On 14.09.2013 21:42, Matthew J. Roth wrote:
> Reindl Harald wrote:
>>
>> it's not a matter of the distribution set permissions wise and only
>> allow the apache user write access where it is really needed
>>
>> the document root is *not* such a place
>> temp/cache folders of a web-application are
>
> For clarification, can the temp/cache folders be subdirectories of the
> DocumentRoot or should Apache never be able to write any file it could
> potentially serve?

it does not matter at the end of the day

in a perfect world you even have no php includes below the docroot
in most environments it will not be possible to do so for some hundred vhosts

>> in the best case *any* available permission system denies *anything* which is
>> not needed for normal operations and if you need to allow whatever you need
>> to do this for all possible involved subsystems - from security point of view
>> it's easy. if one of the subsystems fails or is configured unsafe like
>> "chmod -R 777" the other one makes this mindless acting less critical
>>
>> in doubt there is not "this or that is better", in doubt you want as much
>> security layers as possible: iptables, mod_security, filesystem perms and
>> as last resort SELinux - they are finally adaptive and depending on whatever
>> a bad guy tries to do on a server different layers may stop him, in the best
>> case the first and finally the last resort
>
> In general, I understand layered security and the principle of least privilege.
> It's just that Tim's statements:
>
> If it's possible for Apache to write to the webspace, because it's foolishly
> owned by the apache user, your system is just ripe for being exploited.

the document root itself is not the real problem

the problem is that a fool gives apache write-permissions to php-scripts and
the smallest security hole after that can place code in your application

well, put bad code in new files inside the document root by the web-application
and send phishing mails to the URL is not that fine

that is why any web-application written with brain has its templates, caches,
temporary files in folders which are the only ones writeable by the webserver
and enforces rules *never ever* deliver anything from these directories to a
browser (.htaccess, <Directory..>) and if possible includes are also in a
separated folder *not* directly accessible by a client, outside the docroot or
access to the folder denied is an implementation detail which does not matter

> and:
>
> For those things that need write access to the files (such as web
> blogging where the author will add to the blog by writing through the
> webserver, or a plethora of other web services), then some other method must
> be used than chowning them to apache.
>
> leave me wondering what that "other method" would be.

the above makes *no sense*

if the question is "apache needs to write" it does not matter if it's owner,
group or everybody-RW access

> In other words, if a "plethora of other web services" require write access to
> the webspace then there must either be commonly used methods to securely provide
> that functionality or a plethora of systems that are "just ripe for being
> exploited". If it's the former, I want to know what those methods are.

put files where the application needs write access in separate folders

if the application needs RW access everywhere throw the broken application away
because broken-by-design is not fixable
Attachment:
signature.asc
Description: OpenPGP digital signature
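The layout the reply describes (read-only DocumentRoot, includes outside the docroot, cache/tmp writable by the web server group but never served, with a `<Directory>` deny as the second layer), as an added example that is not part of the thread. The BASE directory layout, the `example.test` server name, and passing the web server group as a parameter are assumptions for illustration; on a real host the group would be the distribution's apache/www-data group and the deploying user, not the web server, owns the files.

```shell
#!/bin/sh
# Added example, not code from the thread. Hypothetical layout under BASE:
#   BASE/htdocs    DocumentRoot, read-only for the web server
#   BASE/includes  PHP includes, outside the DocumentRoot, read-only
#   BASE/cache     group-writable by the web server, never served
#   BASE/tmp       group-writable by the web server, never served
# Files stay owned by the deploying (non-web) user; the web server group
# gets read everywhere and write only in cache/ and tmp/.
set -eu

# make_layout BASE WEBGROUP : create the directories and set the mode bits
make_layout() {
    base=$1 web_group=$2
    mkdir -p "$base/htdocs" "$base/includes" "$base/cache" "$base/tmp"
    # constructed placeholder files so the permission check has something to inspect
    printf '<?php require __DIR__ . "/../includes/app.php";\n' > "$base/htdocs/index.php"
    printf '<?php // application code lives outside the docroot\n' > "$base/includes/app.php"
    chgrp -R "$web_group" "$base"
    # owner rw, group read (+search on directories), nothing for others,
    # and no group write anywhere ...
    chmod -R u=rwX,g=rX,o= "$base"
    # ... except the two working directories; setgid keeps new files in the group
    chmod 2770 "$base/cache" "$base/tmp"
}

# check_layout BASE : fail if anything served or included is writable by the
# web server group or by others, or if a working directory lost group write
check_layout() {
    base=$1
    bad=$(find "$base/htdocs" "$base/includes" \( -perm -g+w -o -perm -o+w \) -print)
    if [ -n "$bad" ]; then
        printf 'writable by web server group or world:\n%s\n' "$bad" >&2
        return 1
    fi
    for d in "$base/cache" "$base/tmp"; do
        if [ -z "$(find "$d" -prune -perm -g+w)" ]; then
            printf '%s is not group-writable\n' "$d" >&2
            return 1
        fi
    done
    return 0
}

# write_vhost_conf BASE SERVERNAME OUTFILE : Apache 2.4 vhost that serves only
# htdocs and explicitly denies the include and working directories, so a later
# Alias or symlink mistake cannot deliver them to a browser
write_vhost_conf() {
    base=$1 server_name=$2 out=$3
    cat > "$out" <<EOF
<VirtualHost *:80>
    ServerName $server_name
    DocumentRoot $base/htdocs

    <Directory $base/htdocs>
        Options -Indexes -ExecCGI
        AllowOverride None
        Require all granted
    </Directory>

    # writable or include-only areas: never deliver anything from here
    <Directory $base/includes>
        Require all denied
    </Directory>
    <Directory $base/cache>
        Require all denied
    </Directory>
    <Directory $base/tmp>
        Require all denied
    </Directory>
</VirtualHost>
EOF
}

# usage: ./layout.sh demo   (builds a throwaway layout in a temp dir and checks it)
if [ "${1-}" = demo ]; then
    b=$(mktemp -d)
    make_layout "$b" "$(id -gn)"
    check_layout "$b" && echo "layout ok: $b"
    write_vhost_conf "$b" example.test "$b/vhost.conf"
    cat "$b/vhost.conf"
fi
```

`check_layout` is the part worth keeping around: run it from cron or a deploy hook, and a stray `chmod -R 777` or a file chowned to the web server user shows up as a failure instead of staying silent until someone finds the hole.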
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org