0

I have a centos 5.8 VPS which is running mod_php rather than fastcgi which i'm used to on shared hosting, and I've run in to the problem that various bits of php intended to write to files need those files to be world writable. The files that are written are like the database for the website, and the rss xml. This isn't secure, is it? What should I do to make it secure?

Jay
  • 902
  • 2
  • 12
  • 27

2 Answers2

0

Who has access to this machine? In other words, who is "world" in this scenario? If it is only you, then you don't have anything to worry about, do you?

However, if this system is shared with other people, do you trust all of the admins? If you don't, there's very little you can do to protect your files.

If it is other non-admin users on the system that you are worried about, then you do not want to make your database world-writable. If you cannot write to those files, then the process writing to them (mysql, apache, etc) is running as the wrong user. Preferably, you'd want your files to be owned by the same user as those processes are running under - but only if you can trust that user! If you can't, then you're probaby straight out of luck.

Enno
  • 1,736
  • 17
  • 32
  • So world-writable doesn't in any way apply to random people on the internet - they can't modify the contents of a world writable text file for example without being logged in either as a user of the system or something like FTP? That's a great relief! While the hosting company admin would have access it's only the site's user's I'm worried about editing and executing modified data. – Jay May 19 '12 at 00:07
  • 1
    The filesystem concerns itself only with users that have an account on the system that you are hosting on. Random people on the internet (like me!) cannot log in, so they aren't per se your problem. that's unless you have a much bigger problem on that machine, where a process is vulnerable to executing arbitrary code on behalf of whatever user is runnin it. If I can figure out how to gain shell access through a security bug in PHP or anything else, then I can make that do anything I want, especially to world-writable files. But the way to avoid that is to not run unpatched old software. – Enno May 19 '12 at 22:40
0

Is this "database" files plain-text or in tags? If they are plain-text, anyone can read them by just pointing to them. This is information exposure at least.

I don't know the code and the design of the application, but in same cases could cause other problems.

Adam Fili
  • 463
  • 2
  • 9
  • There are three types of files I'm worried about, php scripts, an rss formatted xml file and a plain text file - just trying to make sure world-writable doesn't mean anyone on the internet can edit the files or upload files to world writable directories for instance. – Jay May 19 '12 at 17:21
  • You don't have to afraid for that, except if there is a bug, -an unexpected feature- in the php scripts. – Adam Fili May 19 '12 at 17:25