
The Perl script

I have a Perl script running on an old Debian 6 server (until I move to a new server) that opens an editable pane in an .shtml file, accepts only Creole markup input from a single user, and writes to two user-editable .shtml files and makes a backup copy of each when saving the edited .shtml file. The .shtml file permissions are 606 or -rw----rw-.

After editing, the non-tech-savvy user has to enter a password to trigger the script, and (in the unlikely event that he'd ever do this) 'script' tags come out in plain text.

Before switching servers these used to run under suEXEC (which I did not set up and don't want to use), but they now need the permissions change to run.

The writable files

The two editable .shtml files are SSI with the virtualHost block set to IncludesNoExec.

There is no .htaccess file in the user's public_html directory, the only other user only ever makes simple HTML edits and has no other knowledge, I manage the scripts in the cgi-bin above the public_html folder, and all files in the user directory are owner/group username.

My questions, taking into account the above:

  1. Is there anything I should beware of if the file permissions are 606/-rw----rw-?
  2. What else could I do to further secure such an old Debian server for now?

I've considered changing the server port from 22 to something much higher, which I've done on another server, but for a couple of sites running on this old one I have no access as yet to their DNS or remote login settings, so it isn't yet an option. Like many people, I'm not really a server admin, but have to maintain things as my co-dev died.

Dave Everitt
  • Why 606? I confess that makes no sense to me. It implies owner and everyone can read and write the file, but tries to exclude people in the same group. Wouldn't you be better off with 661 and having people who can write the file in the group (which should exclude the web user)? – davidgo May 23 '20 at 20:47
  • It is a bit illogical, but I was testing by reducing permissions to the absolute minimum (down from “permissions of the beast” 666). Not sure the script runs without the final (world writable) bit being anything less than 6, and the SSI is set to noexec. But I’ll try and see. 662 might work too. – Dave Everitt May 24 '20 at 07:29
  • To calculate the permissions for each of owner (100's), group (10's) and other (singles) are read (4), write (2) and exec (1) and are added. The web server will only need read, so 4. There is no point in having a 2, as that means can write but can't read. – davidgo May 24 '20 at 08:25
  • it's back to 666. World only needs to write, not execute, and I have 'noexec' on the SSI. My question is more concern about the implications of "world-writable"… on an .shtml file – Dave Everitt May 24 '20 at 11:18
  • You don't want it world writable. – davidgo May 24 '20 at 19:25
  • @davidgo that was my concern, but what exactly are the security issues, given the setup? – Dave Everitt May 24 '20 at 22:40
  • Someone finds a way to write the file and change its contents. This could be done by anyone with an account on the system or if there is something on the web server which can be exploited to overwrite/change the contents of the file. It's not necessarily a large risk. – davidgo May 24 '20 at 23:19
  • @davidgo I know all the people with access, but the old system has vulnerabilities, which is where my concerns lie. In that case, I’m trying to find ways of securing Debian 6, which is a different question, I suppose. – Dave Everitt May 25 '20 at 08:28

1 Answer

The most important questions are:

  • who runs the script?
  • who can modify the script?

From your description it looks like the app is an HTML form and your program is a CGI script. So that script is launched by the HTTP server daemon user when the user clicks on the Submit button.

In case of compromise of this CGI script or another one, you do not want your script to be modified. So the script must be read+exec only by the HTTP daemon user, and the owner of the file must be another user so the daemon user can't change the permission.

The .shtml files must be read+write by the daemon and also not owned by the daemon. The script must never delete them and instead just rewrite their content.

The directories where the script and the .shtml files are stored must not be writable nor owned by the HTTP daemon user.

dolmen
  • Nice clear answer. The "daemon user": would that be "www-data" in the case of a CGI script being executed from a website? I have some scripts that work only when group is www-data and owner is the same as the website user. – Dave Everitt Sep 07 '20 at 10:10
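
The answer's ownership rules, together with the world-writable concern raised in the comments, written as a checker. This is an added example, not part of the original question or answer. It assumes the HTTP daemon is www-data:www-data and is given write access through group membership; the `audit` function and its kind names (script, data, dir) are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post. Assumptions: the HTTP daemon is
# www-data:www-data and reaches writable files through its group.
DAEMON_USER=${DAEMON_USER:-www-data}
DAEMON_GROUP=${DAEMON_GROUP:-www-data}

# audit KIND PATH   (KIND is script, data or dir)
# Prints one line per finding; the exit status is the number of findings.
audit() {
    kind=$1 path=$2 n=0
    line=$(ls -ld -- "$path") || return 99
    set -- $line                      # fields: mode, links, owner, group
    mode=$1 owner=$3 group=$4

    # An owner can always chmod its own file, so the daemon must not own it.
    if [ "$owner" = "$DAEMON_USER" ]; then
        echo "$path: owned by $DAEMON_USER"; n=$((n + 1))
    fi
    # Character 9 of the mode string is the "other" write bit (606, 666).
    case $mode in
        ????????w*) echo "$path: world-writable ($mode)"; n=$((n + 1)) ;;
    esac
    # Character 6 is the group write bit; it only helps the daemon's group.
    daemon_writes=no
    case $mode in
        ?????w*) if [ "$group" = "$DAEMON_GROUP" ]; then daemon_writes=yes; fi ;;
    esac
    case $kind in
        data)       # .shtml files: the daemon must be able to rewrite them
            if [ "$daemon_writes" = no ]; then
                echo "$path: group $DAEMON_GROUP cannot write"; n=$((n + 1))
            fi ;;
        script|dir) # CGI script and directories: the daemon must not write
            if [ "$daemon_writes" = yes ]; then
                echo "$path: writable by group $DAEMON_GROUP"; n=$((n + 1))
            fi ;;
    esac
    return "$n"
}
```

Call it as `audit data`, `audit script` or `audit dir` followed by the path, once for each .shtml file, the CGI script and the directories that hold them.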