--On Thursday, February 12, 2009 10:04:59 -0600 Keith Palmer
<ke...@academickeys.com> wrote:
Your other proposed solution results in the same situation, correct? No
matter what, Apache needs read-access to any and all files, so no matter
what PHP will have access to read any user's files. There's no way around
that for a shared hosting situation that I know of...
If you remove the groups write privs, then PHP scripts can't really do any
damage at least.
Your solution doesn't work because the user "keith" could still do a "ls
/home/shannon/public_html/" and get the directory listing (shannon's
public_html directory is 0755, per your suggestion). Unless I'm missing
something...?
If you set the world readable bit, you break the entire schema. To make it
work, world must have no access - not even directory search access. So you set
u=rwx,g=srx,o-rwx (or 2750), for homedirs and u=rw,g=sr,o-rwx (or 2640) for
files. To maintain the schema you would also need to change the users' umask
to 027 or (script a perm change periodically to remove the world bits from new
files.)
If you want to get more granular, you can set the homedirs and all subdirs to
owner:owner and only set the public_html dir and its subdirs to owner:www. The
key is to remove the world access from the homedirs and everything under them,
set the group to www, setgid and change the umask. Once you've done that, it's
pretty much maintenance free. It wouldn't hurt to script something that crawls
the homedirs periodically looking for perm problems, just in case something
crops up.
The webserver only needs read access to files (unless the application you're
running has some special requirements.) You can make a perl script (or php
files, python, tcl, you name it) read only and then configure Apache so it's
executable from within Apache but not directly from the hard drive.
Most application vendors tend to "err" on the side of too-loose perms,
demanding rwx for everything when that's really not needed. You can play
around with the perms and see what breaks, then roll the new set out once
you've figured out what's needed. But, if you do it right, world doesn't need
any access at all, and that's going to be a requirement going forward to keep
others from seeing the files. If world has access, anyone on the server has
access.
The webserver I maintain has no access at all for world. Individual dirs may
have differing access rights depending upon who needs to get into them, but
world is excluded. This means an attacker has to become root or the webserver
user before he can even see the web stuff, and only root would have more than
read access.
If the web server has read only access to the files, then an attacker is
limited to exploiting vulnerabilities in the webserver or the applications
running on it.
I strongly suggest you install and use mod_security (if you're not already) to
protect against that. It's very lightweight and works quite well. There's an
active user community, and you can protect against existing vulnerabilities
with the right filters in place.
--
Paul Schmehl (pa...@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
