Stop Execution of Dynamic Files with less than X Perms
- Thread starter NC-Designs
- Start date
please be more specific about the issue, so that we can reproduce it at our lab.
When a customer uploads a file, for example this.php firstly it does not even have to be chown'd to the user to work. So for example, the user can run a file under their directory that has root:root user preferences.
Secondly, I have found that a user can often still execute a php file even when the permissions are set to 0700 (chmod)
did tests on our lab. in php suExec mode, lsphp5 run as user's username, if the php script is readable by this user, then it'll be executed.
for example,
it's owned by root, but readable by other users. so this script can be read by lsphp5 and executed. assume this script is under /home/john/public_html(so lsphp5 running as "john")
for example,
#ls -l a.php
-rw----r-- 1 root root 61 Aug 9 12:17 a.php
-rw----r-- 1 root root 61 Aug 9 12:17 a.php
did tests on our lab. in php suExec mode, lsphp5 run as user's username, if the php script is readable by this user, then it'll be executed.
for example,
it's owned by root, but readable by other users. so this script can be read by lsphp5 and executed. assume this script is under /home/john/public_html(so lsphp5 running as "john")
for example,
it's owned by root, but readable by other users. so this script can be read by lsphp5 and executed. assume this script is under /home/john/public_html(so lsphp5 running as "john")
as long as the file owned by root is readable by a user, that user can view the content of the file, it is standard Linux/Unix File System permission.
Someone got hold of it's location and executed it repeatedly flooding his customers with thousands of emails.
What about when permissions are 700? The remote user can still access and execute the content?
for example,
#ls -l a.php
-rwx------ 1 user1 user1 61 Aug 9 12:17 a.php
-rwx------ 1 user1 user1 61 Aug 9 12:17 a.php
however, only user1 can access and execute a.php, but user2 etc can't.
Now if someone on the internet requests the test.php even with permissions 700, it still executes.
assume the url is domain.com/test.php, and php suExec enabled.
and under user "filetest"'s document root: /home/filetest/public_html
when anyone in the internet access domain.com/test.php
lsphp5 will run as user "filetest", pick up test.php and execute it.
this is normal -- "filetest" is the owner of test.php
Okay, thanks. Although I think in future updates of LiteSpeed maybe this should be secured? Similar to your static file permission setup you have there should be one for dynamic files. When it is running as 700, only the owner should be able to run it (For example in cronjobs) but not global users simply visiting the site.
After looking into this further, LiteSpeed has many differences to Apache with suPHP that I believe Litespeed should adopt. suPHP is known for it's security and so should Litespeed.
Firstly, LiteSpeed should support mod_sec better.
Secondly, the user requesting the file (The one visiting the site) should be nobody completely regardless of whether suExec is enabled or not. The user requesting should be nobody and the owner should be the username. This way, should the user set their file permissions to not be readable by others (For example 700), it cannot be executed. Can the second change at least please be implemented? It reduces the overall security of a shared server by miles.
Firstly, LiteSpeed should support mod_sec better.
Secondly, the user requesting the file (The one visiting the site) should be nobody completely regardless of whether suExec is enabled or not. The user requesting should be nobody and the owner should be the username. This way, should the user set their file permissions to not be readable by others (For example 700), it cannot be executed. Can the second change at least please be implemented? It reduces the overall security of a shared server by miles.
Last edited: