
[cobalt-security] Cobalt RaQ permission scheme - security? PHP3?



Hi folks,

I have to admit that I'm not that up-to-date with this list's threads; maybe
I'm addressing a well-known issue.

I am very unhappy with the way the Cobalt RaQs (I have a v2 and a v3) use
the Linux permissions scheme.

The fact that the user and group properties are used for the users and sites
requires all files (at least those that have to be served by the Apache) to
be world readable. *sigh*

There are some problems (at least, I consider them to be problems) coming to
my mind, and I would like you to comment on them. If you have any
workarounds, please let us know.

- Any user with shell access on the machine is able to read these world
readable files. This is critical, for it affects all (web) files. All files
can be read by other sites' users.

These files often contain "private" data - code establishing DBMS
connections; input from web forms saved to files. Even if the Apache is
configured not to serve some files, or to authenticate the user by IP
address or whatever, this exploit works, for it has nothing to do with the
web server itself.

- Even if you don't grant shell access to any untrusted users, CGI scripts
can easily be used instead. Even if a suid wrapper is used, the problem
persists. No matter how the script is run, one can still access files
because of the "world" property.

- What about PHP? Do you provide PHP on your RaQs? How do you
configure/build PHP, so that it cannot be used by arbitrary users to read
other users' files? I.e., some sUID stuff must be done, right?

Do any of you have a solution for that?

Thanks a lot,
Matthias
--

 w e b f a c t o r y   G m b H
   Matthias Pigulla <mp@xxxxxxxxxxxxx> - Geschaeftsfuehrer
   Lessingstr. 60 - D-53113 Bonn - Germany - www.webfactory.de
   Fon +49(0)228-9114455 - Fax +49(0)228-9114499 - ICQ 49185492
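
The permission problem described in the post above, as an added example that is not part of the original message: it models the standard Unix read check and lists the files under a web root that the web server can read only through the "other" bit. The uid/gid numbers and file names are constructed, and `can_read`, `audit_tree` and `demo` are hypothetical helper names.

```python
import os
import stat
import tempfile

def can_read(mode, owner_uid, owner_gid, uid, gids):
    """Classic Unix read check: exactly one permission class applies."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def audit_tree(root, httpd_uid, httpd_gids):
    """List files the web server reads only through the 'other' bit.

    Any such file is equally readable by every other local account,
    including CGI or PHP code run on behalf of another site.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            via_other = (st.st_uid != httpd_uid
                         and st.st_gid not in httpd_gids
                         and st.st_mode & stat.S_IROTH)
            if via_other:
                findings.append((path, stat.filemode(st.st_mode)))
    return sorted(findings)

def demo():
    # Constructed sample tree; the httpd uid/gids passed below are made up.
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("db_connect.inc", 0o644), ("form_data.txt", 0o640)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        return [(os.path.basename(p), m)
                for p, m in audit_tree(root, httpd_uid=-1, httpd_gids=set())]

if __name__ == "__main__":
    print(demo())
```
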