Stop Execution of Dynamic Files with less than X Perms

Discussion in 'General' started by NC-Designs, Aug 8, 2010.

  1. NC-Designs

    NC-Designs New Member

    I have recently experienced a problem after using LiteSpeed for a short while where it allows users to access and execute dynamic files (.php etc.) even if the permissions are, for example, 0700. I need to know how to stop this, as some clients' customers are exploiting this.

    Thanks.
  2. NiteWave

    NiteWave Administrator

    Please be more specific about the issue, so that we can reproduce it in our lab.
  3. NC-Designs

    NC-Designs New Member

    Well I am on a cPanel server using LiteSpeed enterprise 4.0.16

    When a customer uploads a file, for example this.php, firstly it does not even have to be chown'd to the user to work. So for example, the user can run a file under their directory that has root:root user preferences.

    Secondly, I have found that a user can often still execute a php file even when the permissions are set to 0700 (chmod).
  4. NiteWave

    NiteWave Administrator

    php suExec enabled?
  5. NC-Designs

    NC-Designs New Member

    Yeah suExec is on 'User's Home Directory Only' with MaxConn of 10
  6. NiteWave

    NiteWave Administrator

    how about just selecting "Yes"
  7. NC-Designs

    NC-Designs New Member

    Does the same in this case.
  8. NiteWave

    NiteWave Administrator

    Did tests in our lab. In php suExec mode, lsphp5 runs as the user's username; if the php script is readable by this user, then it'll be executed.

    For example,
    it's owned by root, but readable by other users, so this script can be read by lsphp5 and executed. Assume this script is under /home/john/public_html (so lsphp5 is running as "john").
  9. NC-Designs

    NC-Designs New Member

    Okay, so is that right that even though suexec is on, root files can still be executed?
  10. NiteWave

    NiteWave Administrator

    yes, this is the test result.
  11. NC-Designs

    NC-Designs New Member

    Okay, but really should that happen? Makes the server a little more vuln as a user could see the contents of a root file should it not be properly secured. They should only be able to execute their own files.

    Also, what chmod permissions are there with LiteSpeed?
  12. mistwang

    mistwang LiteSpeed Staff

    As long as the file owned by root is readable by a user, that user can view the content of the file; it is standard Linux/Unix file system permission.
  13. NC-Designs

    NC-Designs New Member

    What about when permissions are 700? The remote user can still access and execute the content? That seems a disaster waiting to happen. For example, a user on our cPanel server recently had a cron job that had permissions set to 700. This cron sent out emails to his customers on a daily basis.

    Someone got hold of its location and executed it repeatedly, flooding his customers with thousands of emails.
  14. NiteWave

    NiteWave Administrator

    Can you give more detail about 700, remote user?
    For example,
    a.php's permission is 700;
    however, only user1 can access and execute a.php, but user2 etc. can't.
  15. NC-Designs

    NC-Designs New Member

    Is what it returned. Now if someone on the internet requests the test.php even with permissions 700, it still executes.
  16. NiteWave

    NiteWave Administrator

    It may be normal.

    Assume the url is domain.com/test.php, and php suExec is enabled,
    and it is under user "filetest"'s document root: /home/filetest/public_html

    When anyone on the internet accesses domain.com/test.php,
    lsphp5 will run as user "filetest", pick up test.php and execute it.
    This is normal -- "filetest" is the owner of test.php
  17. NC-Designs

    NC-Designs New Member

    Okay, thanks. Although I think in future updates of LiteSpeed maybe this should be secured? Similar to the static file permission setup you have, there should be one for dynamic files. When it is running as 700, only the owner should be able to run it (for example in cronjobs) but not global users simply visiting the site.
  18. NC-Designs

    NC-Designs New Member

    After looking into this further, LiteSpeed has many differences to Apache with suPHP that I believe LiteSpeed should adopt. suPHP is known for its security and so should LiteSpeed.

    Firstly, LiteSpeed should support mod_sec better.
    Secondly, the user requesting the file (the one visiting the site) should be nobody completely, regardless of whether suExec is enabled or not. The user requesting should be nobody and the owner should be the username. This way, should the user set their file permissions to not be readable by others (for example 700), it cannot be executed. Can the second change at least please be implemented? It reduces the overall security of a shared server by miles.
    Last edited: Aug 29, 2010
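
The permission behaviour NiteWave and mistwang describe in this thread, as an added example that is not part of any post and not LiteSpeed's own code: a Python audit that flags scripts in a document root which the suExec user can read and which will therefore run on a web request. The function names, the `.php` extension list and treating the docroot owner as the suExec user are assumptions.

```python
import os
import stat

PHP_EXT = (".php",)  # extensions treated as dynamic scripts (assumption)

def readable_by(st, uid, gids):
    """Standard Unix read check for a non-root uid: exactly one class applies."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def classify(st, uid, gids):
    """Finding for one script, or None if the suExec user cannot read it."""
    if not readable_by(st, uid, gids):
        return None                 # lsphp cannot open it, so it cannot run
    if st.st_uid != uid:
        return "foreign-owner"      # e.g. root:root but readable by the user
    if not st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
        return "owner-only"         # e.g. 0700: still runs for web visitors
    return "ok"

def audit(docroot, uid, gids):
    """Walk docroot and return sorted (path, finding) pairs worth reviewing."""
    findings = []
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.endswith(PHP_EXT):
                continue
            path = os.path.join(base, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue            # symlinks and special files are skipped
            kind = classify(st, uid, gids)
            if kind in ("foreign-owner", "owner-only"):
                findings.append((path, kind))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    owner = os.stat(root)           # assume suExec runs as the docroot owner
    for path, kind in audit(root, owner.st_uid, {owner.st_gid}):
        print(kind, path)
```

Scripts reported as `owner-only` that are meant for cron only are safer kept outside the document root, since mode 700 does not stop a web request from running them.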
