[Lincs] lug.org.uk has been compromised! (Programming exploits into your own systems for Dummies part #207)

James Taylor jt at imen.org.uk
Tue Nov 23 21:04:01 GMT 2004


saman at meninpc.co.uk wrote:

>One solution to such problems is running PHP scripts as the owner of the
>file (which obviously wasn't done on lug.org.uk). It is common practice to
>use "suPHP" or "suEXEC" on production servers to do this, which also has
>more benefits than the security one.
>
In the case specified in my email, that doesn't help - you are executing 
arbitrary commands as the user of a user who can read your files - it is 
bad programming that no matter how secure you can get it, if at some 
point the web server can view and display that file, then that script 
would allow it.

The secondary problem is the number of users who upload files with 
permissions of "777" - you really wouldn't believe the kind of files I 
can find on public systems with those permissions.

suExec / suPHP would be better still if you then went away and actually 
used something like apache2 per child, which whilst insane on resources 
(hah like you need them) is the most secure. This, instead of just 
running php / other script actually runs a copy of the server per user, 
so not only is the script, but the entire referee process is run as that 
user. Even if we go to the next level and assign each user two user ids 
- one for the apache, one for the uploading/shell, this makes an awesome 
combination, and it is to this system we (as a provider) hope to be 
moving to by the summer of next year.

With our own situation, we run several copies of apache, each user gets 
placed into a risk group - risk being one of two types, either you are a 
"risk" in yourself, or you are the target. Each risk group shares an 
apache group, therefore minimising overall risk. It's just statistics and 
probability at the end of the day. 90% of my users are sane &| ask the 
sysadmins advice before installing/writing scripts. 10% aren't/don't...
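The "777" problem above is easy to audit for. The following is an added example, not something from James's post or from lug.org.uk: a small POSIX sh audit that lists, counts and then strips the world-writable bit from everything under a web root, so that no local account (the web server's included) can rewrite another user's files. The document root path used in the usage branch is an assumption; point it at your own.

```shell
#!/bin/sh
# Added example (not from the original post): find and fix world-writable
# files and directories under a web document root.
# Assumption: the path /var/www is only a placeholder for your own root.

# Print every world-writable entry under $1, one path per line.
# -perm -002 matches any entry with the "other" write bit set (777, 666,
# 1777 and so on). Symlinks are skipped: their mode bits are meaningless,
# and chmod on them would follow to the target.
list_world_writable() {
    find "$1" ! -type l -perm -002 -print 2>/dev/null
}

# Number of world-writable entries under $1 (a bare integer on stdout).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Remediate: drop only the "other" write bit, leaving owner and group
# permissions as the user set them (a 777 file becomes 775, 666 becomes 664).
fix_world_writable() {
    find "$1" ! -type l -perm -002 -exec chmod o-w {} + 2>/dev/null
}

# Usage when run directly with a root directory, e.g.:
#   sh audit_777.sh /var/www          # report only
#   sh audit_777.sh /var/www --fix    # report, then remediate
if [ "$#" -gt 0 ]; then
    root="$1"
    printf 'World-writable entries under %s:\n' "$root"
    list_world_writable "$root"
    printf 'Total: %s\n' "$(count_world_writable "$root")"
    if [ "$2" = "--fix" ]; then
        fix_world_writable "$root"
        printf 'After fix: %s\n' "$(count_world_writable "$root")"
    fi
fi
```

Run it from cron against each user's document root and mail the report to the sysadmins; the count going non-zero is a cheap early warning that someone has uploaded with lax permissions again.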