
I (will) have a binary executable file. Its only permission is user-execute. It cannot be read by user, group, or world. The owner of the file is the Apache user. I don't want the apache user to be able to read the file, but I do want the apache user (via a PHP script) to be able to execute the file.

The binary executable file contains a password that is used to decrypt an SSH private key file, as I need the public key to hash the request body & compare against a hashed signature my server is receiving. The executable binary file will receive the request body & hashed signature, do its stuff, and simply return "yes" or "no" to indicate if the request is valid.

I know my executable binary file could still be accessed by root or sudo. Preventing that would be interesting, but is beyond the scope of my question.

Would this be an effective way to protect the password (which is in the binary file that can ONLY be executed) against PHP scripts running under the apache user?

Note: I would like to open-source this setup so want it to be useable on a variety of linux servers. I'm personally on a shared-server so can't really configure apache or the system, and that would be my target audience.

Reed
  • I saw https://security.stackexchange.com/questions/105207/give-only-execute-permissions-to-a-linux-binary-prevent-inspection from 5 years ago, but it's old & I have no idea what `LD_PRELOAD` is. It looks like https://reverseengineering.stackexchange.com/questions/98/how-can-i-analyse-an-executable-with-no-read-permission might be similar, but answers are 7 years old. – Reed Aug 15 '20 at 20:19
  • I just tried this on my Linux machine by setting an executable as **chmod 100 x** . An **ls** shows that it is set as **x** only but attempting to run it as **./x** gives a permission error. – user10216038 Aug 15 '20 at 21:36
  • @user10216038, Yeah, I tried that too! With a bash script... From some searching I did, it sounds like if you can compile something into a binary executable file, then it'll work without the read permission. There was a utility to do that with bash & I think I saw it can be done with C code as well. – Reed Aug 16 '20 at 00:03
  • I tried with both a script and a binary, I used a copy of 7za binary. Permission error on both. – user10216038 Aug 16 '20 at 02:57
  • Dang, well good to know! – Reed Aug 16 '20 at 22:07

1 Answer


You cannot prevent whoever must execute the binary from reading the binary into memory, since this is a prerequisite of execution.

You can have the binary execute from a different user, and communicate with Apache via sockets. Then Apache would be unable to access the process' memory space.

If I understood the situation, your Apache process will receive a request body plus a signature, and must verify that the body has not been tampered with. And you are doing this in PHP.

If this is so, why can't you use PHP's own OpenSSL functions?

The client will do the equivalent of:

$hash = sha512($body);                  // digest of the request body
$sign = sign_with_private_key($hash);   // signature over the digest; the private key never leaves the client
send($body . $sign);                    // transmit the body followed by the signature

the server can now do (note that it will do an unnecessary sha1 hashing inside verify):

list($body, $sign) = receive();         // split the received body and signature
$hash = sha512($body);                  // recompute the digest of the body
$okay = openssl_verify($hash, $sign, $pub_key_id);   // 1 if the signature over $hash is valid, 0 if not, -1 on error

On the server, only the public key exists. Whatever access you have on the server will never be able to successfully forge a valid signature for an arbitrary body.

LSerni
  • This recreates what github sends me: `'sha1='.hash_hmac('sha1',$requestBody,$publickKey);`, then I use `hash_equals` to compare what I generate to what they sent me. It's very similar to [what they suggest](https://docs.github.com/en/developers/webhooks-and-events/securing-your-webhooks). – Reed Aug 15 '20 at 23:52
  • I kind of like the idea of executing under a different user, but I think that's beyond what's possible given that I'm on shared hosting. My public key is saved in the github webhook, so that would be exposed if somebody cracked my github. The public key is NOT stored on my server, but it can be generated from the private file without a password (via `ssh-keygen -y -f ~/path/to/file`), so the public key might as well just be on my server. – Reed Aug 15 '20 at 23:56
  • If this is what they suggest, I'd consider going with it. It's always best not to "roll up your own cryptography" ( https://security.stackexchange.com/questions/18197/why-shouldnt-we-roll-our-own ) – LSerni Aug 16 '20 at 10:06