Re: Keeping the webserver safe
On Sunday 05 October 2008 05:37:17 pm Dusty Wilson wrote:
> >From what I understand, /etc/passwd has to be world readable. If I'm
> wrong, correct me please. If it's world readable, anyone can read it
> unless you use a chroot or use OS containers like OpenVZ (they'd still
> see the file, but it just wouldn't be the whole server's file).
> On Sun, Oct 5, 2008 at 1:27 PM, Rico Secada <email@example.com> wrote:
> > Hi.
> > I have a webserver running with a couple of users as virtual hosts in
> > Apache.
> > I read this article from IBM
> > http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/i
> >ndex.html (look for "Guard your filesystem") and testet the PHP script on
> > an Etch installation, and the script serves files such as /etc/passwd and
> > others.
> > What is the best and correct way to protect the server from users who
> > might upload such a script on their web directory?
> > I don't want to run Apache in a chroot.
> > Best regards.
> > Rico
> > --
> > To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
> > firstname.lastname@example.org
Correct me if I've missed something, but isn't the /etc/passwd *supposed* to
be world-readable, for example to translate UIDs to user names using the ls
command? The /etc/shadow file should *not* be world-readable, but when you
use the shadow file, you don't have passwords in /etc/passwd, so it's being
world-readable doesn't affect security, unless by some weird mechanism
usernames are insecure... unless you run PHP as root, you would have to find
a privilege escalation bug in PHP itself to have this particular security
implication. That's not to say there aren't other security implications, or
that PHP doesn't have such a bug. Lacking much experience with PHP, i'm in no
position to say either way on that one.