Mailinglist Archive: opensuse (929 mails)

Re: [opensuse] public_html security

On 14-03-23 10:04 PM, lynn wrote:
On Sun, 2014-03-23 at 21:36 -0400, Ted Byers wrote:
On 14-03-23 09:21 PM, lynn wrote:
On Sun, 2014-03-23 at 21:39 -0300, Cristian Rodríguez wrote:
On 23/03/14 19:20, lynn wrote:
On Sun, 2014-03-23 at 18:47 -0300, Cristian Rodríguez wrote:
On 23/03/14 17:26, lynn wrote:
13.1
Hi
We've a php script which writes to the users public_html folders, so
wwwrun needs w. I used setfacl to grant the write. The alternative is to
stick it in the db. I'd prefer the former. Any problems with that?
Thanks


what kind of data is it and in what format is stored in the case of
using a database ?


e.g.
php:
<?php
// run h.sh through the shell, then display the file it produced
shell_exec('sh h.sh');
$list = file_get_contents('s.txt');
echo nl2br($list);

h.sh:
#!/bin/bash
# write the listing of the current directory (here public_html) to s.txt
ls -l > s.txt

don't want to do:
...
$query = "INSERT INTO testing (results) VALUES('$list')";
...

Hoping that is not the actual code of the application.. place the
writeable part in a subdirectory in public_html.. not in public_html itself.

Assuming this app can be modified, it is better to store data in a
directory that is not accessible for the public.
Hi
No, I'm not a coder. That's what I did to reproduce the error. I was
told that a script wasn't working which I traced to the wwwrun
permissions.
Then you probably need to consult an experienced coder.
ps: execution of programs using shell_exec or other functions in PHP,
apart from being crazy, slow and almost always insecure unless extreme
care is taken, will probably not work correctly in a number of scenarios
when PHP is running as an apache module; it has been broken for quite
a while (approx. since 2009) and no one is going to fix it.

Oh. The call to the shell seems to be working ok in 13.1
That can be illusory. Sometimes things seem to work, but then fail in
odd ways when put to the test..

I strongly recommend you to use PHP FPM instead of the apache module.

OK. I'm secretly hoping this doesn't get out beyond the intranet.


Now that is just plain wishful thinking. I suggest you find a security
expert who can audit your LAN. It only takes one ill-written script, or
one misconfigured server, to give a capable hacker full access to
everything on your network. Several of my colleagues have been hit
because of this (and it wasn't even their own code, but rather code
developed by their service provider) and they had to rebuild their
systems (on a different service provider) from backups. There is a
reason why coders get increasingly paranoid as they gain experience and
observe the experience of others. The money spent on a capable security
consultant (in-house or not, actually two rather than one: one focussed
on systems administration and one focussed on secure coding practices)
will save countless headaches and minimize liabilities, down the road.
I am by no means a security expert, but I would not hesitate to reach
out to talk to one or two when I have the need and a budget for it.

Cheers

Ted
Yeah. They do tend to generalise though. We're openSUSE/windows under
AD. In Linux, nobody does Kerberos and in windows, nobody does Linux. I
suppose one option is a contract with Red Hut Pizza or SuSE. This thread
has worked wonders for our security. Thanks.
L x


Yeah. I have seen that too. But, you realize there are two ways to gain access to capable help: 1) hire it from outside, and 2) develop it in house. In this case, you'd need to hire twice as many outside consultants, basically one team for your Windows boxes and another for your OpenSuse boxes. But, what you can do is take one of your brightest, more senior system administrators and send him or her out for security focussed training, once for openSuse and once for Windows, so you end up with an in house expert in both platforms. And then do the same for one of your brightest, more senior developers. And since the security issues the world faces are constantly changing, you'll have to send them for refreshers at least once a year (and their successors once they near the age where they ought to retire). That might seem to be expensive (and it will become expensive to keep such experts after they have that extra training), but to put that cost into perspective, consider the cost of not doing it and the liabilities that entails.

Cheers

Ted
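The following is an added example, not code posted in this thread. It reworks lynn's reproduction script along the lines Cristian Rodríguez recommends earlier in the thread: the listing is produced with PHP's own file functions instead of shell_exec, and the file that wwwrun writes lands in a directory Apache does not serve rather than in public_html itself. The paths (/home/<user>/public_html, a sibling /home/<user>/webdata), the session variable holding the user name, and the function names are assumptions for the example; the write permission on webdata is granted the same way lynn did it, with setfacl.

```php
<?php
// Added example (not from the thread). Assumptions, all hypothetical:
//   - user home directories live under /home/<user>/
//   - /home/<user>/public_html is served by Apache (read-only for wwwrun)
//   - /home/<user>/webdata is a sibling directory that wwwrun may write to
//     (e.g. granted with: setfacl -m u:wwwrun:rwx /home/<user>/webdata)
//     and that no URL maps to, so s.txt is never fetchable from the web
//   - the logged-in user name is in $_SESSION['user'], never a raw GET parameter
declare(strict_types=1);

const HOME_ROOT   = '/home';
const PUBLIC_DIR  = 'public_html';
const DATA_SUBDIR = 'webdata';

/**
 * Validate a user name and return the real path of that user's home,
 * or null if the name is not a plain account name or the home is missing.
 */
function userHome(string $user): ?string
{
    // Plain Unix account names only: no '/', no '..', no whitespace.
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $user)) {
        return null;
    }
    $home = realpath(HOME_ROOT . '/' . $user);
    // realpath() resolved symlinks; confirm we are still under HOME_ROOT.
    if ($home === false || strpos($home, HOME_ROOT . '/') !== 0) {
        return null;
    }
    return $home;
}

/**
 * Build an "ls -l"-style listing of $dir without spawning a shell.
 */
function directoryListing(string $dir): string
{
    $lines = [];
    foreach (new DirectoryIterator($dir) as $entry) {
        if ($entry->isDot()) {
            continue;
        }
        $lines[] = sprintf(
            '%s %8d %s %s',
            substr(sprintf('%o', $entry->getPerms()), -4), // e.g. 0644
            $entry->getSize(),
            date('Y-m-d H:i', $entry->getMTime()),
            $entry->getFilename()
        );
    }
    sort($lines);
    return implode("\n", $lines) . "\n";
}

/**
 * Write the listing atomically: a temp file in the target directory,
 * then rename() over s.txt, so a concurrent reader never sees a partial file.
 */
function saveListing(string $dataDir, string $listing): bool
{
    $tmp = tempnam($dataDir, 's.txt.');
    if ($tmp === false) {
        return false;
    }
    if (file_put_contents($tmp, $listing, LOCK_EX) === false) {
        unlink($tmp);
        return false;
    }
    chmod($tmp, 0640);
    return rename($tmp, $dataDir . '/s.txt');
}

session_start();
$home = userHome((string) ($_SESSION['user'] ?? ''));
if ($home === null) {
    http_response_code(400);
    exit('unknown user');
}

$publicDir = $home . '/' . PUBLIC_DIR;   // what we list (read only)
$dataDir   = $home . '/' . DATA_SUBDIR;  // where we write (not web-served)
if (!is_dir($publicDir) || !is_dir($dataDir) || !is_writable($dataDir)) {
    http_response_code(500);
    exit('directories not set up');
}

$listing = directoryListing($publicDir);
if (!saveListing($dataDir, $listing)) {
    http_response_code(500);
    exit('could not write listing');
}

// nl2br() does not escape; escape first so file names cannot inject markup.
echo nl2br(htmlspecialchars($listing, ENT_QUOTES, 'UTF-8'));
```

With this layout wwwrun needs write access only on webdata, public_html itself stays read-only for the web server, and nothing the script writes can be requested as a URL. If the output really has to sit under public_html (Cristian's fallback), the same approach applies to a dedicated subdirectory, which is then the only place wwwrun may write.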