[Lincs] lug.org.uk has been compromised! (Programming exploits into your own systems for Dummies part #207)
James Taylor
jt at imen.org.uk
Tue Nov 23 21:04:01 GMT 2004
saman at meninpc.co.uk wrote:
>One solution to such problems is running PHP scripts as the owner of the
>file (which obviously wasn't done on lug.org.uk). It is common practice to
>use "suPHP" or "suEXEC" on production servers to do this, which also has
>more benefits than the security one.
>
In the case specified in my email, that doesn't help: you are executing
arbitrary commands as the user of a user who can read your files. It is
bad programming that, no matter how secure you can get it, if at some
point the web server can view and display that file, then that script
would allow it.
The secondary problem is the number of users who upload files with
permissions of "777" - you really wouldn't believe the kind of files I
can find on public systems with those permissions.
suEXEC / suPHP would be better still if you then went away and actually
used something like apache2 per child, which, whilst insane on resources
(hah, like you need them), is the most secure. This, instead of just
running PHP / other scripts, actually runs a copy of the server per user,
so not only the script but the entire referee process is run as that
user. Even if we go to the next level and assign each user two user IDs
- one for the Apache, one for the uploading/shell - this makes an awesome
combination, and it is to this system we (as a provider) hope to be
moving by the summer of next year.
With our own situation, we run several copies of Apache; each user gets
placed into a risk group - risk being one of two types: either you are a
"risk" in yourself, or you are the target. Each risk group shares an
Apache group, therefore minimising overall risk. It's just statistics and
probability at the end of the day. 90% of my users are sane &| ask the
sysadmins' advice before installing/writing scripts. 10% aren't/don't...
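The two permission problems the post raises (user-uploaded files left at mode 777, and config files that any process on the box, including the web server, can read) are easy to audit for. The script below is an added example and is not code from the original post or from lug.org.uk; it builds a constructed sample document root under a temporary directory when no path is given, and the filename patterns it treats as "secret-looking" (`*config*`, `*.inc`, `.htpasswd`) are an assumption chosen for illustration, not a standard.

```shell
#!/bin/sh
# Added example (not from the original post): audit a web document root for
# the permission problems discussed in the thread.
#   - world-writable files/directories (the "777" upload problem)
#   - world-readable files whose names suggest they hold credentials
# Assumption: $1 is the document root; with no argument a constructed sample
# tree is created under a temp dir, audited, and removed.

# List world-writable files and directories beneath the given root, one per
# line, sorted. Octal -002 is the "others may write" bit and is portable.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print | sort
}

# List world-readable files whose names look like configuration or
# credential files. The name patterns are an assumption for this example.
find_world_readable_secrets() {
    find "$1" -type f -perm -004 \
        \( -name '*config*' -o -name '*.inc' -o -name '.htpasswd' \) \
        -print | sort
}

# Human-readable report combining both checks. Always returns 0 so it can
# be used freely under "set -e"; callers count lines to decide pass/fail.
audit_webroot() {
    root="$1"
    find_world_writable "$root" | while IFS= read -r f; do
        printf 'WORLD-WRITABLE  %s\n' "$f"
    done
    find_world_readable_secrets "$root" | while IFS= read -r f; do
        printf 'READABLE-SECRET %s\n' "$f"
    done
    return 0
}

# Build a constructed sample document root and print its path.
#   index.php           644  fine
#   uploads/avatar.png  777  world-writable (the problem the post describes)
#   db_config.inc       644  readable by every local user, including httpd
#   private/secret.php  600  fine
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/uploads" "$root/private"
    chmod 755 "$root/uploads" "$root/private"
    touch "$root/index.php" "$root/uploads/avatar.png" \
          "$root/db_config.inc" "$root/private/secret.php"
    chmod 644 "$root/index.php" "$root/db_config.inc"
    chmod 777 "$root/uploads/avatar.png"
    chmod 600 "$root/private/secret.php"
    printf '%s\n' "$root"
}

# Stand-alone use: audit the given root, or the constructed sample tree.
demo_root="${1:-}"
demo_cleanup=0
if [ -z "$demo_root" ]; then
    demo_root=$(make_sample_tree)
    demo_cleanup=1
fi
audit_webroot "$demo_root"
if [ "$demo_cleanup" -eq 1 ]; then
    rm -rf "$demo_root"
fi
```

On a real host, run it against each user's document root; anything the first check reports is writable by every local account, and anything the second reports is readable by the web server user regardless of whether suEXEC or suPHP is in use, which is exactly the case the post says those tools do not cover.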