
Mailing List Archive: Apache: Users

Apache Security Problem


andre.huebner at gmx

May 14, 2008, 7:31 AM

Post #1 of 6
Apache Security Problem

Hi List,

System: Suse 10.1, Apache 2.2.8

It seems that I have a security problem with script-created symlinks.

I have a little PHP script that creates, with symlink();, a symbolic link to
another file of another user.
When starting this script as non-root using php-cli, it is successful only if
chmod of the target file is high enough (world-readable) that I can view files.
Now the problem: the content of the symlinked file is visible when viewing by
HTTP request http://example.com/linkname

Background is that I provide the PHP module as well as php-cgi. Home folders of
users are chowned to user.nogroup to grant reading for apachegroup. chmod of
every home is 750; this stops normal reading with fopen etc. Files within the
user home are chowned to user.user and there should be a world-readable flag
for apache. But this makes files readable when symlinked.

I think I cannot stop the creation of "dead" symlinks by any scripting language.
I could set Option +SymLinksIfOwnerMatch, but I grant AllowOverride All in
httpd.conf and I had to deactivate the whole Option group.
Just activating SymLinksIfOwnerMatch with no chance for users to deactivate it
should be the best in my case.
Someone with know-how on this issue? Or are there other ways to ensure
security?

Thanks Andre







---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe[at]httpd.apache.org
To unsubscribe from the digest, e-mail: users-digest-unsubscribe[at]httpd.apache.org
For additional commands, e-mail: users-help[at]httpd.apache.org


joshua at slive

May 14, 2008, 12:41 PM

Post #2 of 6
Re: Apache Security Problem [In reply to]

On Wed, May 14, 2008 at 10:31 AM, Andre Hübner <andre.huebner[at]gmx.de> wrote:
> Hi List,
>
> System: Suse 10.1, Apache 2.2.8
>
> It seems that I have a security problem with script-created symlinks.
>
> I have a little PHP script that creates, with symlink();, a symbolic link to
> another file of another user.
> When starting this script as non-root using php-cli, it is successful only if
> chmod of the target file is high enough (world-readable) that I can view files.
> Now the problem: the content of the symlinked file is visible when viewing by
> HTTP request http://example.com/linkname
>
> Background is that I provide the PHP module as well as php-cgi. Home folders of
> users are chowned to user.nogroup to grant reading for apachegroup. chmod of
> every home is 750; this stops normal reading with fopen etc. Files within the
> user home are chowned to user.user and there should be a world-readable flag
> for apache. But this makes files readable when symlinked.
>
> I think I cannot stop the creation of "dead" symlinks by any scripting language.
> I could set Option +SymLinksIfOwnerMatch, but I grant AllowOverride All in
> httpd.conf and I had to deactivate the whole Option group.
> Just activating SymLinksIfOwnerMatch with no chance for users to deactivate it
> should be the best in my case.
> Someone with know-how on this issue? Or are there other ways to ensure
> security?

I'm a little confused by exactly what problem you are trying to solve.
Am I right that you could do exactly the same thing by just having
your CGI script copy the relevant file into the webspace rather than
using a symlink?

If so, then this is just the standard issue with privilege separation
that is discussed here:
http://wiki.apache.org/httpd/PrivilegeSeparation

Joshua.



andre.huebner at gmx

May 15, 2008, 12:36 AM

Post #3 of 6
Re: Apache Security Problem [In reply to]

Hi,

> I'm a little confused by exactly what problem you are trying to solve.
> Am I right that you could do exactly the same thing by just having
> your CGI script copy the relevant file into the webspace rather than
> using a symlink?
>
> If so, then this is just the standard issue with privilege separation
> that is discussed here:
> http://wiki.apache.org/httpd/PrivilegeSeparation
>
> Joshua.

Sorry, I think I did not verbalize clearly enough. ;)
The essence is the following: the way of creating a symlink is irrelevant. In
most cases this is a script, but a symlink is also creatable by just unpacking
an archive with symlinks that point to other users' files.
Symlinks are very flexible and can even point to themselves. A symbolic link in
the filesystem is always created, even if the target has too few permissions or
is nonexistent. In these cases the link is just dead for the cgi-user that
created it. But the link is not dead for the apache user. If we think that the
other file is readable for apache because it is part of a website, then apache
serves the content of the other user's file. Apache seems in this case just to
check if source and target of the symlink are readable for the apache user and
serves the file if so. I can decrease the chmod of the target file, but if it
also should be served by apache the group of the file has to be apachegroup and
we have the case that it is still readable.
I cannot stop the creation of symlinks by script or other ways. I could activate
SymLinksIfOwnerMatch, but a user could change this with their own .htaccess
because I grant AllowOverride All in httpd.conf.
Decreasing the AllowOverride level to remove the Options group is a really big
step because it would also remove further helpful things
http://httpd.apache.org/docs/2.2/en/mod/core.html#options
Hmm, the best way would be to activate SymLinksIfOwnerMatch without removing
the whole Options directive.

Now i have:

<Directory "/my/path">
AllowOverride FileInfo AuthConfig Limit Indexes
Options ExecCGI Includes MultiViews Indexes SymLinksIfOwnerMatch
</Directory>

and symlinks to other users' files are not permitted. But on the other hand
every .htaccess which uses an Options, php_flag or php_value directive (maybe
more) runs into a 500 error :(

Andre




joshua at slive

May 15, 2008, 6:51 AM

Post #4 of 6
Re: Re: Apache Security Problem [In reply to]

On Thu, May 15, 2008 at 3:36 AM, Andre Hübner <andre.huebner[at]gmx.de> wrote:

> Sorry, I think I did not verbalize clearly enough. ;)
> The essence is the following: the way of creating a symlink is irrelevant. In
> most cases this is a script, but a symlink is also creatable by just unpacking
> an archive with symlinks that point to other users' files.
> Symlinks are very flexible and can even point to themselves. A symbolic link in
> the filesystem is always created, even if the target has too few permissions or
> is nonexistent. In these cases the link is just dead for the cgi-user that
> created it. But the link is not dead for the apache user. If we think that the
> other file is readable for apache because it is part of a website, then apache
> serves the content of the other user's file. Apache seems in this case just to
> check if source and target of the symlink are readable for the apache user and
> serves the file if so. I can decrease the chmod of the target file, but if it
> also should be served by apache the group of the file has to be apachegroup and
> we have the case that it is still readable.
> I cannot stop the creation of symlinks by script or other ways. I could activate
> SymLinksIfOwnerMatch, but a user could change this with their own .htaccess
> because I grant AllowOverride All in httpd.conf.
> Decreasing the AllowOverride level to remove the Options group is a really big
> step because it would also remove further helpful things
> http://httpd.apache.org/docs/2.2/en/mod/core.html#options
> Hmm, the best way would be to activate SymLinksIfOwnerMatch without removing
> the whole Options directive.
>
> Now i have:
>
> <Directory "/my/path">
> AllowOverride FileInfo AuthConfig Limit Indexes
> Options ExecCGI Includes MultiViews Indexes SymLinksIfOwnerMatch
> </Directory>
>
> and symlinks to other users' files are not permitted. But on the other hand
> every .htaccess which uses an Options, php_flag or php_value directive (maybe
> more) runs into a 500 error :(

You can do restrictions of particular options using the technique shown here:
http://httpd.apache.org/docs/2.2/howto/htaccess.html#how

But I have a feeling that there are other ways around your separation.
It depends on exactly the details of how you are running your scripts.

Joshua.



andre.huebner at gmx

May 18, 2008, 11:53 PM

Post #5 of 6
Re: Apache Security Problem [In reply to]

Hi,

>> You can do restrictions of particular options using the technique shown
>> here:
>> http://httpd.apache.org/docs/2.2/howto/htaccess.html#how
>>
>> But I have a feeling that there are other ways around your separation.
>> It depends on exactly the details of how you are running your scripts.
>>
>> Joshua.

I can only repeat: the way the symlink is created is irrelevant. With
scripting techniques no reading of the files of another user is possible
(openbasedir/permission denied etc.). Creating "dead" symlinks is allowed and
can't be forbidden.
Only Apache has read privileges. example.com/file.txt shows the PHP source if
the symlink is: ln -s /path/to/otheruser/config.php file.txt
The symlink could be created by every CGI application like php/perl etc. Notice
that AllowOverride All is activated by default.
It would be useful if SymLinksIfOwnerMatch could be activated separately and
not be bypassed by a user .htaccess in subfolders.

I have now changed the Apache source (2.2.8). In server/core.c (1315, 1439) I
changed the function call from OPT_SYM_LINKS to OPT_SYM_OWNER.
So every time Apache hits a symlink it is tested for a correct owner match,
and this cannot be bypassed by the user. This should be the best in my case,
just without denying a whole bunch of Options.
I'm not a C programmer, so I would be happy if someone could confirm that my
changes are not risky etc.

Thanks
Andre
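
The ownership comparison discussed in this thread, as an added example that is not part of the original posts or of Apache's code: a Python audit that walks a web root and reports symlinks whose target is owned by a different uid than the link (the test SymLinksIfOwnerMatch applies), resolves outside the root, or cannot be stat'ed by the auditing account. The function names and the sample tree (alice, bob) are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_symlinks(root):
    """List symlinks under root whose target has a different owner than the
    link (the SymLinksIfOwnerMatch test), leaves root, or cannot be stat'ed."""
    root = os.path.realpath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            link_st = os.lstat(link)              # the link itself, not its target
            if not stat.S_ISLNK(link_st.st_mode):
                continue
            target = os.path.realpath(link)       # resolves chains of links
            reasons = []
            if os.path.commonpath([root, target]) != root:
                reasons.append("outside-root")
            try:
                target_st = os.stat(target)
            except OSError:
                # "Dead" for the auditing account; the server account may still read it.
                reasons.append("unresolvable")
            else:
                if target_st.st_uid != link_st.st_uid:
                    reasons.append("owner-mismatch")
            if reasons:
                findings.append((os.path.relpath(link, root), target, reasons))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: one customer's web root plus a file outside it."""
    base = tempfile.mkdtemp()
    webroot = os.path.join(base, "alice", "htdocs")
    other = os.path.join(base, "bob")
    os.makedirs(webroot)
    os.makedirs(other)
    for path in (os.path.join(webroot, "index.html"), os.path.join(other, "config.php")):
        with open(path, "w") as fh:
            fh.write("sample\n")
    os.symlink("index.html", os.path.join(webroot, "home.html"))   # stays inside the root
    os.symlink(os.path.join(other, "config.php"), os.path.join(webroot, "file.txt"))
    os.symlink(os.path.join(base, "missing"), os.path.join(webroot, "dead"))
    return webroot


if __name__ == "__main__":
    for link, target, reasons in audit_symlinks(build_sample_tree()):
        print(f"{link} -> {target}: {', '.join(reasons)}")
```

Run over each customer's document root as root or as the server account; run as an unprivileged user, links into other users' 750 homes are reported as unresolvable rather than owner-mismatch, which is the "dead for the creator, live for Apache" case described above.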




sgifford at suspectclass

May 30, 2008, 7:50 AM

Post #6 of 6
Re: Re: Apache Security Problem [In reply to]

Andre Hübner <andre.huebner[at]gmx.de> writes:

> Hi,
>
>>> You can do restrictions of particular options using the technique
>>> shown here:
>>> http://httpd.apache.org/docs/2.2/howto/htaccess.html#how
>>>
>>> But I have a feeling that there are other ways around your separation.
>>> It depends on exactly the details of how you are running your scripts.
>>>
>>> Joshua.
>
> I can only repeat: the way the symlink is created is
> irrelevant. With scripting techniques no reading of the files of another
> user is possible (openbasedir/permission denied etc.).

On most Apache configurations, a script written by any user can read
any files that Apache can read. It runs as the Apache user (usually
apache or httpd), and can read any files accessible to that user.

If you're running something like suEXEC, though, you're right that the
symlinks will be accessed with a different user than scripts, and
could provide access to files they would not otherwise have access to.
Hopefully one of the other suggestions in this thread has allowed you
to restrict symlink following without breaking your .htaccess files.

Good luck!

-----Scott.
