Gossamer Forum

Isn't this a Security Threat?

The *.def files have 666 permission by setup. Now this would mean that a client hosted on the same server as the webmail would just have to do a cat /path_to_def_files and see the database name and password.

Then the same client can connect to the MySQL database and play destructively with it: wipe off all the tables in a flash..... Correct me if I am wrong.

Isn't this insecure? How to make sure that such a happening is made impossible..... why do the def files and the def directory have to be world readable?

Anup

Last edited by anup123: May 3, 2003, 9:40 PM
Re: [anup123] Isn't this a Security Threat?
Hi Anup,

If your host has suEXEC enabled in Apache, you can chmod the files to 600 (or 660 depending on what group you are in) and it should work. If there is no cgi wrapper, you're pretty much SOL. That's the reason I will not use a virtual hosting provider that won't run suEXEC.

~Charlie
Re: [Chaz] Isn't this a Security Threat?
suexec: disabled; invalid wrapper /usr/sbin/suexec

Does it mean that GM is insecure on a non suexec enabled server? So that means that I am walking on a landmine....

Anup
Re: [anup123] Isn't this a Security Threat?
Contact your host and ask them if there is another wrapper in place. If not, it's pretty insecure. Aren't you on a dedicated server though?

~Charlie
Re: [Chaz] Isn't this a Security Threat?
Yes, I am on a dedicated server. However, on certain directories which are created by default I see the 's', which must be to do with what you are suggesting. The cgi-bin directory, for example, has the following permission:

drwxrwsr-x

Is this what is needed for the def directory? Everything within the data directory is owned by 'nobody'.

drwxr-xr-x 7 scorpioi domain10 4096 Jun 18 2002 .
drwxrwsr-x 13 scorpioi domain10 4096 Mar 7 19:27 ..
-rw-r--r-- 1 nobody domain10 33 Apr 15 2001 .htaccess
drwxr-xr-x 7 nobody domain10 4096 Jun 18 2002 admin
drwxrwxrwx 18 nobody domain10 4096 Jun 18 2002 msgs
drwxrwxrwx 21 nobody domain10 4096 Mar 18 02:03 templates
drwxrwxrwx 2 nobody domain10 4096 May 4 22:50 tmp
drwxrwxrwx 14 nobody domain10 4096 Feb 18 19:03 users

Within admin the permissions are:

drwxr-xr-x 7 nobody domain10 4096 Jun 18 2002 .
drwxr-xr-x 7 scorpioi domain10 4096 Jun 18 2002 ..
drwxr-xr-x 2 nobody domain10 4096 Jun 18 2002 SpellCheck
-rw-r--r-- 1 nobody domain10 53895 Jul 4 2002 checksums
drwxrwxrwx 2 nobody domain10 4096 Apr 27 05:16 defs
drwxr-xr-x 2 nobody domain10 4096 Jun 18 2002 emails
drwxr-xr-x 2 nobody domain10 4096 Jun 18 2002 images
drwxrwxrwx 7 nobody domain10 4096 Jul 4 2002 templates

And within defs all files are owned by nobody, with permission 666.

So what next? I am surprised that it's only users helping the users on GM issues. I am shocked at the near silence by GT on these things, at least on the GM forum.

Anup
Re: [anup123] Isn't this a Security Threat?
If your file ownerships and permissions are set properly it shouldn't be an issue. On my dedicated server my username is "pwilson" - I am not able to view any files that don't belong to "pwilson". I will be shown a "Permission Denied" error.
Re: [anup123] Isn't this a Security Threat?
Quote:
why do the def files and the def directory have to be world readable?

Because your webserver runs either as "apache" or "nobody" and as those users neither fall under your "user" or "group" name then without making it world readable/writable then Links SQL wouldn't be able to write to the defs (unless you had suEXEC installed).
Re: [Paul] Isn't this a Security Threat?
Hi Paul,

The permissions were set by the "installer" that comes with GM (for that matter, with every GT product).

And on the directories which were required for installation, the permissions were set as per the Installation Messages.

Anup
Re: [anup123] Isn't this a Security Threat?
Yes those permissions are correct. I'm referring to file ownership (which Links SQL can't touch as it doesn't have root permissions).

File ownerships are handled by the server and server administrator.
Re: [Paul] Isn't this a Security Threat?
Quote:
File ownerships are handled by the server and server administrator.

Which files, Paul? The 'nobody' ownership is set by the installer and not root/admin as far as GM is concerned (I think I am discussing GM, as I do not yet own LSQL).

I am confused on the whole issue now.

Anup
Re: [anup123] Isn't this a Security Threat?
Quote:
The 'nobody' ownership is set by the installer and not root/admin as far as GM is concerned

No, they are assigned those permissions by your server. If you install Gossamer Mail via your browser then the script is running as the same user your web server runs as, which is normally "nobody", and so when Gossamer Mail extracts all its files they become owned by "nobody". If you had installed the script via your SSH account then the files would be owned by your username, as you are logged in as a user via SSH, whereas via the web you are "nobody".

Your user's home directory, if given the proper permissions, should not allow anyone access except you. For example, my home directory is:

/home/pwilson

....its permissions are:

drwxr-x---

That means:

User - read/write/execute
Group - read/execute
Other - none

Hence, if I login as "other_user" and do:

cd /home/pwilson

...then I get

"Permission Denied"
Re: [Paul] Isn't this a Security Threat?
But without a cgi wrapper, the files would have to be readable by the user that Apache runs as (nobody). Any user who can program perl can write a simple script to read his dirs/files and get at private info. That's what Anup is concerned about.

~Charlie

Last edited by Chaz: May 4, 2003, 11:31 AM
Re: [anup123] Isn't this a Security Threat?
You must be on a shared host, not a dedicated server.

Quote:
I am surprised that it's only users helping the users on GM issues. I am shocked at the near silence by GT on these things, at least on the GM forum.

I pretty much agree with you here. There are a lot of unanswered questions and the GMail forum seems to be somewhat neglected by GT staff. If you have a serious problem, you might be better off using the Support Request Form. You might get a faster response going that route.

Quote:
So what next
Personally, I would ask the host to enable suEXEC or I would start looking for a new host. That's just my personal opinion.

~Charlie

[edit]
One thing I forgot to mention is that you have to look at the volume of users for each particular product as well. There are far more users in the Links SQL forum than here in the GMail forum. That greatly increases your chances of getting an answer to your question.
[/edit]

Last edited by Chaz: May 4, 2003, 11:35 AM
Re: [Paul] Isn't this a Security Threat?
I have 751 as the permission. Do you mean to say that it should be set to 750?

Anup
Re: [Chaz] Isn't this a Security Threat?
I am on a dedicated server with su access. That's how I was able to post on the suEXEC part.

Actually the difficulty is that I cannot give access to the server, so even the support request form doesn't work.

Anup
Re: [anup123] Isn't this a Security Threat?
That's how I have it. 751 means you have it "executable" for "other", which is probably not good.
Re: [Chaz] Isn't this a Security Threat?
Quote:
But without a cgi wrapper, the files would have to be readable by the user that Apache runs as (nobody). Any user who can program perl can write a simple script to read his dirs/files and get at private info. That's what Anup is concerned about.

No, because you can install Gossamer Mail via ssh as username "joe_bloggs" and all files would then be owned by "joe_bloggs" but the script would still work :)

Last edited by Paul: May 4, 2003, 11:58 AM
Re: [anup123] Isn't this a Security Threat?
Now you're confusing me :) Are you sharing the space with others? If you're on your own dedicated server, what does it matter if the permissions are set to 666??

Quote:
Actually the difficulty is that I cannot give access to the server, so even the support request form doesn't work.
Sounds like you're stuck between a rock and a hard spot. If you won't give GT access to the server, how can they help? If GT can't reproduce a problem on their servers/workstations, they can't really guess at a fix.

~Charlie
Re: [Paul] Isn't this a Security Threat?
Even though the files are owned by joe_bloggs, when Apache runs webmail.cgi, it executes as nobody. You would have to set the file permission on the def files (and others) so that nobody has access to them, correct?

~Charlie
Re: [Chaz] Isn't this a Security Threat?
Yes, the space is being shared. That's how I manage to partly cover the expenses and generate some cash to buy something like GM.

Quote:
If you won't give GT access to the server, how can they help? If GT can't reproduce a problem on their servers/workstations, they can't really guess at a fix

Actually I tend to partly agree with you on this. However, such incidences of fixing it live on the server do not really get reflected in the latest downloads, as I had experienced one of the problems wrt the user.pm file being fixed 2 months before I had downloaded my install, only to find the same being there.

Alternatively, GT could ask for the components that they suspect to be the culprit/bug-infected, which can be willingly sent by users like me. After all, it ought to be some component(s) which may be responsible.... and not the whole program. Sometimes the problem may not be reproduced at their end because they would be running components which aren't packaged in the install (cf. the user.pm case).

Anup
Re: [Chaz] Isn't this a Security Threat?
Quote:
Even though the files are owned by joe_bloggs, when Apache runs webmail.cgi, it executes as nobody. You would have to set the file permission on the def files (and others) so that nobody has access to them, correct?

Yes, Links SQL files are able to be modified by "nobody" but the issue was regarding the security of the def files and so if the users home directory has the correct permissions then a user using ssh cannot gain access to read their files.

This can't be done via the web, firstly due to .htaccess on the admin panel and secondly because the defs directory contains a .htaccess file stopping GET requests.

Last edited by Paul: May 4, 2003, 12:33 PM
Re: [Paul] Isn't this a Security Threat?
But wouldn't that cripple GM because of that 'nobody' which is there as a result of the installation being done from the web and not the shell?

Thnx

Anup
Re: [anup123] Isn't this a Security Threat?
Quote:
However, such incidences of fixing it live on the server do not really get reflected in the latest downloads, as I had experienced one of the problems wrt the user.pm file being fixed 2 months before I had downloaded my install, only to find the same being there.

It's best to get together a decent list of bug fixes before announcing an update.
Re: [anup123] Isn't this a Security Threat?
Quote:
But wouldn't that cripple GM because of that 'nobody' which is there as a result of the installation being done from the web and not the shell?

No - I installed Gossamer Forum via the web and my home directory is 750, but Gossamer Forum can still read/write the defs.
Re: [Paul] Isn't this a Security Threat?
Quote:
From Anup: just have to do a cat /path_to_def_files and see the database name and password.

You are correct in that a user wouldn't be able to access a file from a shell, but it won't prevent a hacker from writing a perl script (to run as nobody from a browser) and getting at the def files.

All in all, the results are the same, security is compromised, the hacker just used a different door to walk through.

~Charlie
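
A way to check the two things argued over in this thread, the "other" bits on the def files and whether another local account can traverse down to them (the 750 versus 751 point), as an added example that is not part of any post or of Gossamer Mail. It reads only the mode bits that ls shows, so it says nothing about scripts that run as the web server user; the function names and the paths in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. It inspects mode bits only.

# Print the three "other" permission characters of a path, e.g. "rw-" or "--x".
other_perms() {
    ls -ld -- "$1" | cut -c8-10
}

# List regular files directly inside directory $1 that "other" may read or
# write, one per line as "<other-bits> <path>". Prints nothing if all are closed.
exposed_files() {
    for f in "$1"/* "$1"/.[!.]*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue   # skip dirs, symlinks, unmatched globs
        bits=$(other_perms "$f")
        case $bits in
            r*|?w*) printf '%s %s\n' "$bits" "$f" ;;
        esac
    done
}

# Walk from directory $1 up to and including $2 (both absolute paths) and print
# the first level that "other" cannot traverse. Returns 1 if every level is open.
first_barrier() {
    d=$1
    while :; do
        case $(other_perms "$d") in
            ??x|??t) ;;                            # search bit set: other may pass
            *) printf '%s\n' "$d"; return 0 ;;
        esac
        if [ "$d" = "$2" ] || [ "$d" = "/" ] || [ "$d" = "." ]; then return 1; fi
        d=$(dirname "$d")
    done
}

# Report for a defs directory $1 that lives under home directory $2.
audit_defs() {
    if barrier=$(first_barrier "$1" "$2"); then
        echo "other accounts are stopped at $barrier"
    else
        echo "other accounts can walk down to $1"
    fi
    exposed_files "$1"
}

# Usage (hypothetical paths): sh audit_defs.sh /home/user/data/admin/defs /home/user
if [ "$#" -eq 2 ]; then audit_defs "$1" "$2"; fi
```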