In comp.unix.bsd.openbsd.misc Notgiven wrote:
> I've been a PHP/Database developer for a while and want to build a BSD
> web server with PHP/Apache and MySQL. The problem is I am not a
> BSD/Linux admin.
>
> I have successfully installed OpenBSD and got it serving up apache and
> apache SSL pages on a test box. it was actually quite easy following
> the site's directions.
>
> The problem lies when something happens for which there are no
> instructions - I will be somewhat lost. So I want a reccomendation
> for a BSD flavor with these goals in mind:
> - secure by default or easily secured - will be hosting web
> application with client's data

OpenBSD. Though FreeBSD is not half bad, either.

> - not too hard to set up

FreeBSD might be easier. You've already managed this, though.

The hardest part to get right on OpenBSD is the fact that Apache runs in
a chroot. This is a very sensible design, and adds a lot to security -
but it's not the most common setup.

> - not too hard to update

Recent OpenBSD versions aren't hard at all, if you are willing to accept
that having a compiler on a production box is a sensible thing to do.
(It is, but many Linux admins have other ideas.)

I do not have sufficient experience on FreeBSD to say either way.

> - plenty of documentation

Almost everything in OpenBSD is well-documented. FreeBSD definitely has
more documentation; but I can't speak for the quality.

> - plenty of how-to's

Install Linux. FreeBSD has very few, and OpenBSD next to none - about
the only 'howto'-ish documents I've ever read are the Big Scary Daemons
articles on onlamp.com.

On the upside, the howtos typically apply to any UNIX-ish system; in
this aspect, both OSes are about equally cursed.

> - good support community

OpenBSD's community can be very helpful, but *will* require you to do
your homework. FreeBSD's community is, at least, larger.

I've also heard rumours that FreeBSD's PHP has a memory leak. This might
or might not be a real problem.

(Note: there are more BSD flavours than Open and Free, but since you've
only posted to those groups, I'll stick to those.)

Joachim

wrote in message
news:451d76ea$0$46251$dbd4d001@news.wanadoo.nl...
> In comp.unix.bsd.openbsd.misc Notgiven
> wrote:
>> I've been a PHP/Database developer for a while and want to build a BSD
>> web server with PHP/Apache and MySQL. The problem is I am not a
>> BSD/Linux admin.
>>
>> I have successfully installed OpenBSD and got it serving up apache and
>> apache SSL pages on a test box. it was actually quite easy following
>> the site's directions.
>>
>> The problem lies when something happens for which there are no
>> instructions - I will be somewhat lost. So I want a reccomendation
>> for a BSD flavor with these goals in mind:
>> - secure by default or easily secured - will be hosting web
>> application with client's data
>
> OpenBSD. Though FreeBSD is not half bad, either.
>
>> - not too hard to set up
>
> FreeBSD might be easier. You've already managed this, though.
>
> The hardest part to get right on OpenBSD is the fact that Apache runs in
> a chroot. This is a very sensible design, and adds a lot to security -
> but it's not the most common setup.
>
>> - not too hard to update
>
> Recent OpenBSD versions aren't hard at all, if you are willing to accept
> that having a compiler on a production box is a sensible thing to do.
> (It is, but many Linux admins have other ideas.)
>
> I do not have sufficient experience on FreeBSD to say either way.
>
>> - plenty of documentation
>
> Almost everything in OpenBSD is well-documented. FreeBSD definitely has
> more documentation; but I can't speak for the quality.
>
>> - plenty of how-to's
>
> Install Linux. FreeBSD has very few, and OpenBSD next to none - about
> the only 'howto'-ish documents I've ever read are the Big Scary Daemons
> articles on onlamp.com.
>
> On the upside, the howtos typically apply to any UNIX-ish system; in
> this aspect, both OSes are about equally cursed.
>
>> - good support community
>
> OpenBSD's community can be very helpful, but *will* require you to do
> your homework. FreeBSD's community is, at least, larger.
>
> I've also heard rumours that FreeBSD's PHP has a memory leak. This might
> or might not be a real problem.
>
> (Note: there are more BSD flavours than Open and Free, but since you've
> only posted to those groups, I'll stick to those.)
>
> Joachim

Joachim - many thanks for your remarks and insights. I am leaning toward
OpenBSD simply because security is important to me and it's default install
is made secure so if I do nothing unusal I assume it should remain fairly
secure. As long as I can get everything I nwant running on it, I should be
good to go.

