--On Thursday, February 12, 2009 10:04:59 -0600 Keith Palmer <ke...@academickeys.com> wrote:

Your other proposed solution results in the same situation, correct? No
matter what, Apache needs read-access to any and all files, so no matter
what PHP will have access to read any user's files. There's no way around
that for a shared hosting situation that I know of...

If you remove the groups write privs, then PHP scripts can't really do any
damage at least.

Your solution doesn't work because the user "keith" could still do a "ls
/home/shannon/public_html/" and get the directory listing (shannon's
public_html directory is 0755, per your suggestion). Unless I'm missing

If you set the world readable bit, you break the entire schema. To make it work, world must have no access - not even directory search access. So you set u=rwx,g=srx,o-rwx (or 2750), for homedirs and u=rw,g=sr,o-rwx (or 2640) for files. To maintain the schema you would also need to change the users' umask to 027 or (script a perm change periodically to remove the world bits from new files.)

If you want to get more granular, you can set the homedirs and all subdirs to owner:owner and only set the public_html dir and its subdirs to owner:www. The key is to remove the world access from the homedirs and everything under them, set the group to www, setgid and change the umask. Once you've done that, it's pretty much maintenance free. It wouldn't hurt to script something that crawls the homedirs periodically looking for perm problems, just in case something crops up.

The webserver only needs read access to files (unless the application you're running has some special requirements.) You can make a perl script (or php files, python, tcl, you name it) read only and then configure Apache so it's executable from within Apache but not directly from the hard drive.

Most application vendors tend to "err" on the side of too-loose perms, demanding rwx for everything when that's really not needed. You can play around with the perms and see what breaks, then roll the new set out once you've figured out what's needed. But, if you do it right, world doesn't need any access at all, and that's going to be a requirement going forward to keep others from seeing the files. If world has access, anyone on the server has access.

The webserver I maintain has no access at all for world. Individual dirs may have differing access rights depending upon who needs to get into them, but world is excluded. This means an attacker has to become root or the webserver user before he can even see the web stuff, and only root would have more than read access.

If the web server has read only access to the files, then an attacker is limited to exploiting vulnerabilities in the webserver or the applications running on it.

I strongly suggest you install and use mod_security (if you're not already) to protect against that. It's very lightweight and works quite well. There's an active user community, and you can protect against existing vulnerabilities with the right filters in place.

Paul Schmehl (pa...@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas

Reply via email to