Re: installiing joomla

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




Am 14.09.2013 21:42, schrieb Matthew J. Roth:
> Reindl Harald wrote:
>>
>> it's not a matter of the distribution set permissions wise and only
>> allow the apache user write access where it is really needed
>>
>> teh document root is *not* such a place
>> temp/cache folders of a web-application are
> 
> For clarification, can the temp/cache folders be subdirectories of the
> DocumentRoot or should Apache never be able to write any file it could
> potentially serve?

it does not matter at the end of the day

in a perfect world you even have no phpincludes below the docroot
in most environments it will not be possible to do sou for some
hundret vhosts

>> in the best case *any* available permission system denies *anything* which is
>> not needed for normal operations and if you need to allow whatever you need
>> to do this for all possible involved subsystems - from security point of view
>> it's easy. if one of the subsystems fails or is configuerd unsafe like
>> "chmod -R 777" the other one makes this mindless acting less critical
>>
>> in doubt there is not "this or that is better", in doubt you want as much
>> security layers as possible: iptables, mod_security, filesystem perms and
>> as last resort SELInux - they are finally adaptive and depending on whatever
>> a bad guy try to do on a server different layers may stop him, in the best
>> case the first and finally the last ressort
> 
> In general, I understand layered security and the principle of least privilege.
> It's just that Tim's statements:
> 
>   If it's possible for Apache to write to the webspace, because it's foolishly
>   owned by the apache user, your system is just ripe for being exploited.

the document root itself is not the real problem

the problem is that a fool gives apache write-permissions to php-scripts
and the smallest security hole after that can place code in your application

well, put bad code in new files inside the document root by the
wep-application and send phishing mails to the URL is not that fine

that is why any web-application written with brain has it's templates,
caches, temporary files in folders which are the only writeable by the
webserver and enforces rules *never ever* deliver anything from
these directories to a borwser (.htaccess, <Directory..>)

and if possible includes are also in a seperated folder *not* directly
accessable by a client, outside the docroot or access to the folder denied
is a implementation detail which does not matter

> and:
> 
>   For those things that need write access to the files (such as web
>   blogging where the author will add to the blog by writing through the
>   webserver, or a plethora of other web services), then some other method must
>   be used than chowning them to apache.
> 
> leave me wondering what that "other method" would be.

the above makes *no sense*

if the question is "apache needs to write" it doe not matter
if it's owner, group or everybody-RW access

> In other words, if a "plethora of other web services" require write access to
> the webspace then there must either be commonly used methods to securely provide
> that functionality or a plethora of systems that are "just ripe for being
> exploited".  If it's the former, I want to know what those methods are.

put files where the application needs write access in seperate folders
if the application needs RW access everywhere throw the broken application
away because broken-by-design is not fixable

Attachment: signature.asc
Description: OpenPGP digital signature

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux