to a specific directory tree. This is flaky and incomplete and many of these features have been deprecated or removed in the latest releases because of bugs and ways around these. But it's trivial to pass in an ini file with your PHP command line call.

Use third-party RUNAS utility

To really have user security in Windows you'll have to run something like AutoIt RunAs http://www.autoitscript.com/autoit3/docs/functions/RunAs.htm

As opposed to the normal runas command this one lets you specify a password so it could be run from your node process.

Bryan Waters answered Oct 10 '22 14:10
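
A sketch of the Linux route from the answer above, combining a per-site account with a per-site php.ini. This is an added example, not code from the question or the answer. It assumes a Linux host, a Node parent running as root, `php` on the PATH and PHP's `open_basedir` directive; the site table and the function names `buildPhpSpawn` and `runPhp` are hypothetical.

```javascript
// Added example: site names, accounts and paths are constructed for illustration.
const { spawn } = require('child_process');
const path = require('path').posix; // uid/gid spawn options are POSIX-only

// Constructed table: one unprivileged account and one php.ini per hosted site.
const SITES = {
  'alice.example': { root: '/srv/sites/alice', uid: 2001, gid: 2001,
                     ini: '/etc/php/sites/alice.ini' },
  'bob.example':   { root: '/srv/sites/bob', uid: 2002, gid: 2002,
                     ini: '/etc/php/sites/bob.ini' },
};

// Build the php invocation for one request. Throws when the host is unknown
// or the decoded path resolves outside that site's root.
function buildPhpSpawn(host, urlPath) {
  if (!Object.prototype.hasOwnProperty.call(SITES, host)) {
    throw new Error('unknown site: ' + host);
  }
  const site = SITES[host];
  const decoded = decodeURIComponent(urlPath); // throws on malformed escapes
  if (decoded.includes('\0')) throw new Error('NUL byte in path');
  // Resolve "..", "." and doubled slashes, then require the result to sit
  // under root + "/" so /srv/sites/alice2 does not pass as /srv/sites/alice.
  const script = path.resolve(site.root, '.' + path.sep + decoded);
  if (!script.startsWith(site.root + path.sep)) {
    throw new Error('path escapes site root: ' + urlPath);
  }
  return {
    cmd: 'php',
    args: ['-c', site.ini, '-d', 'open_basedir=' + site.root, '-f', script],
    options: {
      cwd: site.root,
      uid: site.uid,          // child calls setuid/setgid before exec,
      gid: site.gid,          // so the parent must be running as root
      env: { PATH: '/usr/bin:/bin' }, // do not leak the server's environment
    },
  };
}

// Run the script as the site's own account. A real server should also
// fs.realpath() the script first, since symlinks are not resolved above.
function runPhp(host, urlPath) {
  const { cmd, args, options } = buildPhpSpawn(host, urlPath);
  return spawn(cmd, args, options);
}
```

The operating system account is what actually enforces the boundary here; the ini settings are a second layer on top of it.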