| Posted by MALdito, 12-10-2009, 05:58 PM | | I ve been researching this topic for some time now, and I think I'm more confused now than before. Here is the premise:
A LAMP server running only ONE site. Site uses Joomla with some addons.
The question is, should I run:
a- Everything owned by apache and therefore permissions in dirs and files are not set world writeable.
b- Everything owned by the user and permissions set to world writeable (where needed: cache, images, etc).
I would appreciate any comments on this subject.
|
| Posted by -Edward-, 12-10-2009, 06:41 PM | | I'd recommend you go down the route of files owned by the user, much easier for finding exploits/rogue scripts/etc
|
| Posted by ldougherty, 12-10-2009, 07:25 PM | | Since Joomla is a PHP script this means anything uploaded via Joomla will be written to the server as the user Joomla runs under.
This is why people suggest SuPHP so PHP can run as the user rather than as Apache. Say for example your user:group is bob:bob and the direct is owned as bob:bob then Joomla running PHP as Apache tries to write. It will fail because the directory is owned by bob:bob; not apache. This is why you set PHP to run as bob so it can write to the same directory.
Hope that makes more sense.
|
| Posted by foobic, 12-10-2009, 07:40 PM | | So you've already decided to run PHP as an Apache module, not suexec? With only one user / site that would be my preference because you can restrict access to a smaller set of files. Suexec is no protection when you're the only user - quite the opposite in fact, since it gives attackers access to the entire user account.
Of your choices, b is better because only the essential locations are writable by apache. World-writable isn't really an issue since the "world" is just your one site, but if you're uncomfortable with that then a third option would be to have most of the web files owned by user and just images, cache etc. owned by apache.
Also make sure you disable PHP and CGI execution in those writeable directories - lots of exploits start by uploading scripts, eg. disguised as images.
|
| Posted by MALdito, 12-11-2009, 12:51 AM | | Thanks all, for the replies.
ldougherty: Yes, as foobic said, with just one user, running suphp would be an overkill.
foobic: thanks for the 3rd option, didnt saw it at first. By the way, care to share an example of "disable PHP and CGI execution in those writeable directories" ... chmod? htaccess? php.ini?
|
| Posted by foobic, 12-11-2009, 01:07 AM | | In httpd.conf or one of the included config files. You can be more specific about the directories if you need to:
I don't normally worry about cgi because I only allow it in specified directories anyway but if your system allows it anywhere (cPanel) then adding "Options -ExecCGI" should block it.
|
| Posted by MALdito, 12-11-2009, 12:47 PM | | Perhaps I'm making a newbie mistake, but if you refer to executables other than php (perl I guess), I don't have any of those.
Making explicit which dirs and files should be executeable would be krazy in a joomla site, right?
|
| Posted by RSanders, 12-11-2009, 01:31 PM | | c- Everything owned by the user and permissions in dirs and files are not set world writeable. apache runs as the user.
d- Everything owned by the user and permissions in dirs and files are not set world writeable. umask for the user and apache adjusted to 002 and they are grouped.
Thanks,
Rob
|
| Posted by foobic, 12-11-2009, 08:48 PM | | CGI allows you to run any executable scripts (perl and bash would be most common) through the webserver. If you're not using these just disable cgi altogether so any attacker can't upload and run their own.
Last edited by foobic; 12-11-2009 at 08:51 PM.
Reason: clarity
|
|
 Add to Favourites
 Print this Article
|
