Re: /home/loser is with permissions 755, default umask 0022

2020-10-07 Thread Giacomo Catenazzi

On 07.10.2020 12:39, Georgi Guninski wrote:

/home/loser is with permissions 755, default umask 0022

on multiuser machines this sucks much.

on a multiuser debian mirror we found a lot of data,
including the wordpress password of the admin.


Welcome to user webpage nightmare.

How would you solve it?

The webserver requires access to the Wordpress admin password, so either 
such a file is readable by external users (group doesn't work, because all 
users are in the same groups), or you give all your users permission 
to set the web files to the server group (but because all users have this, it 
may be easy to break the walls).


You may be smarter with groups and permissions, but it is very tricky. Or 
a randomly generated URL, e.g. (www-xbjX72naFl832bYz332 [this is not 
random, just an idea])


So there is no easy way. There is/was suphp, which executes the PHP code 
as the user, so you can remove the "other can read" permission, or, 
as is common for other languages, set up a proxy, so your code is executed 
only by you, and you send the result to the webserver (but this is also 
tricky if you have non-trusted users: one may crash your server, or 
just wait for the restart, and take over the port. [Note: you can filter 
the owner with the firewall]).


So as you see, this is tricky and error-prone. Now it is better to use 
virtual machines. But I can confirm that many sites are handled wrongly 
("it is just for a few personal webpages", then they added a shop, company 
sites, etc.).


So you found an error on a machine: tell the administrator to solve it.


But you listed another problem: a Debian mirror with a lot of user 
data, and Wordpress.


If it is an official Debian mirror, you may need to contact our DSA, so 
that they will contact the mirror administrator and help to configure the 
mirror properly. We do not run PHP or any other language on our 
mirrors, so our mirror files should be fine, but an insecure official 
server is still a problem.


ciao
cate



/home/loser is with permissions 755, default umask 0022

2020-10-07 Thread Georgi Guninski
/home/loser is with permissions 755, default umask 0022

on multiuser machines this sucks much.

on a multiuser debian mirror we found a lot of data,
including the wordpress password of the admin.
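An added example, not part of either message in this thread: a POSIX shell audit for the exposure Georgi reports and Giacomo's reply discusses (a 0755 home directory plus the default umask 0022 leaving files such as a web application's configuration readable by every local user). It builds a constructed sample home directory under a temporary path (the file names and contents are made up), lists everything under it that carries the "other can read" bit, and contrasts a subtree created under umask 0022 with one created under umask 0077. The function names are mine; pointing `world_readable` at `/home` on a real multiuser host is the intended use.

```shell
#!/bin/sh
# Added example (not from the thread): find files and directories that any
# local user can read. A 0755 home plus umask 0022 makes every new file 0644,
# which is exactly what lets a config file with a password leak to other users.

# List every path under $1 with the "other read" bit (octal 004) set.
# Directories are included because a 0755 home also lets others enumerate it.
world_readable() {
    find "$1" -perm -004 \( -type f -o -type d \) 2>/dev/null | sort
}

# Number of world-readable entries under $1; handy for a cron alert or a test.
count_world_readable() {
    world_readable "$1" | wc -l | tr -d ' '
}

# Build a constructed sample home directory (temporary path, made-up contents)
# so the check runs offline. Returns the directory path on stdout.
build_sample_home() {
    dir=$(mktemp -d)
    (
        umask 0022                      # the default the thread complains about
        mkdir "$dir/public_html"        # -> 0755
        echo "DB_PASSWORD=constructed-sample-value" > "$dir/public_html/wp-config.php"  # -> 0644
    )
    (
        umask 0077                      # private default: no group/other bits at all
        mkdir "$dir/private"            # -> 0700
        echo "constructed private note" > "$dir/private/notes.txt"  # -> 0600
    )
    chmod 0755 "$dir"                   # mimic a 0755 home directory
    echo "$dir"
}

# Usage: sh audit.sh [dir]
# With a directory argument (e.g. /home) it audits that tree; without one it
# demonstrates the check on the constructed sample and cleans up afterwards.
if [ -n "${1:-}" ]; then
    world_readable "$1"
else
    sample=$(build_sample_home)
    echo "world-readable entries under constructed sample $sample:"
    world_readable "$sample"
    rm -rf "$sample"
fi
```

Only the 0755 directory itself, `public_html` and `wp-config.php` appear in the listing; the subtree created under umask 0077 does not, which is the per-user fix available even where the administrator keeps the system default. Setting `umask 0077` (or at least `0027`) in the login profile, and `chmod 0750` on the home directory, closes the gap the original report describes without any change to the webserver setup.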



External check

2020-10-07 Thread Security Tracker
CVE-2020-25644: TODO: check
--
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.