Professional Web Applications Themes

User directory security - Linux / Unix Administration

There is a security issue between Unix system and Apache web server. We have many users in our Unix system, i.e. user1, user2 with home directory /home/user1, /home/user2. An apache server (running as 'nobody') provides user directories, i.e. [url]http://mydomain.com/~user1[/url] and [url]http://mydomain.com/~user2[/url] user1 has a php file under /home/user1/public_html/secret.php with permission (+acl), i.e. [url]http://mydomain.com/~user1/secret.php[/url] # file: secret.php # owner: cstest # group: misc user::rwx user:nobody:r-x #effective:r-- group::--- #effective:--- mask:r-- other:--- With the acl control, only 'nobody' (i.e. the web server ) have permission to read this file. NO other users can logon the workstation, 'cd' to the directory and see the ...

  1. #1

    Default User directory security

    There is a security issue between Unix system and Apache web server.

    We have many users in our Unix system, i.e. user1, user2 with home directory
    /home/user1, /home/user2.
    An apache server (running as 'nobody') provides user directories, i.e.
    [url]http://mydomain.com/~user1[/url] and [url]http://mydomain.com/~user2[/url]

    user1 has a php file under /home/user1/public_html/secret.php with
    permission (+acl), i.e. [url]http://mydomain.com/~user1/secret.php[/url]

    # file: secret.php
    # owner: cstest
    # group: misc
    user::rwx
    user:nobody:r-x #effective:r--
    group::--- #effective:---
    mask:r--
    other:---

    With the acl control, only 'nobody' (i.e. the web server ) have permission
    to read this file.
    NO other users can logon the workstation, 'cd' to the directory and see the
    source of this file.

    However, user2 can easily get the source code (secret.php from user1) with
    the following code,
    not just the web/php output

    <?php
    readfile("../../user1/public_html/secret.php");
    ?>

    This is because the web server also run this code in 'nobody'. 'nobody' can
    steal the source code !

    Is there any solution to protect this issue ?
    any comment ? Thanks.


    JK Guest

  2. #2

    Default Re: User directory security

    >>>>> "JK" == JK <jk6ft2-forum> writes:

    JK> Is there any solution to protect this issue ? any comment ? Thanks.

    It is completely wrong to grant permission because a certain creditial is
    *lacking*. The whole Unix security scheme does not work that way, and there
    will be a never ending stream of holes that allow users to hide their
    creditial and "steal" the file. Permissions must be granted because the
    accessor *has*, rather than *does not have*, some creditial. You might want
    to allocate a group for the web server and create a script owned by the web
    server that allow users to change their files to this group (without
    allowing other users to view them at the same time). This way you can
    easily prove to yourselves that the scheme would actually work independent
    of what is happening in the other end of the world.

    Regards,
    Isaac.
    Isaac To Guest

  3. #3

    Default Re: User directory security

    >>>>> "Isaac" == Isaac To <kktocsis.hku.hk> writes:
    >>>>> "JK" == JK <jk6ft2-forum> writes:
    JK> Is there any solution to protect this issue ? any comment ? Thanks.

    Isaac> It is completely wrong to grant permission because a certain
    Isaac> creditial is *lacking*.

    I must be having trouble with my sleep pattern... the OP actually have a
    scheme that grant permission because a creditial is there. Please ignore my
    post.

    Regards,
    Isaac.
    Isaac To Guest

  4. #4

    Default Re: User directory security

    in comp.unix.admin i read:
    >There is a security issue between Unix system and Apache web server.
    the security issue is more about your use of a particular add-in module.

    [any user can obtain another's ...]
    >source code (secret.php from user1) with
    >the following code, not just the web/php output
    >
    ><?php
    >readfile("../../user1/public_html/secret.php");
    >?>
    >
    >This is because the web server also run this code in 'nobody'.
    >Is there any solution to protect this issue ?
    don't use mod_php, use the cgi sapi and suexec instead. or try one of the
    many attempts to cope, e.g., mod_suphp. or make an open_basedir setting
    for every user.

    --
    a signature
    those who know me have no need of my name Guest

  5. #5

    Default Re: User directory security

    *** JK wrote/escribió (Fri, 11 Jun 2004 15:29:15 +0800):
    > Is there any solution to protect this issue ?
    > any comment ? Thanks.
    Add this to your Apache virtual host:

    php_admin_value open_basedir /home/username/:/var/common/inc/:/tmp/

    Add a colon-separated list of allowed dirs for each one.

    --
    --
    -- Álvaro G. Vicario - Burgos, Spain
    --
    Alvaro G Vicario Guest

  6. #6

    Default Re: User directory security

    In article <1086938885.743723bernard> "JK" <jk6ft2-forum> writes:
    > There is a security issue between Unix system and Apache web server.
    Not inherently, only in the way you set it up.
    > We have many users in our Unix system, i.e. user1, user2 with home directory
    > /home/user1, /home/user2.
    > An apache server (running as 'nobody') provides user directories, i.e.
    > [url]http://mydomain.com/~user1[/url] and [url]http://mydomain.com/~user2[/url]
    This is asking for problems, as you note. Apparently 'nobody' has
    permissions 'user2' does not have. In that case it is a bad idea
    to let 'nobody' execute scripts and/or programs owned (and written)
    by 'user2', because that way 'user2' can get the same permissions
    as 'nobody' has (provided he can force 'nobody' to execute the
    script/program).