"Notgiven" wrote in message
news:xLdTg.26780$tT6.3288@bignews7.bellsouth.net.. .
> I've been a PHP/Database developer for a while and want to build a BSD web
> server with PHP/Apache and MySQL. The problem is I am not a BSD/Linux
> admin.
>
> I have successfully installed OpenBSD and got it serving up apache and
> apache SSL pages on a test box. it was actually quite easy following the
> site's directions.
>
> The problem lies when something happens for which there are no
> instructions - I will be somewhat lost. So I want a reccomendation for a
> BSD flavor with these goals in mind:
> - secure by default or easily secured - will be hosting web application
> with client's data
> - not too hard to set up
> - not too hard to update
> - plenty of documentation
> - plenty of how-to's
> - good support community

I use OpenBSD with MySQL and PHP with no problems at all. The online shop
system on my site (below) is built on this combination.

The chroot does complicate things somewhat, but you *could* choose to turn
it off (although I'd advise you to do a lot of reading up to do so from an
informed position).

Steve
http://www.fivetrees.com

"Steve at fivetrees" wrote in message
news:JLKdnW4cs_cvpIPYnZ2dnUVZ8tCdnZ2d@pipex.net...
> "Notgiven" wrote in message
> news:xLdTg.26780$tT6.3288@bignews7.bellsouth.net.. .
>> I've been a PHP/Database developer for a while and want to build a BSD
>> web server with PHP/Apache and MySQL. The problem is I am not a
>> BSD/Linux admin.
>>
>> I have successfully installed OpenBSD and got it serving up apache and
>> apache SSL pages on a test box. it was actually quite easy following the
>> site's directions.
>>
>> The problem lies when something happens for which there are no
>> instructions - I will be somewhat lost. So I want a reccomendation for a
>> BSD flavor with these goals in mind:
>> - secure by default or easily secured - will be hosting web application
>> with client's data
>> - not too hard to set up
>> - not too hard to update
>> - plenty of documentation
>> - plenty of how-to's
>> - good support community
>
> I use OpenBSD with MySQL and PHP with no problems at all. The online shop
> system on my site (below) is built on this combination.
>
> The chroot does complicate things somewhat, but you *could* choose to turn
> it off (although I'd advise you to do a lot of reading up to do so from an
> informed position).
>
> Steve
> http://www.fivetrees.com

Steve - do you have any links to how-to's on getting PHP/MySQL and APache
running well on OpenBSD?

How is it more difficult running it in chroot?

"Paul" wrote in message
news:O6rTg.16608$GY5.1162@bignews6.bellsouth.net.. .
>
> Steve - do you have any links to how-to's on getting PHP/MySQL and APache
> running well on OpenBSD?

Erm... it's not that hard - runs pretty well out of the box for me. I
installed the following packages:
mysql-client
mysql-server
php4-core
php4-mysql

You'll probably need to get the specific package names from the appropriate
page for your architecture on the OpenBSD site. Pay attention to the
post-install messages re enabling PHP etc. Use PHP5 rather than 4 if you
prefer.

Once you've set a password for MySQL, add the following to rc.local:

# MySQL startup:
if [ -x /usr/local/bin/mysqld_safe ]; then
echo -n ' mysqld_safe';
/usr/local/bin/mysqld_safe --user=_mysql --skip-symlink --local-infile=0 --safe-user-create
--skip-networking &
fi

Which will get the server running at startup.

If your MySQL server is very busy, you may need to increase the maxfiles
setting in the kernel.

> How is it more difficult running it in chroot?

Read the following:
http://www.openbsd.org/faq/faq10.html#httpdchroot

With the chroot, everything (including all CGI etc) must be within the
Apache path. This usually means duplicating all the executables you'll need
within the path (symlinks won't work). I'd suggest you get everything
working without a chroot first, then migrate. Or not.

