Stop Execution of Dynamic Files with less than X Perms

NC-Designs

Well-Known Member
#1
I have recently experienced a problem after using LiteSpeed for a short while where it allows users to access and execute dynamic files (.php etc.) even if the permissions are, for example, 0700. I need to know how to stop this, as some clients' customers are exploiting this.

Thanks.
 

NC-Designs

Well-Known Member
#3
please be more specific about the issue, so that we can reproduce it at our lab.
Well I am on a cPanel server using LiteSpeed enterprise 4.0.16

When a customer uploads a file, for example this.php, firstly it does not even have to be chown'd to the user to work. So for example, the user can run a file under their directory that has root:root user preferences.

Secondly, I have found that a user can often still execute a PHP file even when the permissions are set to 0700 (chmod).
 

NiteWave

Administrator
#8
Did tests in our lab. In PHP suExec mode, lsphp5 runs as the user's username; if the PHP script is readable by this user, then it'll be executed.

for example,
#ls -l a.php
-rw----r-- 1 root root 61 Aug 9 12:17 a.php
It's owned by root, but readable by other users, so this script can be read by lsphp5 and executed. Assume this script is under /home/john/public_html (so lsphp5 is running as "john").
 

NC-Designs

Well-Known Member
#9
Did tests in our lab. In PHP suExec mode, lsphp5 runs as the user's username; if the PHP script is readable by this user, then it'll be executed.

for example,

It's owned by root, but readable by other users, so this script can be read by lsphp5 and executed. Assume this script is under /home/john/public_html (so lsphp5 is running as "john").
Okay, so is it right that even though suexec is on, root files can still be executed?
 

NC-Designs

Well-Known Member
#11
yes, this is the test result.
Okay, but really should that happen? Makes the server a little more vuln as a user could see the contents of a root file should it not be properly secured. They should only be able to execute their own files.

Also, what chmod permissions are there with Litespeed?
 

mistwang

LiteSpeed Staff
#12
as long as the file owned by root is readable by a user, that user can view the content of the file, it is standard Linux/Unix File System permission.
 

NC-Designs

Well-Known Member
#13
as long as the file owned by root is readable by a user, that user can view the content of the file, it is standard Linux/Unix File System permission.
What about when permissions are 700? The remote user can still access and execute the content? That seems a disaster waiting to happen. For example, a user on our cPanel server recently had a cron job that had permissions set to 700. This cron sent out emails to his customers on a daily basis.

Someone got hold of its location and executed it repeatedly, flooding his customers with thousands of emails.
 
#14
What about when permissions are 700? The remote user can still access and execute the content?
can you give more detail about 700, remote user?
for example,
#ls -l a.php
-rwx------ 1 user1 user1 61 Aug 9 12:17 a.php
a.php's permission is 700
however, only user1 can access and execute a.php, but user2 etc can't.
 
#16
Now if someone on the internet requests the test.php even with permissions 700, it still executes.
it may be normal.

assume the url is domain.com/test.php, and php suExec enabled.
and under user "filetest"'s document root: /home/filetest/public_html

when anyone on the internet accesses domain.com/test.php
lsphp5 will run as user "filetest", pick up test.php and execute it.
this is normal -- "filetest" is the owner of test.php
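
Added example, not part of the original thread and not LiteSpeed code: the read check described in posts #8, #14 and #16, plus a docroot audit that lists every script the account's suExec PHP process could read, flagging files owned by someone else. The function names and the numeric uids in the sample cases are constructed for illustration; ACLs and directory search permissions are ignored.

```python
import os
import stat

def can_read(mode, owner_uid, owner_gid, proc_uid, proc_gids):
    """Classic Unix read check: exactly one permission class applies."""
    if proc_uid == 0:
        return True                       # root bypasses read permission
    if proc_uid == owner_uid:
        return bool(mode & stat.S_IRUSR)  # owner class only, even if "other" is wider
    if owner_gid in proc_gids:
        return bool(mode & stat.S_IRGRP)  # group class
    return bool(mode & stat.S_IROTH)      # everyone else

def audit_docroot(docroot, account_uid, account_gids, suffixes=(".php",)):
    """List (path, owner_uid, mode, note) for scripts the account's PHP process can read."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in sorted(files):
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)           # lstat: symlinks are skipped, not followed
            if not stat.S_ISREG(st.st_mode):
                continue
            if can_read(st.st_mode, st.st_uid, st.st_gid, account_uid, account_gids):
                note = "own file" if st.st_uid == account_uid else "FOREIGN OWNER"
                findings.append((path, st.st_uid, oct(stat.S_IMODE(st.st_mode)), note))
    return findings

# Constructed cases mirroring the thread. The uids are made up:
# john=1001, user1=1002, user2=1003, filetest=1004, root=0.
THREAD_CASES = {
    "root:root 0604 read by john": can_read(0o604, 0, 0, 1001, {1001}),
    "user1 0700 read by user2": can_read(0o700, 1002, 1002, 1003, {1003}),
    "filetest 0700 read by filetest": can_read(0o700, 1004, 1004, 1004, {1004}),
}

if __name__ == "__main__":
    for label, readable in THREAD_CASES.items():
        print(f"{label}: {'readable, would be executed' if readable else 'not readable'}")
```

The third case is the one from post #16: mode 0700 does not stop a web request, because the PHP process runs as the file's owner.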
 

NC-Designs

Well-Known Member
#17
Okay, thanks. Although I think in future updates of LiteSpeed maybe this should be secured? Similar to your static file permission setup you have there should be one for dynamic files. When it is running as 700, only the owner should be able to run it (For example in cronjobs) but not global users simply visiting the site.
 

NC-Designs

Well-Known Member
#18
After looking into this further, LiteSpeed has many differences to Apache with suPHP that I believe Litespeed should adopt. suPHP is known for its security and so should Litespeed.

Firstly, LiteSpeed should support mod_sec better.
Secondly, the user requesting the file (The one visiting the site) should be nobody completely regardless of whether suExec is enabled or not. The user requesting should be nobody and the owner should be the username. This way, should the user set their file permissions to not be readable by others (For example 700), it cannot be executed. Can the second change at least please be implemented? It reduces the overall security of a shared server by miles.
 