Posted to modperl@perl.apache.org by Joel Palmius <jo...@mh.se> on 2002/08/01 09:32:32 UTC

Local file security (in 1.27)

I'm developing an online survey system under mod_perl (with a homemade
perlhandler, not under Apache::Registry). Since I've had as a goal to 
avoid as many dependencies as possible, I store results in local plaintext
files. By nature, these files have to be writable by the uid apache
runs as.

In the mod_perl documentation it is written: 

> When a handler needs write permissions, make sure that only the user, 
> the server is running under, has write permissions to the files. 
> Sometimes you need group write permissions, but be very careful, because 
> a buggy or malicious code run in the server may destroy files writable 
> by the server

My files fit this description (the files are chmodded 600). However, as 
the system is intended for academic use, and it is not entirely uncommon 
to have one student web server for everything, I cannot force admins not 
to install (as an example) PHP with default options and allow the
students to write PHP scripts.

In PHP, to completely remove all my stored data with one line of code:

  <? passthru("rm -rf /usr/local/mod_survey/data/*") ?>

Now, this is obviously a flaw with (in descending order) PHP for not 
having an installation with a secure default configuration, and with the 
admins for giving untrusted users access to an inherently insecure 
scripting language. However, the problem ends up being mine as I have to 
handle it somehow. 

So, question is: How do I protect my data files from being accessed by 
anything else than my own perlhandler? Can I set another uid for all that 
has to do with my specific perlhandler? Hints are most welcome. 

  // Joel
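
An added example, not part of the original post: a shell check of what mode 600 does and does not cover for a data directory like the one described above. The function name and finding labels are assumptions made for this sketch; the path in the usage comment is the one quoted in the post.

```sh
#!/bin/sh
# Added example, not from the thread. Finding labels (OWNER, MODE, DIRWRITE,
# SYMLINK) are made up for this sketch.
#
# usage: audit_datadir /usr/local/mod_survey/data <server user or uid>
# Prints one line per finding; prints nothing when the tree is clean.
audit_datadir() {
    dir=$1
    owner=$2

    # Anything not owned by the account the server runs as.
    find "$dir" ! -user "$owner" -print | sed 's/^/OWNER /'

    # Data files whose mode is anything other than exactly 600.
    find "$dir" -type f ! -perm 600 -print | sed 's/^/MODE /'

    # Directories that group or others can write to. Deleting a file is a
    # write to its directory, so mode 600 on the file does not prevent it.
    find "$dir" -type d \( -perm -020 -o -perm -002 \) -print | sed 's/^/DIRWRITE /'

    # Symbolic links: a write through one lands outside the audited tree.
    find "$dir" -type l -print | sed 's/^/SYMLINK /'
}

# A clean result only means other accounts are kept out. Code running under
# the server's own uid (the PHP one-liner in the post) passes every check.
if [ "$#" -eq 2 ]; then
    audit_datadir "$1" "$2"
fi
```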


Re: Local file security (in 1.27)

Posted by Stas Bekman <st...@stason.org>.
[...]
> So, question is: How do I protect my data files from being accessed by 
> anything else than my own perlhandler? Can I set another uid for all that 
> has to do with my specific perlhandler? Hints are most welcome. 

You can't. The only solution is to run a dedicated server for each user.
Currently the pure Apache solution is to use suexec, which you cannot 
run under mod_perl. This is all covered at:
http://perl.apache.org/docs/general/multiuser/multiuser.html

This issue will be addressed in 2.0 with perchild Apache mpm which 
allows you to run different groups of servers/threads under different 
uids/gids. If I remember correctly this mpm is highly experimental at 
this point.

__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com


Re: Local file security (in 1.27)

Posted by Kari Nurmela <ka...@utu.fi>.
> So, question is: How do I protect my data files from being accessed by
> anything else than my own perlhandler? Can I set another uid for all that
> has to do with my specific perlhandler? Hints are most welcome.
>
>   // Joel

Maybe you are facing the same problem that I asked about earlier on this
list? Question: http://groups.yahoo.com/group/modperl/message/43025

The only solution I came up with was to patch mod_perl.c and mod_perl.h
with settings that disable handlers except from httpd.conf. At least I
think these attached patches should do the trick... ;-)

Best wishes, Kari