    Scripts and programs owned by 'user2' should be executed under the
    user-id 'user2', not something else, in that case.
    --
    dik t. winter, cwi, kruislaan 413, 1098 sj amsterdam, nederland, +31205924131
    home: bovenover 215, 1025 jn amsterdam, nederland; [url]http://www.cwi.nl/~dik/[/url]
    Dik T. Winter Guest

  7. #7

    Default Re: User directory security

    in comp.unix.admin i read:
    >When I need to only allow my account to have access to a file, I set the
    >permissions accordingly (no ACL's on our system) and have the web server
    >access it using a CGI script called through CGIwrap:
    >
    >[url]http://cgiwrap.sourceforge.net/[/url]
    >
    >This allows the web server to run my UID rather than nobody.
    cgiwrap is an excellent alternative to suexec. it can even run php scripts
    without them being `normally executable' (with a shebang line and with
    execute permission), i.e., it can remain the same sort of php file that
    `everyone' expects (starts with <? and is mode 644 or so).

    --
    a signature
    those who know me have no need of my name Guest

  8. #8

    Default Re: User directory security

    those who know me have no need of my name <not-a-real-addressusa.net>
    wrote in news:m13c516aas.gnususa.net:
    > in comp.unix.admin i read:
    >
    >>When I need to only allow my account to have access to a file, I set
    >>the permissions accordingly (no ACL's on our system) and have the web
    >>server access it using a CGI script called through CGIwrap:
    >>
    >>[url]http://cgiwrap.sourceforge.net/[/url]
    >>
    >>This allows the web server to run my UID rather than nobody.
    >
    > cgiwrap is an excellent alternative to suexec. it can even run php
    > scripts without them being `normally executable' (with a shebang line
    > and with execute permission), i.e., it can remain the same sort of php
    > file that `everyone' expects (starts with <? and is mode 644 or so).
    >
    I tend to think as a sysadmin upward rather than web or program downward
    to the system. I find that I have more control and security if I have a
    program or cgi or web-page create a file with the information in it. Then
    have a CRON job look for the file in order to process it. Alot of the
    more confusing security checks are not needed with that method.

    Gandalf Parker
    -- Have you ever noticed that the Klingons are all speaking unix?
    "Grep ls awk chmod." "Mknod ksh tar imap."
    "Wall fsck yacc!" (that last is obviously a curse of some sort)
    Gandalf Parker Guest

  9. #9

    Default Re: User directory security

    those who know me have no need of my name wrote:
    > don't use mod_php, use the cgi sapi and suexec instead. or try one of the
    > many attempts to cope, e.g., mod_suphp. or make an open_basedir setting
    > for every user.
    Or use mod_suid, or Apache 2.


    Igmar
    Igmar Palsenberg Guest

  10. #10

    Default Re: User directory security

    On 2004-06-11, JK wrote:
    > There is a security issue between Unix system and Apache web server.
    >
    > We have many users in our Unix system, i.e. user1, user2 with home directory
    > /home/user1, /home/user2.
    > An apache server (running as 'nobody') provides user directories, i.e.
    > [url]http://mydomain.com/~user1[/url] and [url]http://mydomain.com/~user2[/url]
    >
    > user1 has a php file under /home/user1/public_html/secret.php with
    > permission (+acl), i.e. [url]http://mydomain.com/~user1/secret.php[/url]
    >
    > # file: secret.php
    > # owner: cstest
    > # group: misc
    > user::rwx
    > user:nobody:r-x #effective:r--
    > group::--- #effective:---
    > mask:r--
    > other:---
    >
    > With the acl control, only 'nobody' (i.e. the web server ) have permission
    > to read this file.
    > NO other users can logon the workstation, 'cd' to the directory and see the
    > source of this file.
    >
    > However, user2 can easily get the source code (secret.php from user1) with
    > the following code,
    > not just the web/php output
    >
    ><?php
    > readfile("../../user1/public_html/secret.php");
    > ?>
    >
    > This is because the web server also run this code in 'nobody'. 'nobody' can
    > steal the source code !
    >
    > Is there any solution to protect this issue ?
    > any comment ? Thanks.
    I've just read answers you've got and nobody tells you solution for
    mod_php. You have to enable safe_mode in php.ini. This doesn't allow
    reading files which belong to one user by scripts which belong to
    another user. Quite useful thing :)

    --
    Stanislaw Klekot
    Stachu 'Dozzie' K. Guest

Similar Threads

  1. Windows User Directory Security bypassed?
    By rrzzy in forum Coldfusion Security
    Replies: 3
    Last Post: May 29th, 02:16 AM
  2. Replies: 1
    Last Post: July 4th, 12:23 AM
  3. Replies: 1
    Last Post: May 21st, 03:47 PM
  4. Directory Security via ASP / Or Adding user to Win2000 users
    By Richard Morey in forum ASP Database
    Replies: 9
    Last Post: August 22nd, 08:35 PM
  5. user security policy active directory
    By pipe in forum Windows Setup, Administration & Security
    Replies: 0
    Last Post: July 15th, 03:32 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139