[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: /home/loser is with permissions 755, default umask 0022

On 07.10.2020 12:39, Georgi Guninski wrote:
/home/loser is with permissions 755, default umask 0022

on multiuser machines this sucks much.

on a multiuser debian mirror we found a lot of data,
including the wordpress password of the admin.

Welcome to user webpage nightmare.

How would you solve it?

Webserver requires to have access to Wordpress admin password, so either such file is readable by external users (group doesn't work, because all users are in the same groups), or you give all your users a permission to set the webfiles as server group (but because all users have this, it may be easy to break the walls).

You may be smarter with group and permissions, but it is very tricky. Or a random generated URL, e.g. (www-xbjX72naFl832bYz332 [this is not random, just an idea])

So there is not easy way. There is/was suphp, which execute the PHP code as the user, so you can remove the "Other can read" permission, or just as common for other languages: setup a proxy, so your code is executed only by you, and you send the result to webserver (but this is also tricky, if you have non-trusted users: one may crash your server, or just wait the restart, and take over the port. [Note: you can filter owner with firewall]).

So as you see, this is tricky and error prone. Now it is better to use virtual machines. But i can confirm that many sites are handled wrongly ("it is just for few personal webpages", then they added shop, company sites, etc.).

So you found an error on a machine: tell the administrator to solve it.

But you listed an other problem: a debian mirror with a lot of user data, and wordpress.

If it is an official Debian mirror, you may need to contact our DSA, so that they will contact mirror administrator and help to configure the mirror properly. We do not run PHP or any other language, on our mirrors, so our mirror files should be fine, but an insecure official server is still a problem.


Reply to: