[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Keeping the webserver safe

On Sunday 05 October 2008 05:37:17 pm Dusty Wilson wrote:
> >From what I understand, /etc/passwd has to be world readable.  If I'm
> wrong, correct me please.  If it's world readable, anyone can read it
> unless you use a chroot or use OS containers like OpenVZ (they'd still
> see the file, but it just wouldn't be the whole server's file).
> Dusty
> On Sun, Oct 5, 2008 at 1:27 PM, Rico Secada <coolzone@it.dk> wrote:
> > Hi.
> >
> > I have a webserver running with a couple of users as virtual hosts in
> > Apache.
> >
> > I read this article from IBM
> > http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/i
> >ndex.html (look for "Guard your filesystem") and testet the PHP script on
> > an Etch installation, and the script serves files such as /etc/passwd and
> > others.
> >
> > What is the best and correct way to protect the server from users who
> > might upload such a script on their web directory?
> >
> > I don't want to run Apache in a chroot.
> >
> > Best regards.
> >
> > Rico
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
> > listmaster@lists.debian.org

Correct me if I've missed something, but isn't the /etc/passwd *supposed* to 
be world-readable, for example to translate UIDs to user names using the ls 
command? The /etc/shadow file should *not* be world-readable, but when you 
use the shadow file, you don't have passwords in /etc/passwd, so it's being 
world-readable doesn't affect security, unless by some weird mechanism 
usernames are insecure... unless you run PHP as root, you would have to find 
a privilege escalation bug in PHP itself to have this particular security 
implication. That's not to say there aren't other security implications, or 
that PHP doesn't have such a bug. Lacking much experience with PHP, i'm in no 
position to say either way on that one.

Jack Mudge

Reply to: