apache security
2008-06-10
I had a long discussion today with Arek about file permissions and security. We ended up trying to figure out how the default install of Apache works on Fedora and Debian, and if that is the most secure solution.
So, here's my understanding of the default config on these two distros in a nutshell:
- apache starts as root and then drops to a specific user (httpd on Fedora or www-data on Debian)
- config files are owned root:root with 0644 permissions
- the default config is secure (doesn't contain important secrets)
- because of this, it's not a big deal that any user that can log in to the system can read the config files
So, imagine you want to protect part of your site. You add a configuration parameter to specify which htpasswd file to use, and you make this htpasswd file be owned by root:apache and with 0640 permissions. This way, no one else than root and the apache group can read this file. So far, so good - logged on users cannot read the file and run a cracker on it to guess plaintext passwords of all your users.
So, imagine you now want to add LDAP authentication, and you need to put the plaintext password for your LDAP proxy user. The config hints that you should do something special to protect this:
"A bind password to use in conjunction with the bind DN. Note that the bind password is probably sensitive data, and should be properly protected."
I read this as "make sure that your normal users on your machine can't read the file that contains this information". So apache should be able to read it, and (possibly but not necessarily) root, but no one else. So, a logical way for me is to put an include statement in the apache config for a file that is root:apache and 0640, which contains the bind password.
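The layout described above (the bind password in an Include'd file that is root:apache 0640, the main config left as it is), as an added shell example that is not from the post or from any distribution's packaging. It also adds a small audit the post does not describe: it walks a config directory and flags any file that carries a secret-bearing directive but is still readable by "other". Owner and group are parameters because they differ per distro (apache on Fedora, www-data on Debian); the DN and the password are constructed sample values; the directive names are real Apache ones (AuthLDAPBindPassword from mod_authnz_ldap, DBDParams from mod_dbd).

```shell
#!/bin/sh
# Added example, not part of the post or of any distribution's packaging.
# Keeps the LDAP bind password out of the world-readable main config and in
# an Include'd file that only root and the daemon group can read, then audits
# a config directory for secret-bearing files that are still readable by
# "other". Owner/group names, the DN and the password are assumptions.

# Apache directives known to carry a plaintext secret (mod_authnz_ldap,
# mod_dbd). Extend the alternation if you use others.
SECRET_DIRECTIVES='^[[:space:]]*(AuthLDAPBindPassword|DBDParams)'

# Write a secrets include. The file is created under umask 077 so it is never
# world-readable, not even for the instant before chmod runs.
# Usage: write_secrets_include <path> <owner> <group> <bind password>
write_secrets_include() {
    path=$1
    owner=$2
    group=$3
    secret=$4
    (
        umask 077
        printf '%s\n' \
            "# Pulled into the main config with:  Include $path" \
            'AuthLDAPBindDN "cn=proxy,ou=svc,dc=example,dc=com"' \
            "AuthLDAPBindPassword \"$secret\"" > "$path"
    )
    chown "$owner:$group" "$path"
    chmod 0640 "$path"
}

# Return 0 when <file>'s mode has no "other" bits and is not group-writable,
# i.e. only the owner (root) and the daemon group can read it (GNU stat).
perms_ok() {
    mode=$(stat -c '%a' "$1") || return 1      # e.g. 640
    other=$(( mode % 10 ))
    grp=$(( (mode / 10) % 10 ))
    [ "$other" -eq 0 ] && [ $(( grp & 2 )) -eq 0 ]
}

# Audit every *.conf in <dir>: a file that contains a secret-bearing directive
# but fails perms_ok is reported. Returns 1 if at least one was found.
audit_config_dir() {
    bad=0
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        grep -qE "$SECRET_DIRECTIVES" "$f" || continue
        if ! perms_ok "$f"; then
            echo "secret readable by others: $f ($(stat -c '%a %U:%G' "$f"))"
            bad=$(( bad + 1 ))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Demo: set DEMO_DIR to a scratch directory (run as root to get root:apache).
if [ -n "${DEMO_DIR:-}" ]; then
    write_secrets_include "$DEMO_DIR/ldap-secrets.conf" root apache 'sample-bind-password'
    audit_config_dir "$DEMO_DIR" && echo "no world-readable secrets in $DEMO_DIR"
fi
```

Point the audit at the real config directory (/etc/httpd/conf.d on Fedora, /etc/apache2 on Debian) from cron or a config-management run. It only keeps other local users out: as Sean notes in the comments below, anything that already runs as the daemon user can read the file regardless of its mode.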
Which got me to thinking - why is the default apache config not root:apache and 0640 to begin with?
Arek's reasoning was that it's fine for the default config to be more open, and you should know what you are doing (which implies, changing ownership and permissions if you put this password in the main config file). My argument is that it would be more helpful to have the default setup be locked down more, so that putting this plaintext password in that config - a reasonable thing to do when you want to do some more advanced config - does not suddenly make your setup a lot less secure.
So, I'm sure there is a reason why apache (and other daemons) have their config as root:root and 0644 instead of root:$(daemonuser) and 0640. Anyone care to share their opinion on the subject?
Perhaps because generally root:root is more restrictive and seen by a smaller number of users (1). If you configure mod_ldap or something similar, you should know what you are doing. The documentation should perhaps contain more than just a hint.
Comment by troll — 2008-06-10 @ 21:53
Because all of the scripts run by Apache (mod_php, mod_perl, CGI, etc.) will run as the Apache user, and hence will have access to any file that Apache has access to. Which would also mean all of the config files, password files, SSL certificates, and so on. Since many servers end up being a shared host where many users can freely upload content to websites — including potentially malicious scripts — you cannot at all trust the Apache user.
The proper fix (IMHO) is to never use things like mod_php or mod_perl, and to always use cgi/fast-cgi with suexec. Even if you make the server config files readable only by root, those shared hosts are totally unsafe since any user can access any other user’s sensitive files (like config files with database passwords) because every user’s scripts run with the same permissions.
The default Debian/Fedora/etc. setups do not use suexec by default and support the various script language modules, so they instead have to use the root-only config file trick.
Comment by Sean Middleditch — 2008-06-10 @ 22:11
I think you are overgeneralizing *your* usecase.
How is configuring for a special case more helpful to the general population then configuring for the default configuration?
By not making the configuration file world readable you stop every user from checking out what the current configuration is, having to contact a busy and unresponsive sysadmin….
If the default configuration is not the most common one, then the default configuration should change. If the default configuration has a real reason (like passwords being stored in it by default) then it should not be world readable of course.
The Debian Policy Manual has information about how configuration files, permissions, and all this should be handled on a Debian system.
Comment by fatal — 2008-06-10 @ 22:14
Why not just have a secrets.conf file in conf.d/ with 0640 permissions and people can uncomment a line there and put their secret data in if they want to do that?
I find it quite useful to have the web server’s general configuration public (to local users), as it helps track down things like “Ah, that’s why I can’t use .htaccess files in that folder” etc.
Comment by Kieran — 2008-06-11 @ 00:06
And this doesn’t even begin to get into the bind auth issue, which would allow bypassing the problem entirely.
Simply, instead of using any specific BindDN, or an anonymous bind, transform the input username to a bind DN, and use that with the password to try and authenticate.
Comment by robbat2 — 2008-06-11 @ 01:13
What I don’t understand is why pam_wheel is not default on every system: having www-data hacked is one problem, but if the attacker then becomes root, you can just dump the server. With pam_wheel, only a set of privileged users can change user (using su), so whatever happens, one attacker won’t be able to do more damage.
Comment by Benoît Dejean — 2008-06-11 @ 08:10