Date: Fri, 30 Apr 2004 05:30:15 +0000 From: Mikkel Christensen <mikkel@talkactive.net> To: freebsd-questions@freebsd.org Subject: Re: Suexec with Apache 1.3.29 Message-ID: <200404300530.15942.mikkel@talkactive.net> In-Reply-To: <6.0.0.22.0.20040429160121.136e6220@pop.face2interface.com> References: <200404262126.36157.mikkel@talkactive.net> <200404291954.04559.mikkel@talkactive.net> <6.0.0.22.0.20040429160121.136e6220@pop.face2interface.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thursday 29 April 2004 20:16, you wrote: > At 03:54 PM 4/29/2004, Mikkel Christensen wrote: > > >But lets face it, if you have many users on your webserver some will do so > >occasionally (eg. many users take advantage og fora like PHPBB and PHPNuke > >which stores the database password in cleartext). And when they do you > >will have to deal with the mess as the administrator. > > I don't know those in particular though I've heard of them. Am more a > developer than sysadmin. > > Unfortunately stuff happens. PHP isn't going to run under suexec though so > how is this relevant? Try imagine this setup: You have one user (user A) running PHPNuke with his password stored in cleartext somewhere at his webhotel You have another user (user B) running cgi at his webhotel at the same machine. User A hasn't given his importene files the right permissions. User B can now make a Perl script that reads User A's files and will then gain access to user A's secret password to the database. Lets say that this isn't just PHPNuke but a webshop he made himself. Then the database is more sensitive but just as easy to compromise. Actually this guy made a patch which should run PHP under suexec: http://www.localhost.nl/patches/ I haven't tried it though. > > >Also the problem when running a webserver with many users you don't know > >is to get them to use the right permissions. > > Hmm, people very commonly drive cars which have precise rules for driving, > and rules of the road for driving in community. Yet we don't witness > accidents every hour at every intersection. Why? IMO it's because the > average person has a healthy sense of survival and the intelligence to > learn reasonable care. Of course bad drivers have burdensome insurance > costs to weight against their poor driving records. What > incentive/education do bad hosting customers have? > I don't know how things are going in other countrys but in Denmark everybody must have their own webpage (now by law but most people feel this way). People with little og no knowledge at all are building webpages about their kids, their dog and themselfes. I can't really blame them. They would like to get themself represented on the internet and companys Microsoft makes this easy by providing WYSIWYG editors like frontpage. How should these people know about the underlying rules of permissions of a unix server and other stuff they have never heard of? Since the internet isn't for experts only some should provide a safe sollution for those who don't know about security. I don't know if you should demand the average user to know the difference between windows and unix webservers(and all the other stuff) and how to act properly upon these differences. I gess we are going a little off topic here:) > >All this suexec does no good if the users apply chmod 777 (and trust me > >some do!) to all their files:( > > I'd argue that the web, like driving, isn't for everyone. /It is/ for > everyone willing to learn and apply the rules of the road. People have been > sold the concept that they can get cheap or free hosting, cheap or free web > design (perhaps by a niece or friend's computer genius kid) and make $$ > sitting at home checking their email. This has led to cheap computers with > often horrendous technical support and minimal QA at the factory, > ridiculously simple minded security holes at gazzillions of urls, and a > relatively small percentage of decently made and easy to use sites, with an > even smaller percentage making at least a little bit of money. > Where I live in Denmark people aren't making webpages because they believe they are going to be rich. Most of them simply wants to be represented on the internet. Also people expects that if they have seen a product in a commercial they will be able to seek additional information on the companys homepage. Result is people are afraid of not being searchable on the internet and therefore builds numerous webpages though they might know nothing about how stuff works. And I can understand that. I guess this leeds to trouble in some ways. But again, it should be somehow possible to provide a safe product for these people. Could it somehow be possible to force minimum permissions? Like no levels higher than 744 for instance? - Mikkel
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200404300530.15942.mikkel>