File permissions with PHP & Apache on a unix system

whitecow

Guest
What if


User A has a php/mysql script which will include() a db.php containing connection details of the mysql server.

User B is able to browse User A's home directory and public_html, even having access to read db.php and acquire the logon details.


Since apache ( afaik ) requires public execute permission on ~/ and ~/public_html/ plus public read permission on ALL accessible files, how can one stop or limit this kind of abuse, and how do public access and shell providers deal with this problem? Perhaps I should just ask them :/

The only thing I can think of is symlinking ~/public_html/ to /usr/local/www/XXXXX but as I'm not sure how symlink works I'd prefer not to do anything until I'm at least 40% sure :)

thanks in advance blah blah blah


isuck moos !
 
Tempy_Incursion

Guest
When you posted this, were you referring to BW hosting? As directory indexing is disabled by default on the hosting server, unless you know the page name (db.php) (which is unlikely if you're the average visitor) you wouldn't be able to access the information through a browser. As for other Apache servers, I'm not sure as I only use mine for hosting and testing my website stuff.

Maybe Jonty could give a better answer........:)
 
whitecow

Guest
barrysworld run unix for the hosting ? yay for them :)

Nah, it's a private system.

Besides, I provide source for all my scripts except for the database vars which are included through php, as you do...

In which case anyone would be able to see that db.php is being included.


speedy response btw :D
 
Tempy_Incursion

Guest
Ah well in that case I see your prob but not quite sure how to solve it. You could perhaps provide the source at a different location with a dummy db.php include which would be used just for the purposes of the source while including a small description of what should be in the real db.php. :(
 
whitecow

Guest
the problem isn't displaying the source on a site, it's any other users on the box being able to browse the ~/public_html/ and reading it anyway using their shell account.

kinda sucks, I see no obvious way around it yet it's such an obvious problem while no one seems to worry about it :/

thanks muchly for your insights !
 
Tempy_Incursion

Guest
Well I agree it must be a bloody pain but there's no easy workaround. :( Oh well, suggestions anyone? :)

One thing, what do you mean by a Shell Account? And which version of Apache is the server running?
 
Testin da Cable

Guest
as far as I know there is no need for your homedir to be world readable. chmod your dir to octal mode 700 and relax dude :)

I seem to recall apache accessing public_html [or whatever your admin has chosen to call the user's personal webspace] via some tricksy magic stuff.

check it, or I can check it for you and tell you about it. I'll be home in six hours or so heh ;)
 
Jonty

Guest
Hmm ...

Hi whitecow

The best thing to do is just to ask the people who provide your webspace how to properly secure your files and directories from prying eyes; since on BW, the situation you have described is just not possible unless User B has FTP access to your account and can thus download the source directly.

Naturally, if you have a BW account, you could simply shift your db.php (perhaps rename the file to something a little more discreet?) across and alter your links, thus allowing you to sleep safer at night knowing your data is protected. This way, even if someone does view your source and follow the link back to BW, there is no way they could access the settings contained within.

Just out of interest, is your project hosted on SourceForge by any chance? Only the details you give seem to suggest such an operation. If so, you should be assured that the vast majority of people over there have no malicious intent; and I'm sure you know just how many thousands of directories you have to navigate through in your SSH client just to find your site, right? Well, it's pretty unlikely anyone is going to randomly target people, so I don't think you have much to worry about.

Anyway, in conclusion, either contact the people providing your webspace or simply shift your db.php file to BW or an equivalently secure host.

Kind Regards
 
Shocko

Guest
Well, with ftp there's no problem... I think the server makes your starting point appear as the root dir, so dirs above it just don't exist as far as it's concerned.

Using http, there would be nothing to gain by looking at others' files. For instance I can access someone else's site using http://hosted.barrysworld.net/b2h/../<their site name>/
However, the result is no different to if I was accessing it directly. Of course, the issue exists with php... The script I use to list dirs (on my own site) doesn't seem to be able to access anything above my top dir. I can only assume that apache prevents php from accessing stuff above a certain dir...
 
whitecow

Guest
Again, the pages are on a local FreeBSD box not Barrysworld. I'm more concerned with local shell users than web browsers.

I think anyone who admins *nix machines would agree that running Apache as root ( or as part of the users group ) tends to be a bad idea.
The only other alternative I've seen is to run it as the 'www' user or 'apache'

Because Apache runs as a separate user on most unix systems ( 'www' on mine ) it requires a user's home dir to be publicly executable, along with the public_html dir being executable and readable publicly too...

Like I said, I prefer the source to be mostly viewable, although this makes little difference in security ( only certain files are viewable ) unless of course for any exploits that may come of it.

Besides that, anyone with an account on the same machine as me will be able to read the actual php source of ANY file in my home dir that apache can read from ( remember, it needs public access ). And from my example, they would be able to view my mysql username & password at ease.

Unless I'm missing something completely, I'm very interested to know how companies who provide ssh access with web hosting accounts deal with this problem etc..

I've sent a few emails to such companies, anything of interest will be posted here..

Nice post btw Jonty
 
Testin da Cable

Guest
a default apache starts out as root mate. it drops privileges to the user you've defined in httpd.conf as soon as the parent server is running. You can get it to run entirely without root but you'll have to have it listen on a port that is higher than 1024 [8080 or so heh]
I'll have a wee look as soon as I get home tonight. I have issues with your statement regarding the world-readability of apache-accessible directories.
I'll let you know...
 
whitecow

Guest
yes, apache does initially run as root then switches to 'www' as defined in my httpd.conf but it still requires the public privileges I've stated in this thread.
 
whitecow

Guest
It's easy when you're told how...

Just off IRC after speaking with one of the admins from http://www.speedfusion.net/ about my little apache issue.

He explained to me how he manages the problem by placing all the /home users into a 'users' group.

When a user attempts to access any file, first his user permissions are checked, then the group permissions, then finally public permissions in that order. You'll probably see where I'm going with this...

While leaving apache in its own group 'www', chmod any web files to 705.

Since the group permissions are checked before public ones, any user in the 'users' group will NOT have ANY access.

However, because apache is still running in its own group 'www' it will use the public permissions and will be able to read the file.


Having read back on what I just wrote it could be laid out better, but I still hope it is of some use to others.

Switching groups about is a bit of a bitch though :(
- cheers
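
Added example, not part of any post in this thread: a Python model of the owner, then group, then other check described in the last post, plus an audit that lists paths under a web directory which members of the shared group could still read. The function names, uids and gids are constructed for illustration; root's bypass and ACLs are not modelled, and the audit assumes local users belong to the shared group only.

```python
import os
import stat
import sys

R, W, X = 4, 2, 1  # bits inside one rwx triplet

def permission_class(st_uid, st_gid, proc_uid, proc_gids):
    """Select the single triplet that applies: first match wins, no fall-through."""
    if proc_uid == st_uid:
        return "owner"
    if st_gid in proc_gids:
        return "group"
    return "other"

def allowed(mode, st_uid, st_gid, proc_uid, proc_gids, want):
    """True if a non-root process is granted every bit in `want`."""
    cls = permission_class(st_uid, st_gid, proc_uid, proc_gids)
    shift = {"owner": 6, "group": 3, "other": 0}[cls]
    return ((mode >> shift) & 7 & want) == want

def audit(root, shared_gid):
    """Return paths under `root` that members of `shared_gid` can read.

    If the path's group is the shared group, the group read bit decides.
    Otherwise members fall through to 'other', so the other read bit decides
    (this is the case the 705 scheme misses when the file group is wrong).
    """
    leaks = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not used for access
            bit = stat.S_IRGRP if st.st_gid == shared_gid else stat.S_IROTH
            if st.st_mode & bit:
                leaks.append(path)
    return sorted(leaks)

if __name__ == "__main__":
    # Constructed ids: alice (1001) owns the file, group users (100);
    # bob (1002) is in users; www (80) is only in its own group.
    for who, uid, gids in (("bob", 1002, {100}), ("www", 80, {80})):
        print(who, "can read a 0705 file:", allowed(0o705, 1001, 100, uid, gids, R))
    if len(sys.argv) == 3:  # usage: script.py <dir> <numeric gid of shared group>
        print("\n".join(audit(sys.argv[1], int(sys.argv[2]))))
```

The scheme depends on each web file's group actually being the shared group: a 0705 file whose group is the owner's private group is readable by every other local user through the "other" bits.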
 