HTH,

Steve
http://www.fivetrees.com

In article ,
Steve at fivetrees wrote:
>"Notgiven" wrote in message
>news:xLdTg.26780$tT6.3288@bignews7.bellsouth.net.. .
>> I've been a PHP/Database developer for a while and want to build a BSD web
>> server with PHP/Apache and MySQL. The problem is I am not a BSD/Linux
>> admin.
>>
>> I have successfully installed OpenBSD and got it serving up apache and
>> apache SSL pages on a test box. it was actually quite easy following the
>> site's directions.
>>
>> The problem lies when something happens for which there are no
>> instructions - I will be somewhat lost. So I want a reccomendation for a
>> BSD flavor with these goals in mind:
>> - secure by default or easily secured - will be hosting web application
>> with client's data
>> - not too hard to set up
>> - not too hard to update
>> - plenty of documentation
>> - plenty of how-to's
>> - good support community
>
>I use OpenBSD with MySQL and PHP with no problems at all. The online shop
>system on my site (below) is built on this combination.
>
>The chroot does complicate things somewhat, but you *could* choose to turn
>it off (although I'd advise you to do a lot of reading up to do so from an
>informed position).
>
>Steve
>http://www.fivetrees.com
>
>

(L)AMP? Roast that Penguin over BAMP!
--
Member - Liberal International
This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God Queen and country! Beware Anti-Christ rising!
Beware Linux the Microsoft of Unixes

"Steve at fivetrees" wrote in message
news:IuSdnSYHJ-hJ34PYRVnyig@pipex.net...
> "Paul" wrote in message
> news:O6rTg.16608$GY5.1162@bignews6.bellsouth.net.. .
>>
>> Steve - do you have any links to how-to's on getting PHP/MySQL and APache
>> running well on OpenBSD?
>
> Erm... it's not that hard - runs pretty well out of the box for me. I
> installed the following packages:
> mysql-client
> mysql-server
> php4-core
> php4-mysql
>
> You'll probably need to get the specific package names from the
> appropriate page for your architecture on the OpenBSD site. Pay attention
> to the post-install messages re enabling PHP etc. Use PHP5 rather than 4
> if you prefer.
>
> Once you've set a password for MySQL, add the following to rc.local:
>
> # MySQL startup:
> if [ -x /usr/local/bin/mysqld_safe ]; then
> echo -n ' mysqld_safe';
> /usr/local/bin/mysqld_safe --user=_mysql --skip-symlink --local-infile=0 --safe-user-create
> --skip-networking &
> fi
>
> Which will get the server running at startup.
>
> If your MySQL server is very busy, you may need to increase the maxfiles
> setting in the kernel.
>
>> How is it more difficult running it in chroot?
>
> Read the following:
> http://www.openbsd.org/faq/faq10.html#httpdchroot
>
> With the chroot, everything (including all CGI etc) must be within the
> Apache path. This usually means duplicating all the executables you'll
> need within the path (symlinks won't work). I'd suggest you get everything
> working without a chroot first, then migrate. Or not.
>
> HTH,
>
> Steve

Does OpenBSD have jails like FreeBSD - would that a better solution to more
freely run Apache/PHP/MySQL while maintaining security?

In comp.unix.bsd.openbsd.misc Paul wrote:
> "Steve at fivetrees" wrote in message
> news:IuSdnSYHJ-hJ34PYRVnyig@pipex.net...
>> "Paul" wrote in message
>> news:O6rTg.16608$GY5.1162@bignews6.bellsouth.net.. .
>>> Steve - do you have any links to how-to's on getting PHP/MySQL and APache
>>> running well on OpenBSD?

>> With the chroot, everything (including all CGI etc) must be within the
>> Apache path. This usually means duplicating all the executables you'll
>> need within the path (symlinks won't work). I'd suggest you get everything
>> working without a chroot first, then migrate. Or not.
>
> Does OpenBSD have jails like FreeBSD - would that a better solution to more
> freely run Apache/PHP/MySQL while maintaining security?

OpenBSD does not have jails in the same way that FreeBSD does, but
systrace can be used to get the same effect (any many others). Systrace,
though, does cost in performance and is not trivial to get running
correctly (although good tools are provided, so it's not that hard if
you are comfortable with syscalls).

