Multi-User Websites and Lack of Security?
gh0ul asks: "I've come across a large and seemingly unspoken problem when it comes to webhosting: a multi-user shell service in which any of the hundreds of users can view any file for my website, including my SQL passwords and PHP scripts. I've tried many times talking to the admins but have run out of luck trying to find a way to have my scripts run as they should without anyone being able to just view the source at will or view the passwords for my MySQL databases. Apache runs as nobody, therefore the files have to be readable by nobody. I've heard about wrappers, but the admins refuse to install them. So how would a normal user go about securing his web files and passwords for this purpose on a heavily populated machine?" When dealing with administrators who aren't willing to handle even the basics of web security for their customers, consider moving somewhere else. In the meantime, for Perl users concerned about leaving passwords in scripts, consider using DBIx::Password.
I would be interested in knowing of alternatives for DBIx::Password in other languages, as well. It's a useful idea especially if your scripts find themselves in hostile environments.
Re:tried Zend? (Score:1)
Re:Annoys me (Score:1)
Wrappers (Score:1)
owned by you. Then make all your php files mode 500 and owned by you.
Re:FP, not what you think. (Score:1)
Re:chmod (Score:1)
We use the opposite, 1 group for all of our users since we know that each user is "trusted" on the box.
Should apache or any web server software be run as nobody??
If they can read your files... (Score:2)
It isn't funny when you have to explain it, but .. (Score:2)
I'm guessing that you haven't had your morning cup of coffee yet .... :-)
Re:setgid - Wrong (Score:2)
setgid (Score:3)
chmod (Score:1)
find $HOME -type d -exec chmod o-r {} \;
While your files will still be readable, the directories that contain them will not be. People can't use "ls" to list your directories this way.
Doesn't work on all Unix Systems (Score:1)
This method doesn't work on all Unix systems, as the setgid bit on directories is interpreted differently. However, it will work on MOST Unix systems, Linux and Solaris included.
I think it's a BSD-ism but can't recall for sure.
Re:If they can read your files... (Score:1)
A link (Score:1)
Basically, there are no good and easy solutions, but the article does give a few ways to go.
Re:chmod (Score:2)
I wouldn't think so. I run it as http or httpd. Many articles recommend running services as 'nobody'. I can't think of a good reason not to have a specific user account/group for each service.
use include() (Score:1)
include('incs/setup.inc');
Also htaccess the incs dir so that it isn't readable by apache.
If the hosting company didn't know that, leave now!
I've used PHP Safemode (Score:1)
In order to avoid the problem that everyone can read everyone else's scripts PHP runs in Safe mode, which confines a script to the dir it's in and the subdirs.
This seems to be working very well.
Regards,
Xenna
Re:Run as user? (Score:2)
For the CGI problem, there's suexec or cgiwrap. [The security reports on cgiwrap are due to the hack job on the Cobalt RaQs. A default install is safe.]
Now, for the group thing, you're almost on the right track -- what you can do is to give each user their own group, and put the web server into that group. [You'll need to restart the web server after adding each user if you're using Netscape/iPlanet...I don't know if it's a problem with apache]. You then want to set the permissions such that the group has read access to the files, but that they're not world readable.
[0640 for those of you who like bitmasks.] The CGIs, as they're wrapped, only need to be run as yourself [0700].
I've done both of these before, and I can tell you that they work just fine; however, you have to be careful then about anything that is running as the same user as the webserver [typically, text preprocessors, such as PHP or ColdFusion, or any CGIs that are running unwrapped]. ColdFusion is a security nightmare on a multi-user system, as it becomes quickly realized that it was never intended for that sort of use. [Hell, all I need to know is someone's datasource name, and I can do anything to their database that they can...and I can get their datasource name by reading their files...which of course, ColdFusion can do, as it runs as the webserver.]
As for PHP, I have no experience with it, but I'm guessing there's a good chance that it has the same issues as ColdFusion.
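The permission scheme described in the comment above (a per-user group shared with the web server, 0640 for served files, 0700 for wrapped CGIs), as an added example that is not part of the original thread. The cgi-bin/ layout, the function names and the use of the caller's primary group as a stand-in for the per-user web group are assumptions.

```shell
#!/bin/sh
# Added example: audit and apply the per-user-group permission scheme.
# Assumptions: wrapped CGIs live under cgi-bin/, and the group passed to
# lock_down contains only the site owner and the web server account.

# Print every regular file under $1 that any local user can read.
world_readable() {
    find "$1" -type f -perm -004 -print
}

# Print every directory under $1 that any local user can list or enter.
world_open_dirs() {
    find "$1" -type d \( -perm -004 -o -perm -001 \) -print
}

# Apply the scheme: directories 0750, served files 0640, wrapped CGIs 0700.
lock_down() {
    root=$1; group=$2
    chgrp -R "$group" "$root" || return 1
    find "$root" -type d -exec chmod 0750 {} +
    find "$root" -type f ! -path '*/cgi-bin/*' -exec chmod 0640 {} +
    find "$root" -type f -path '*/cgi-bin/*' -exec chmod 0700 {} +
}

# Constructed sample tree so the script runs offline.
demo() {
    site=$(mktemp -d) || return 1
    mkdir -p "$site/incs" "$site/cgi-bin"
    echo '<?php include("incs/setup.inc"); ?>' > "$site/index.php"
    echo '<?php $db_pass = "constructed-example"; ?>' > "$site/incs/setup.inc"
    printf '#!/bin/sh\necho "Content-type: text/plain"\necho\n' > "$site/cgi-bin/env.cgi"
    chmod -R a+rX "$site"            # typical permissive starting point
    echo "before: $(world_readable "$site" | wc -l) world-readable files"
    lock_down "$site" "$(id -gn)"    # stand-in for the per-user web group
    echo "after:  $(world_readable "$site" | wc -l) world-readable files"
    rm -rf "$site"
}
demo
```

File modes only keep other shell users out; anything that executes as the web server account itself is still inside the group and can read the 0640 files.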
Not enough (Score:1)
Re:setgid - Wrong (Score:1)
Under such a setup, if user A wants to read user B's files, user A just has to write a CGI program to read (or copy) user B's files for him. When user A runs the CGI by accessing with HTTP, it will have the permissions it needs to grab user B's files.
-Loopy
here's how (Score:2)
Why not try setting up your own machines to run your site? It's not that hard, and I know sites which run off of DSL @ home. One thing many providers seem to lack about 85% of the time is good administration, and when it comes to security you're looking at about 95% of insecure companies with all sorts of holes.
Warn the company that you'll take your business elsewhere should they not comply with your request; then, if they don't listen, email everyone they host and make them aware of the problem too, and see how fast they'll fix the shit. Sure, it may sound fscked up to do something like that, but if it were your company, and someone else knew of major holes, wouldn't you be glad someone opened their mouths?
Python (Score:1)
Run as user? (Score:2)
public_html is owned by bob and the group is webbob; permissions are rwxr-x---. When a request is made for
I would imagine that the su would have high overhead for those that simply don't need that kind of feature, but if it could be implemented as a module then servers such as this could add the feature as needed.
safe mode: what you are looking for (Score:1)
What you need to do is to turn PHP Safe Mode on (in the PHP configuration file). Maybe you didn't find this because documentation isn't very clear on the topic. Look for safe mode in php.net; maybe this link is also useful: http://www.wrox.com/Consumer/Store/Books/2963/29632002.htm [wrox.com]
Using Safe Mode
Running PHP in safe mode is a great way of making the use of PHP scripts safer, especially if you allow users to develop and run their own PHP scripts. Turning on safe mode will cause PHP to check a number of things before executing functions that could possibly be a security risk.
Include, ReadFile, Fopen, File, Unlink, RmDir, etc.: The owner of the file to be included must either be the same as the owner of the script running or the directory in which the file resides must be owned by this user.
Exec, System, PassThru, etc.: Programs to be executed must reside in a special directory (the default is
Re:chmod (Score:3)
It's trivial to know the name of the directory his web files are in, and it only takes a visit to his webpage to find out the filenames for his PHP source files. A simple 'cat' and you've got the database passwords.
Honestly, I'm not sure what you can do on a true multiuser system, especially with PHP. You could certainly try and obscure things through some evil hacks and kludges but you can always work around it.
The submitter said it himself: since apache runs as nobody, any files it accesses need to be readable by nobody. I've never found anything that can get around that fact...
My solution? Don't run any of my websites on machines that have users I don't trust.
Bad idea (Score:1)
tried Zend? (Score:2)
chmod 711 (Score:1)
Enjoy, The CatPieMan