From: Olivier D. <dr...@sh...> - 2002-02-14 13:15:19

I'm no security expert, and I'd like to ask everyone here their opinion on a certain security issue: world r/w directories and files. Is this an issue when it comes to www and httpd security?

For example, the wwwboard has a directory (messages/) that is world r/w, as well as several files like data.txt, password.txt and wwwboard.html, and I feel concerned about having those files accessible by web browsers and other programs through my httpd. While it is impossible to remedy such permissions on these files and directories, unless using a database such as mysql or postgres (which isn't an option for this project, to keep compatibility with MWS), would such measures as:

- disabling r/w access to others but making sure the files are r/w to group and set the group to www-data (or whatever the httpd is running as)
- putting all possible world r/w files below the document root (or above, depending how you see this)

My idea is *not* to make this the standard, but maybe include an optional security section in the README that deals with this, if of course this is a security issue.

Ideas? Suggestions?

-Olivier
--
+----------------------------------------------+
| Olivier Dragon dr...@sh... |
| Software Engineering II, McMaster University |
+----------------------------------------------+

From: Wizard <wi...@ne...> - 2002-02-14 14:04:13

> - disabling r/w access to others but making sure the files are r/w to
> group and set the group to www-data (or whatever the httpd is running
> as)

Remember that the webserver is the ONLY user accessing these files (regardless of whether it's through someone's browser or not). So changing the group permissions doesn't do anything unless someone is logged in locally.

> - putting all possible world r/w files below the document root (or
> above, depending how you see this)

This would only work for the .txt files. The HTML must be under the docroot.

There really is no totally secure way of securing r/w files on a webserver, as the webserver UID is the one that needs to write to them, and this is the most likely UID target for exploits (but it has become more rare).

The one way that I have seen it done (and I don't recommend it for writeable files) is to have the first few lines of the file like so:

    #!/usr/bin/perl
    exit;
    # text data below

And then name the file (something).pl and make it r/x. The script now ignores these lines when reading the file, and just reads the data below. The result is that when someone is trying to read the file in a browser, the script is executed rather than displayed. The problems are that the file needs to be in an ExecCGI directory, and it can't be writable, as that could open the door to malicious code being inserted.

I think that the existing system of file storage should be fine. You could suggest that the password file be moved somewhere more secure, but I think even that might be overkill. As long as the server is secure, and the user uses decent passwords (no dictionary words, at least 7 chars, and mixed case), it should be fine.

Grant M.

From: Olivier D. <dr...@sh...> - 2002-02-14 15:07:19

On Thu, Feb 14, 2002 at 09:02:04AM -0800, Wizard wrote:
> > - putting all possible world r/w files below the document root (or
> > above, depending how you see this)
> This would only work for the .txt files. The HTML must be under the docroot.

Yes, I know. But the fewer r/w files exposed, the better, no? Or is this a false sense of pseudo-security?

And what about the directories? I've heard of an exploit using something like ../../../../../../../../../../../tmp as cgi-input to gain write access to a machine. Again, I'm not a security expert and I don't know any methods of gaining access to a machine, but it seems to me that the more holes plugged, the better.

Thanks for the opinion. I'm trying to get a better feel for security and this is helping me a lot. And who knows, it might help the project too :o)

-Olivier
--
+----------------------------------------------+
| Olivier Dragon dr...@sh... |
| Software Engineering II, McMaster University |
+----------------------------------------------+

From: Jonathan S. <gel...@ge...> - 2002-02-14 21:01:12

On Thu, 14 Feb 2002, Olivier Dragon wrote:
> On Thu, Feb 14, 2002 at 09:02:04AM -0800, Wizard wrote:
> > > - putting all possible world r/w files below the document root (or
> > > above, depending how you see this)
> > This would only work for the .txt files. The HTML must be under the docroot.
>
> Yes I know. But the less r/w files exposed, the better, no? Or is this a
> false sense of pseudo security?
>
> And what about the directories? I've heard of an exploit using something
> like ../../../../../../../../../../../tmp as cgi-input to gain write
> access to a machine. Again, I'm not a security expert and I don't know
> any methods of gaining access to a machine, but it seems to me that the
> more holes plugged, the better.
>

The NMS programs aren't vulnerable to exploits of that sort themselves, but of course the files are vulnerable to those sorts of holes in other people's programs running on the same server.

Of course we have no way of knowing about the configuration of any given webserver; however, we probably could have the program files attempt to chmod themselves 0550 and their data directories 0750 and set a conservative umask of 0077 for the creation of new files. This won't save us on a shared web server where all of the programs for all of the users run with the same uid, but it will buy us some security on dedicated machines or shared servers where each user has their CGI programs run SuExec to their own uid.

At the end of the day the programs are only ever going to be as secure as the servers that they are running on, and we can certainly expect that there are places where they are going to have to be chmod 555 because of the configuration of the server. We could put an iterative description of 'try 0500, then 0550, then 0555 ...' in the README, but I think people are going to get bored with that very quickly ;-}

/J\
--
Jonathan Stowe | <http://www.gellyfish.com> | This space for rent |
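What the self-hardening Jonathan describes (chmod the program 0550, the data directory 0750, umask 0077) looks like when written out, as an added Perl example that is not NMS project code. The data directory name `messages` is taken from the wwwboard layout Olivier mentioned; the function names and the world-writable audit at the end are my additions, and the audit is the check a server admin would want after the chmods, since on a shared host the chmod of a file you do not own simply fails.

```perl
#!/usr/bin/perl
# Added example (not NMS project code): tighten a CGI program's own
# permissions at startup, then audit its data directory for anything
# still writable by 'other'.
use strict;
use warnings;
use File::Find;

# Assumption: the data directory lives beside the script and is called
# 'messages', as in Olivier's wwwboard description.
my $data_dir = 'messages';

# 1. Conservative umask: every file created from here on is at most
#    0600 and every directory at most 0700, whatever mode the code asks for.
umask 0077;

# 2. Try to make the program itself read/execute for owner and group only.
#    chmod returns the number of files changed; 0 means we do not own the
#    file (the shared-host case in the thread), so we report and carry on.
sub harden_self {
    my $me = $0;
    return chmod(0550, $me) ? "chmod 0550 $me ok" : "cannot chmod $me: $!";
}

# 3. Create the data directory 0750 if it is missing, or tighten it if
#    it already exists.
sub harden_data_dir {
    my ($dir) = @_;
    unless (-d $dir) {
        mkdir $dir, 0750 or return "mkdir $dir failed: $!";
    }
    return chmod(0750, $dir) ? "chmod 0750 $dir ok" : "cannot chmod $dir: $!";
}

# 4. Audit: return every path under the data directory whose mode still
#    has the 'other write' bit (0002) set, which is the exposure the
#    thread is about.
sub world_writable {
    my ($dir) = @_;
    my @found;
    find(sub {
        # File::Find chdirs into each directory, so $_ is the basename.
        my @st = lstat $_ or return;
        push @found, $File::Find::name if ($st[2] & 0002);
    }, $dir);
    return @found;
}

print harden_self(), "\n";
print harden_data_dir($data_dir), "\n";
for my $path (world_writable($data_dir)) {
    print "WARNING: still world-writable: $path\n";
}
```

Run it once from the CGI directory as the uid the webserver uses; any WARNING lines are files that a hole in some other program on the same host could rewrite, exactly the residual risk Jonathan points out for shared servers.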

From: Jonathan S. <gel...@ge...> - 2002-02-14 21:01:05

On Thu, 14 Feb 2002, Wizard wrote:
>
> There really is no totally secure way of securing r/w files on a webserver,
> as the webserver UID is the one that needs to write to them, and this is the
> most likely UID target for exploits (but it has become more rare).

Ideally a shared webserver would have some kind of mechanism such as Apache's SuExec whereby each user's CGI programs get run under a separate UID in a relatively secure fashion. Unfortunately we cannot expect that of our constituency :(

Whilst a lot of the files do need to be readable *and* writeable (Guestbook, FFA), for a certain number of them I think that we could sysopen them for writing but with a mode of 0400.

/J\
--
Jonathan Stowe | <http://www.gellyfish.com> | This space for rent |
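The write-once file Jonathan proposes (sysopen for writing, but creating the file with mode 0400), as an added Perl example that is not NMS project code. The file name and the function names are constructed for the example; the second function is the check that matters, confirming that once the handle is closed, not even the webserver uid can reopen the file for writing (unless it runs as root, which the code flags).

```perl
#!/usr/bin/perl
# Added example (not NMS project code): create a file that can be written
# exactly once, by opening it for write while creating it with mode 0400.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

# Create and fill $path. O_EXCL makes sysopen fail instead of truncating
# if the name already exists (so a pre-planted file or symlink at that
# name is refused rather than followed). The 0400 is further restricted
# by the umask, which cannot add bits, so the result is always 0400.
sub write_once {
    my ($path, $content) = @_;
    umask 0077;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0400)
        or return "create $path failed: $!";
    # The handle we already hold stays writable; only later opens are refused.
    print {$fh} $content;
    close $fh or return "close $path failed: $!";
    return "wrote $path with mode 0400";
}

# Check: a fresh open for writing must now fail (EACCES) for a non-root
# uid, because the file is owner-read-only. Root bypasses mode bits, so
# a success here means the CGI is running as root, which is its own problem.
sub reopen_for_write_fails {
    my ($path) = @_;
    my $ok = sysopen(my $fh, $path, O_WRONLY);
    close $fh if $ok;
    return !$ok;
}

my $path = "message-" . time . ".txt";   # constructed sample file name
print write_once($path, "Subject: hello\nBody: constructed sample entry\n"), "\n";
printf "mode now: %04o\n", (stat $path)[2] & 07777;
print reopen_for_write_fails($path)
    ? "reopen for write refused: $!\n"
    : "WARNING: file still writable (is this running as root?)\n";
```

This fits the "certain number of them" case Jonathan has in mind: a file written in full at creation (an archived message, a generated page) and never appended to. A guestbook or FFA file that must be appended to on every post cannot use it, which is the distinction his message draws.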