Joachim

wrote in message
news:451e8957$0$20202$dbd41001@news.wanadoo.nl...
> In comp.unix.bsd.openbsd.misc Paul wrote:
>> "Steve at fivetrees" wrote in message
>> news:IuSdnSYHJ-hJ34PYRVnyig@pipex.net...
>>> "Paul" wrote in message
>>> news:O6rTg.16608$GY5.1162@bignews6.bellsouth.net.. .
>>>> Steve - do you have any links to how-to's on getting PHP/MySQL and
>>>> APache
>>>> running well on OpenBSD?
>
>>> With the chroot, everything (including all CGI etc) must be within the
>>> Apache path. This usually means duplicating all the executables you'll
>>> need within the path (symlinks won't work). I'd suggest you get
>>> everything
>>> working without a chroot first, then migrate. Or not.
>>
>> Does OpenBSD have jails like FreeBSD - would that a better solution to
>> more
>> freely run Apache/PHP/MySQL while maintaining security?
>
> OpenBSD does not have jails in the same way that FreeBSD does, but
> systrace can be used to get the same effect (any many others). Systrace,
> though, does cost in performance and is not trivial to get running
> correctly (although good tools are provided, so it's not that hard if
> you are comfortable with syscalls).
>
> Joachim
Thanks. I am not confortable with syscalls since I am a newbie still. I
wonder if FreeBSD with jails would be a better atlernative for me since it
appears to be more secure - a hack would not involved entire system - than
openbsd. Does that make sense to consider?

"Paul" wrote in message
news:SvxTg.10884$zF5.9463@bignews1.bellsouth.net.. .
> Thanks. I am not confortable with syscalls since I am a newbie still. I
> wonder if FreeBSD with jails would be a better atlernative for me since it
> appears to be more secure - a hack would not involved entire system - than
> openbsd. Does that make sense to consider?

As always, it depends. OpenBSD is very secure anyway, with or without the
chroot. The weakest link is likely to be the CGI (PHP in your case).

Steve
http://www.fivetrees.com

According to Steve at fivetrees :
> "Paul" wrote in message
> news:O6rTg.16608$GY5.1162@bignews6.bellsouth.net.. .

[ ... ]

> > How is it more difficult running it in chroot?
>
> Read the following:
> http://www.openbsd.org/faq/faq10.html#httpdchroot
>
> With the chroot, everything (including all CGI etc) must be within the
> Apache path. This usually means duplicating all the executables you'll need
> within the path (symlinks won't work). I'd suggest you get everything
> working without a chroot first, then migrate. Or not.

In particular, I suggest compiling as statically-linked any
programs which the server will be running directly (eg CGI programs).
The static linking means that you won't have to put shared libs into the
apache tree, too.

And -- as that URL will tell you -- any paths to files accessed
by the programs will have to be relocated within the Apache tree, and
their paths will have to either be modified in the source to the
programs, or you will have to build trees within the Apache tree to make
the programs appear to be where they are expected to be.

But I consider these pains to be worth it, as it seriously
limits the damage that someone can do by exploiting a newly-discovered
security hole in the Apache program itself -- or in whatever it runs.

Good Luck,
DoN,
--
Email: | Voice (all times): (703) 938-4564
(too) near Washington D.C. | http://www.d-and-d.com/dnichols/DoN.html
--- Black Holes are where God is dividing by zero ---

Just some random comments from recent experience...

Steve at fivetrees wrote:
> Erm... it's not that hard - runs pretty well out of the box for me. I
> installed the following packages:
> mysql-client
> mysql-server
> php4-core
> php4-mysql

Adding an accelerator/cache for PHP is really worth it. I use XCache
1.0.2 ( http://trac.lighttpd.net/xcache/ ) with PHP 5.1.x. For PHP5.0.x,
eaccelerator ( http://sourceforge.net/projects/eaccelerator/ ) was the
better choice (xcache doesn't work correctly with 5.0, eaccelerator
still had problems with 5.1 when I last tried it.)

