
General security concerns.


trq


Setting up a server, the vhost looks something like (off the top of my head)....

 

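<VirtualHost *>
  ServerName live.foo.com
  # Alias takes the URL path first, then the filesystem path
  Alias /uploads /storage/content/live
  # DocumentRoot sets the served directory; ServerRoot is not valid inside a vhost
  DocumentRoot /var/www/htdocs/live/www
</VirtualHost>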

 

(more to it than that but anyway...)

 

Now, my main issue is with permissions. Within /storage/content/live there are hundreds of directories designed to hold client media files (images and PDFs mostly); the actual content for each client is within postgres (this is a large CMS hosting multiple clients, a few hundred presently).

 

My main issue is the permissions to apply to these directories. Clients need to be able to upload to these directories, so one would assume they need to be writable by the apache user (apache); however, is this not dangerous? What can I do to avoid it, or is this simply the way I need to go?


My main issue is the permissions to apply to these directories. Clients need to be able to upload to these directories, so one would assume they need to be writable by the apache user (apache); however, is this not dangerous? What can I do to avoid it, or is this simply the way I need to go?

 

Is it a dedicated server? Are there any other users of the same box/server?

If not, then it will be fine to chown -R apache2:apache2 /var/www/htdocs/live (and chmod 600) after that.

 

TBH, chmod 777 and the like only come into effect if there are multiple users on a server, and/or if there are some scripts which are poorly written.

 

</two-cents>

-steve


Yes, it's a dedicated box.

 

There are a few users on the system, myself and a few (3) devs. Each has their own account. Each site also has an account and group, e.g. live.foo.com = live_foo, stage.foo.com = stage_foo, etc. (forgot to mention there are live, stage and dev versions of the site in place), and each of us users belongs to those groups.

 

Anyway, I think I'll chown -R live_foo:apache /storage/content/live and chmod 660.

 

No client will ever have shell access. Just us four boys.

 

Thanks for the clarification.


Well, if you trust the few users on that system you're fine. What they could potentially do is:

 

Create a PHP/CGI script which will copy all of /var/www/htdocs and allow them to download the source code and see your MySQL passwords. As PHP scripts are run by the web user, i.e. apache, they can access your files.

 

Ideally if you trust/work with the other people, you might not mind too much.

You could also disable PHP and CGI (and other scripts) by default for all users, so they can only run static HTML files etc.

 

You could look into suPHP, which is on apt also. It allows the webserver to "su" to the owner of the folder that the PHP file being accessed is in.

 

-steve
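
Added example, not part of any post in this thread: a shell sketch of the permission scheme discussed above, with an audit for the script risk raised in the last reply. It assumes the upload tree is already owned live_foo:apache as planned earlier in the thread; the modes 2770/0660, the function names and the extension list are this example's assumptions. Modes are set per type because a recursive chmod 660 also strips the search bit from directories.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the tree is already owned
# site-user:web-group, e.g. live_foo:apache; modes and extensions are assumptions.

# Directories -> 2770: owner and group may enter and write, "other" gets
# nothing, setgid makes new uploads inherit the directory's group.
# Files -> 0660: read/write for owner and group, never executable.
harden_upload_tree() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    # '\;' runs one chmod per directory as find reaches it, so a parent is
    # searchable again before find looks inside it (GNU find behaviour).
    find "$1" -type d -exec chmod 2770 {} \;
    find "$1" -type f -exec chmod 0660 {} +
}

# Prints one finding per line; returns 1 if anything was found, 0 if clean.
audit_upload_tree() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    findings=$(
        {
            find "$1" \( -type f -o -type d \) -perm -0002 |
                sed 's/^/world-writable: /'
            find "$1" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) |
                sed 's/^/executable file: /'
            find "$1" -type d ! -perm -0100 |
                sed 's/^/directory without search bit: /'
            # Uploaded scripts stay a finding whatever their mode is.
            find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.cgi' \) |
                sed 's/^/script in upload area: /'
        } 2>/dev/null
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: sh upload_perms.sh audit|harden /storage/content/live
case "${1:-}" in
    audit)  audit_upload_tree "$2" ;;
    harden) harden_upload_tree "$2" ;;
esac
```

Hardening fixes modes only; a script file that was already uploaded is still reported by the audit afterwards and has to be dealt with separately.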
