Correct web server permissions
Welcome to the this series on how to improve the security of your website.
The first step in harden your setup is to update the software on it. Since this is more or less obvious how to do it, I'll skip it and just assume you do this. You do this, right?
I'll assume you are using a Linux or BSD based system, I haven't used Windows on a server yet, so I can't give you any hints about that.
So, what step is next:
Simple, setting the right permissions of the uploaded files for whatever software you are running.
Sadly some manual contain things like:
- upload you files
- change configs
- set directories to permission 777
This is one of the worst things you can do.
What do those permission mean?
We have to decide if it is a file or a directory. The flags have different meanings.
What all type of files/directories/other things have in common:
a chmod XXX where X are numbers, you set permission for 3 groups:
- The owner of the file/directory/thing (every file has an owner)
- The group id of the file/directory/thing
- All other
So lets assume you upload your file as the user "grumpy". grumpy's group entry is "users".
A ls -l looks like this
-rw-r--r-- 1 grumpy users 0 Mai 8 13:49 afile
drwxr-xr-x 1 grumpy users 0 Mai 8 13:49 adirectory
The first -rw-r--r-- is your permission info, owner "grumpy", group "users", 0 bytes, last modification time and the filename.
This matches with the chmod command by saying the owner is allowed to read and write the file. Other users in the group "users" are allowed to read the file and others are able to read as well.
There are 3 main flags: read, write and execute (and a few more complicated things I'll skip). Depending on the type the execute flags tells if you are allowed to run this as an executable (or script) or in the case of an directory if you can change into it.
To number above is created by adding 4 (read), 2(write) 1(execute). So a 5 means read and execute (the right permission for directories).
So a proper file or directory should like the lines above. -rw-r--r-- (read/write for user), read only for others on files and drwxr-xr-x for directories (read/write/execute for owner, read/execute for others). These should be the default anyway.
So what you do by running chmod 777 is that you allow everyone to write or change the file or in case of directories: to create files in it.
"So what's the issue? This is my server and nobody has a login to do otherwise."
Only partially true. The software that you run will also be able to write to it. That software could be the image gallery you installed, the webcounter (is this still a thing?), the form to email thingy a.s.o.
Normally these run under the web servers user (www, apache, http, depending on the distribution) and they should not be able to write anything outside of a few defined places.
So lets assume your software has a bug and that can be triggered via internet by calling a URL or sending a manipulated HTTP form. If the bugged software can create or overwrite a file on your public facing website, the attacker can control at least a part of your website. If it something where script/php/python/whatever execution is allowed, the attacker could take over your complete website, including the database your app has access to and so on, if combined by another missetup or bug, the attacker can take over the full machine.
Simply by allowing writes to one wrong directory by opening the permission to write.
So what should you do?
Think of giving permission like giving someone your house keys. Be very very strict.
- If possible, configure your system that the web server user is not the same user that uploads files.
- Make sure the web server user is not able to write files except a few places where absolutely necessary.
- Try to place those directories outside the reach where your files are served from, so that they cannot be called or viewed by knowing the URL.
- Configure the server that the uploaded are not allowed to serve files from the directory.
Yes, this might break some self-updating programs. But they should at least be able to notify you that they want to do an update. If they can't do that, consider to drop them and use another software.
The risk of having a program modify itself or other internet reachable files is very high. And there are a lot of programmers out there that create plugins/software that must be called a security nightmare.
Some simply don't care or have no experience. Sometimes it's just a very weird side effect and a very obscure bug. And (as far as I know) every programmer is a human and humans make mistakes.
Next part of the series is about handling user uploads.