You'll probably also need to install the php modules for pear (to build
the cache) and mbstring.
>
> Once you've set a password for MySQL, add the following to rc.local:
>
> # MySQL startup:
> if [ -x /usr/local/bin/mysqld_safe ]; then
> echo -n ' mysqld_safe';
> /usr/local/bin/mysqld_safe --user=_mysql --skip-symlink --local-infile=0
> --safe-user-create --skip-networking &
> fi

As I just found out by accident there's a new mysqlmanager since 5.0.3.
You can also use the /usr/local/share/mysql/mysql.server script to start
and stop the server. It's probably a good idea to add something like
this to rc.shutdown:

if [ -x /usr/local/share/mysql/mysql.server ]; then
/usr/local/share/mysql/mysql.server stop 2>&1
fi

> If your MySQL server is very busy, you may need to increase the maxfiles
> setting in the kernel.

I also found an explicit --open-files-limit=2048 paramter to
mysqld_safe helpful. I'm not sure if this is still required in newer
releases.

Marc

On Sat, 30 Sep 2006 18:21:07 +0100
"Steve at fivetrees" wrote:

> "Paul" wrote in message
> news:SvxTg.10884$zF5.9463@bignews1.bellsouth.net.. .
> > Thanks. I am not confortable with syscalls since I am a newbie still.
> > I wonder if FreeBSD with jails would be a better atlernative for me
> > since it appears to be more secure - a hack would not involved entire
> > system - than openbsd. Does that make sense to consider?
>
> As always, it depends. OpenBSD is very secure anyway, with or without the
> chroot. The weakest link is likely to be the CGI (PHP in your case).

Indeed, with PHP and SQL (actually *anything* that takes user input
and makes SQL) it is *very* important to treat all user input as
potentially hostile and screen it very carefully for SQL injection tricks
and (in the case of web front ends) embedded HTML/JavaScript.

Provided you do that, and turn off all unnecessary services, any BSD
or Linux or Solaris or other unix family OS should do fine.

--
C:>WIN | Directable Mirror Arrays
The computer obeys and wins. | A better way to focus the sun
You lose and Bill collects. | licences available see
| http://www.sohara.org/

Marc Wirth wrote:

> Steve at fivetrees wrote:

>> If your MySQL server is very busy, you may need to increase the maxfiles
>> setting in the kernel.
>
> I also found an explicit --open-files-limit=2048 paramter to
> mysqld_safe helpful. I'm not sure if this is still required in newer
> releases.

And, while we're at it, look at /etc/login.conf.

Joachim

In comp.unix.bsd.openbsd.misc DoN. Nichols wrote:
> According to Steve at fivetrees :
>> "Paul" wrote in message
>> news:O6rTg.16608$GY5.1162@bignews6.bellsouth.net.. .

>> > How is it more difficult running it in chroot?
>>
>> Read the following:
>> http://www.openbsd.org/faq/faq10.html#httpdchroot
>>
>> With the chroot, everything (including all CGI etc) must be within the
>> Apache path. This usually means duplicating all the executables you'll need
>> within the path (symlinks won't work). I'd suggest you get everything
>> working without a chroot first, then migrate. Or not.
>
> In particular, I suggest compiling as statically-linked any
> programs which the server will be running directly (eg CGI programs).
> The static linking means that you won't have to put shared libs into the
> apache tree, too.

IME, copying shared libs is easier than remembering when to recompile
PHP because one of the libraries statically linked into it has a
vulnerability.

It's not like you can't automate it, after all.

Joachim

In comp.unix.bsd.openbsd.misc Paul wrote:
> wrote in message
> news:451e8957$0$20202$dbd41001@news.wanadoo.nl...
>> In comp.unix.bsd.openbsd.misc Paul wrote:
>>> Does OpenBSD have jails like FreeBSD - would that a better solution
>>> to more freely run Apache/PHP/MySQL while maintaining security?
>>
>> OpenBSD does not have jails in the same way that FreeBSD does, but
>> systrace can be used to get the same effect (any many others). Systrace,
>> though, does cost in performance and is not trivial to get running
>> correctly (although good tools are provided, so it's not that hard if
>> you are comfortable with syscalls).
>>
> Thanks. I am not confortable with syscalls since I am a newbie still. I
> wonder if FreeBSD with jails would be a better atlernative for me since it
> appears to be more secure - a hack would not involved entire system - than
> openbsd. Does that make sense to consider?

