The FastCGI Caveat: Web Server Secrets, Part 7
Many servers run their PHP and CGI scripts precisely as I describe above. That is, you and your script are two entirely different persons, so far as file ownership is concerned.
But… what if your script pretended to be you? Wouldn’t that simplify things? Of course it would. Never again do you have to worry about those subtleties of file ownership. What’s yours is yours, and what’s the script’s is yours too.
But… how does the script become you? That’s a very tricky thing to do in Unix or Linux. What’s important here, is for you to know when this is happening. Why is it important? Because it makes such a tremendous difference to how you set up your file permissions.
Okay, so you need to know if your scripts become you, or not. How do you find out? That’s easy – you ask your server admin. What’s difficult, is knowing what question to ask. There is no single correct question to ask! Like I said, this is a tricky issue in Unix and Linux, and therefore truly cool.
Ask Your Server Admin
Try asking the question this way: If I upload a file for my PHP or CGI script to edit, does the file need to have 644 permission, or 666 permission? Unfortunately, your admin might miss the point of the question. So, at the same time, ask this second question: If my CGI script creates a file, is that file owned by my ftp user id, or is it owned by the Apache server’s user id? If your admin has no idea what you’re asking, consider that a clue.
This bit of trickiness has a number of different names in Unix and Linux; the most common are SuExec and CGIWrapper. For PHP scripts, this is an option of FastCGI. All of these mean that your PHP or CGI script pretends to be you. Read more…
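Why the admin's answer changes your permissions, as an added example (not code from the original series): a small model of how Unix picks the one permission digit that applies to a script's process. The uids, gids and function names are constructed for illustration, and root's bypass of permission checks is ignored.

```python
from dataclasses import dataclass

W, X = 2, 1  # write and execute bit values inside one rwx triplet

@dataclass(frozen=True)
class Entry:
    owner_uid: int
    group_gid: int
    mode: int  # three-digit permission, e.g. 0o644

def applicable_bits(entry, uid, gids):
    """Return the one rwx triplet checked for a process (root bypass ignored)."""
    if uid == entry.owner_uid:
        return (entry.mode >> 6) & 7   # owner digit, even if "other" grants more
    if entry.group_gid in gids:
        return (entry.mode >> 3) & 7   # group digit
    return entry.mode & 7              # other digit

def can_update(entry, uid, gids):
    """True if the process may rewrite an existing file."""
    return bool(applicable_bits(entry, uid, gids) & W)

def can_create_in(directory, uid, gids):
    """Creating or deleting a file needs both w and x on the directory."""
    return (applicable_bits(directory, uid, gids) & (W | X)) == (W | X)

def least_mode_for_update(owner_uid, group_gid, uid, gids,
                          candidates=(0o644, 0o666)):
    """First candidate mode that lets the script update the file, else None."""
    for mode in candidates:
        if can_update(Entry(owner_uid, group_gid, mode), uid, gids):
            return mode
    return None

# Constructed sample ids: your ftp account and the web server's account.
YOU, YOUR_GID = 1001, 100
APACHE, APACHE_GID = 33, 33

if __name__ == "__main__":
    for label, uid, gid in (("script runs as Apache", APACHE, APACHE_GID),
                            ("script runs as you", YOU, YOUR_GID)):
        mode = least_mode_for_update(YOU, YOUR_GID, uid, {gid})
        print(f"{label}: uploaded data file needs {mode:o}")
```

When the script's uid matches the file owner, only the owner digit is consulted, which is why 644 is enough under SuExec or FastCGI and 666 is needed otherwise.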
Categories: Web Site Security Tags: apache security, linux file permissions, linux security, unix file permissions, unix security, web site security
The Main Event: Web Server Secrets, Part 6
Let’s look back at the important points before we proceed to the main event. You’d be amazed at how many server admins don’t really understand the stuff you’re wading through here!
Interlude
For a PHP or CGI script to find, create, delete, or move files, the script needs suitable directory permission. This usually means that if the script is doing stuff in the directory, the directory permission needs to be set to 777. If stuff is mysteriously failing to happen, make sure the directory is where the script thinks it is, and that it’s set to 777.
For a CGI script to be treated as a script, the script itself needs execute permission, i.e., 755.
If a file needs to be updated (e.g., a data file), the file must be owned by the script, or have 666 permission. If a file needs to be created, it’s the directory which must have 777 permission. If the script creates the file, the script owns the file, so the actual file permission won’t be an issue (until we hit the main event!).
If you need to make all of your files and directories script-accessible, log into your server via telnet or ssh, and execute the following command: Read more…
The Problem of Script-Generated Files: Web Server Secrets, Part 5
Until now, everything works exactly as you’d expect. You create and upload your files; surfers surf them; all is well. Until, that is, you install a PHP or CGI script.
Still the Shared Departmental Thinking
Again, you need to think of your server as a shared departmental computer. Do you want your colleagues to be able to trash your files any time they have a mind to? Of course not. What about the ones who are not your colleagues? Do you want to allow anyone who has an account on that computer, to edit your personal files? Probably not.
On today’s servers, this might sound silly. Especially on a dedicated virtual server, where the only person there is you. On a shared server, security is tight. Most people are limited to ftp access, and they wouldn’t know how to find your files if they wanted to.
What’s important is the mind set. If you think like the departments did a generation ago, you’ll see what I’m getting at. Do you want the world at large to be able to overwrite your files?
Yes, actually, you do! Read more…
Apache Server Account: Web Server Secrets, Part 4
Each file or directory, then, has three permissions (rwx) each, for the file owner (user), group, and others. That’s why a Unix or Linux directory listing shows three sets of permissions:
- drwxrwxrwx for a directory, and
- -rwxrwxrwx for a plain file.
```
drwxr-xr-x 4 genealogist users 4096 Mar 30 19:24 .
drwx------ 5 genealogist users 4096 Mar 30 19:20 ..
drwx--x--x 2 genealogist users 4096 Mar 30 19:23 cgi-bin
-rw-r--r-- 1 genealogist users    8 Mar 30 19:21 .htaccess
-rw-r--r-- 1 genealogist users  747 Mar 30 19:21 index.html
-rw-r--r-- 1 genealogist users   32 Mar 30 19:23 main.html
drwxrwxrwx 2 genealogist users 4096 Mar 30 19:24 members
```
Three Digits
Unix is all about abbreviations. Vowels are never used when something unpronounceable will do. The first letter will often be used in lieu of the entire word. cp stands for copy, od stands for octal dump (but is what you use for hex dump as well), yes stands for you’re going to be sorry you asked. Read more…
File Permissions: Web Server Secrets, Part 3
This does not come anywhere close to being a complete explanation of Unix/Linux file permissions. We are only covering the basics you need to deal with your server!
Directory and rwx Permissions
Unix/Linux file permissions are Read, Write, and Execute, abbreviated r, w, and x. The lack of a certain type of permission is shown with a dash. So, rwx means read, write and execute permission, and rw- means read and write permission but not execute.
“Directory” means the same thing as “folder.” However, with Unix and Linux they’re always called directories. How do you know if it’s a directory or an ordinary file? On the file listing, there will be a d in the left margin just before the file permissions list. In the below example, I highlighted the directory lines. The first three items are directories, and the last item is a directory. A dash means it’s a plain file. Anything other than d or - means your ftp program might get confused.
```
drwxr-xr-x 4 genealogist users 4096 Mar 30 19:24 .
drwx------ 5 genealogist users 4096 Mar 30 19:20 ..
drwx--x--x 2 genealogist users 4096 Mar 30 19:23 cgi-bin
-rw-r--r-- 1 genealogist users    8 Mar 30 19:21 .htaccess
-rw-r--r-- 1 genealogist users  747 Mar 30 19:21 index.html
-rw-r--r-- 1 genealogist users   32 Mar 30 19:23 main.html
drwxrwxrwx 2 genealogist users 4096 Mar 30 19:24 members
```
Unix and Linux directory permissions look the same as file permissions, but they are not the same! Directories have r, w, and x permission just like files… but r, w, and x don’t mean the same thing! Unfortunately, this means we need to look at r, w, and x one item at a time. Read more…
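To tie the listing shown in Parts 3 and 4 to the three-digit form used elsewhere in this series (644, 755, 777), here is an added example, not part of the original articles, that parses the listing and flags entries writable by everyone. Function names are illustrative; special flags such as setuid or sticky bits are rejected rather than decoded.

```python
# Listing copied from the page; everything else is added for illustration.
LISTING = """\
drwxr-xr-x 4 genealogist users 4096 Mar 30 19:24 .
drwx------ 5 genealogist users 4096 Mar 30 19:20 ..
drwx--x--x 2 genealogist users 4096 Mar 30 19:23 cgi-bin
-rw-r--r-- 1 genealogist users 8 Mar 30 19:21 .htaccess
-rw-r--r-- 1 genealogist users 747 Mar 30 19:21 index.html
-rw-r--r-- 1 genealogist users 32 Mar 30 19:23 main.html
drwxrwxrwx 2 genealogist users 4096 Mar 30 19:24 members
"""

def mode_to_octal(perms):
    """Convert nine rwx characters to three digits: 'rw-r--r--' -> '644'."""
    if len(perms) != 9:
        raise ValueError(f"expected 9 permission characters, got {perms!r}")
    digits = []
    for start in range(0, 9, 3):           # user, group, others
        value = 0
        for ch, flag, weight in zip(perms[start:start + 3], "rwx", (4, 2, 1)):
            if ch == flag:
                value += weight
            elif ch != "-":
                raise ValueError(f"unsupported permission flag {ch!r}")
        digits.append(str(value))
    return "".join(digits)

def parse_line(line):
    """Split one ls -l line; the name is the ninth field and may hold spaces."""
    fields = line.split(None, 8)
    if len(fields) != 9:
        raise ValueError(f"not an ls -l line: {line!r}")
    mode, name = fields[0], fields[8]
    kind = {"d": "directory", "-": "file"}.get(mode[0], "other")
    return {"name": name, "kind": kind, "owner": fields[2],
            "group": fields[3], "octal": mode_to_octal(mode[1:10])}

def world_writable(listing):
    """Names whose 'others' digit includes the write bit (2)."""
    entries = (parse_line(line) for line in listing.splitlines())
    return [e["name"] for e in entries if int(e["octal"][2]) & 2]

if __name__ == "__main__":
    for line in LISTING.splitlines():
        e = parse_line(line)
        print(f'{e["octal"]}  {e["kind"]:<9}  {e["name"]}')
    print("writable by everyone:", world_writable(LISTING))
```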
File Ownership: Web Server Secrets, Part 2
Let’s start with perhaps the trickiest concept of all – file ownership.
I’m sure you’re too young to recall this, but back in the mid 20th century, there was something known as a typewriter. A typewriter typically had one owner – that is, any specific typewriter was only used by one person.
In the same way, your laptop or desktop computer is probably a single-user machine. You don’t need to worry about working around or interfering with somebody else’s files. You might worry about people snooping, but that’s a different issue. Generally speaking, each person has his or her own personal computer.
Departmental Computing
There was, of course, a gap between everyone (or everyone’s secretary) having a typewriter, and everyone having their own personal computer. We had computers, but they were shared. On a small to medium scale, we had departmental computers. Each person had their own account. Same computer, different accounts, just like your local bank. That’s how we kept things separate.
That’s when Unix came to be. Unix evolved on medium-sized computers, in universities and research laboratories. Same computer, different accounts. Therefore, the idea of ownership became extremely important. Every file, every transaction is owned by somebody, and who that somebody is, makes a difference as to how that transaction is handled. Later, when Linux came along, Linux took on precisely the same concepts of file ownership. Read more…
Web Server Secrets, Part 1: About This Series of Articles
I wrote this series under the title Server Secrets more than a decade ago. I wrote this article as a means of gaining credibility while investigating groups of pay site hackers. I published my results as How to Hack a Pay Site and I Can Hack You.
By the time my articles were published, I was “sysadmin” for various hackers’ boards, and amongst at least one “elite” circle. When my investigations were published, I was thrown out of everywhere, of course, though one hacker in Denmark wrote to tell me he’d been laughing for days. He was very impressed!
Internet Billing Companies Learned
Two internet billing companies did change their software as a result of my published investigations and techniques. Read more…