[sllug-members]: HTTP Directory Permissions Best Practices

Lamont R. Peterson lamont at gurulabs.com
Wed Sep 20 11:47:33 MDT 2006 

On Wednesday 20 September 2006 10:49am, Andrew Johnson wrote:
> > > My /home directory is chmod 705, which means it's writeable to me,
> > > invisible to anyone else in the "users" group, and readable to Apache.
> > > That's important because obviously Apache needs to be able to access
> > > the files to serve them.
> >
> > Mode 705 is unnecessary and not safe.
>
> What do you mean by "not safe"?  I've never heard of using a mode with
> more permissions on everyone than on group.  I always assumed that if
> the other byte is 7, the user and group bytes don't matter--that
> everyone has access.

No.  There are a couple of odd UNIX variants that actually do behave this way, 
though, I don't recall which ones.  This is what I'll call the "everyone" 
behavior for file permissions.

Every process on a UNIX/Linux system runs as a particular user and group.  
When a process asks the kernel to open a file handle to a file, the kernel 
has to find the right set of permissions to use in order to make the decision 
to allow or deny the requested access.  It does this (I'm only going to cover 
the standard rwx bits here, ignoring attributes and such) by:

1.  Comparing the UID the process is running as to the UID that owns the file 
in question.  If they match, the 3 user (sometimes called "owner") permission 
bits are used and we skip to step 4.  If they do not match, go to step 2.

2.  Comparing the GID the process is running as, plus the list of groups the 
process is holding that the user account belongs to, to the GID that owns the 
file in question.  If they match, the 3 group permission bits are used and we 
skip to step 4.  If they do not match, go to step 3.

3.  Use the 3 other (sometimes called "world") permission bits are used.  Go 
to step 4.

4.  Make the decision with the one set of bits.

That is what I'll call the "other" behavior for file permissions, and is what 
almost all UNIX variants do, along with the BSDs and Linux.

> If a user is a member of a file's group that has 
> no group permissions, but the file has wide open "other" access,
> should the user be able to access the file?

Nope.  Access will be denied.

> A quick check seems to indicate that this does work,

What?  Trying that on a dozen different distributions/versions around here 
shows that that doesn't work.  How did you do your "quick check"?

> but can it be 
> counted on?

Yes, you can count on "other" behavior on Linux and almost all UNIX variants.

> Does it have to be the primary group,

Nope.

> or just any group  
> the user happens to be a member of?

Yes.

However, to answer your first question, 'What do you mean by "not safe"?', I 
will use this simple analogy to illustrate one of the basic security 
principles I'm referring to:

If you have two pathways for getting through security [a], one is high 
security [b] and another low security path [c], which one do you think an 
attacker [d] will use to try to get past your security?  If you said, "The 
low security path," then pat yourself on the back.

[a] Like at an airport.
[b] Like the normal screening process at the airport.
[c] Like the ridiculously flawed ideas TSA and the airlines have for 
a "Trusted Traveler" program; I've written about this in my personal blog at 
[ http://blog.openbrainstem.net/peregrine/ ] if you'd like to read more.
[d] Like a terrorist bent on taking a plane hostage (or worse).

By using mode 705 on your home directory, an attacker is going to try to use 
an account that is going to have "other" access.  I said, "not safe," because 
I'm not willing to make that particular compromise.  Perhaps you are, or 
perhaps Jeff is.  To put it another way:

"There is no such thing as true security."

"There has to be!"

"Nope."

"Well, then what is security all about?  How could there be all the people 
working on security if it isn't real?"

"Security is about managing risk.  If your risk tolerance threshold is lower 
than the current level, you are insecure and will feel insecure once you know 
that this is the case.  It doesn't matter if your risk tolerance threshold is 
higher or lower than mine, either.  I have to decide for myself what I'm 
comfortable with."

Once one understands that concept, it's much easier to understand and 
categorize the various risks and practices.  Many might look at the measures 
that I take and say, "That's just too paranoid for me,"  and that's OK.  But 
I'm still going to do what I need to to keep my risk level below my tolerance 
threshold.

A better approach for Jeff's situation would be to use mode 701 on the home 
directory, as that's all Apache will need.  Just be sure that "public_html" 
(or whatever you call it) has a mode that let's Apache do whatever you want 
(like read-only or read/write).
-- 
Lamont R. Peterson <lamont at gurulabs.com>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]

NOTE:  All messages from this email address should be digitally signed with my
       0xDC0DD409 GPG key. It is available on the pgp.mit.edu keyserver as
       well as other keyservers that sync with MIT's.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://sllug.org/pipermail/sllug-members/attachments/20060920/aaaca495/attachment.pgp

More information about the sllug-members mailing list