I have no experience with jails, but a few points:
1. systrace really isn't that hard
2. there is a jail-like thingy for OpenBSD, see
http://archives.neohapsis.com/archiv...6-05/1920.html
3. chroot() is usually enough

Regarding the third point, consider what happens when someone gains
complete access to your jail - i.e., compromises the Apache process. A
competent attacker won't be hindered much by the absence of tools in the
jail, but still - there's no way to escalate priviliges unless you've
done something stupid, no way to break chroot, and so on.

A nasty DoS is possible - the default install doesn't like forkbombs,
for instance, and other approaches like exhausting shared memory may
also work - and you have access to both the network and whatever part of
MySQL the web scripts have access to; but provided that some
rate-limiting (especially on port 25 outgoing) is in place, I don't
really see what more mischief one could do. Sure, trashing the web area
is annoying, but it's not like a jail would prevent that.

Joachim

According to :
> In comp.unix.bsd.openbsd.misc DoN. Nichols wrote:

[ ... ]

> > In particular, I suggest compiling as statically-linked any
> > programs which the server will be running directly (eg CGI programs).
> > The static linking means that you won't have to put shared libs into the
> > apache tree, too.
>
> IME, copying shared libs is easier than remembering when to recompile
> PHP because one of the libraries statically linked into it has a
> vulnerability.

But if you have shared libs in the chroot area, they are yet
another thing which you have to worry about someone overwriting with a
version which allows additional functions to piggyback upon a needed
function. And installing a shared lib replacement somewhere else, and
setting LD_LIBRARY_PATH to scan it before the normal library location
could allow escalation of privilege. With staticly linked binaries, all
you have to worry about is whether the binary itself has been
compromised -- and some programs will load from half a dozen to perhaps
a couple of dozen shared libs -- so there is a lot more to watch out
for.

> It's not like you can't automate it, after all.

Or automate the re-compiles with proper dependencies in the
makefile.

Enjoy,
DoN.

--
Email: | Voice (all times): (703) 938-4564
(too) near Washington D.C. | http://www.d-and-d.com/dnichols/DoN.html
--- Black Holes are where God is dividing by zero ---

Really though.. OpenBSD is not that hard. Read the docs, search the
web, ask questions, you'll sort everything out. You won't find a better
Unix-like OS to work with.


On Sep 30, 10:12 am, "Paul" wrote:
> wrote in messagenews:451e8957$0$20202$dbd41001@news.wanadoo .nl...
>
> > In comp.unix.bsd.openbsd.misc Paul wrote:
> >> "Steve at fivetrees" wrote in message
> >>news:IuSdnSYHJ-hJ34PYRVnyig@pipex.net...
> >>> "Paul" wrote in message
> >>>news:O6rTg.16608$GY5.1162@bignews6.bellsouth.net.. .
> >>>> Steve - do you have any links to how-to's on getting PHP/MySQL and
> >>>> APache
> >>>> running well on OpenBSD?
>
> >>> With the chroot, everything (including all CGI etc) must be within the
> >>> Apache path. This usually means duplicating all the executables you'll
> >>> need within the path (symlinks won't work). I'd suggest you get
> >>> everything
> >>> working without a chroot first, then migrate. Or not.
>
> >> Does OpenBSD have jails like FreeBSD - would that a better solution to
> >> more
> >> freely run Apache/PHP/MySQL while maintaining security?
>
> > OpenBSD does not have jails in the same way that FreeBSD does, but
> > systrace can be used to get the same effect (any many others). Systrace,
> > though, does cost in performance and is not trivial to get running
> > correctly (although good tools are provided, so it's not that hard if
> > you are comfortable with syscalls).
>
> > JoachimThanks. I am not confortable with syscalls since I am a newbie still. I
> wonder if FreeBSD with jails would be a better atlernative for me since it
> appears to be more secure - a hack would not involved entire system - than
> openbsd. Does that make sense to consider?