Re: [cobalt-users] Severe Security Problem Between Sites

["Robert G. Fisher" <rfisher@xxxxxxxxxxxxxxx>]

On Tue, Mar 28, 2000 at 03:23:14PM +0000, michael@xxxxxxxxxx wrote:
> Robert, thank you for your answer, but I was probably very 
> misunderstanding in my intention. I did not make the setup which I was 
> describing, it is the default setup of my Cobalt RaQ3! I just showed up 

Ahh -- I only have the RaQ and RaQ2...Kinda glad, for me, the
shared administration and pretty pictures is what management
likes, all I care about is letting users take care of their
own accounts...

> Neither does it belong httpd nor is httpd in the group "home", thus httpd 
> can only access it if the file has world-read-rights. 

Unless Cobalt was banking on everyone uploading via FrontPage which
uses HTTP's post method to upload your files as the web server
user thus -- httpd ownership.

> In this case the sloppy programming/configuration is within the Cobalt 
> setup! All PHP programms in the default config need world-write-rights to 
> data-files. The reason is the same as depicted with the myfile.html 
> above.

Alas...all I can say is...Wow...big surprise</sarcasm>

> It was just a guess, but here you are right, at least for the mail files 
> the Cobalt config does not screw up.

Actually, procmail would have complained very loudly to you if these
had not been set in this manner...I think procmail will even reset
the permissions (assuming proper ownership is held).

> I agree, but I don't know any other way. How do you add your passwords 
> for MySQL databases in PHP skripts?

Don't really use PHP much so not sure how to set that up, though I
would suspect http://www.mysql.org has some documentation on this
I would hope?  Honestly, for the db work I'm doing now, it's usually
with MS Access tables, a dash of Paradox and the rest is on SQL Server 7
and PostgreSQL.

> > What Cobalt does on the RaQ2 is it basically has all the files
> > under the web and log directories owned by the httpd account.
> > Then on top of this, the access permissions are set with
> >       -rw(x)rw(x)r-- for files (x) for directories.
> 
> And exactyl this last r is bothering me! For PHP via module that means 
> that data-files have to have world-write-rights too ? at least in the 
> default config. We will change that to PHP via CGIwrap. But the point is: 
> why is the default config so insecure?

So your suggestion is to have the Handler go through cgiwrap rather
than mod_php directly?  Odd Cobalt didn't do this since this is their
default with CGI.

> The documentations sais, it does ? but only for CGI scripts. I really 
> think this is an awful bug in Apache or probably the PHP module for 
> Apache. It should seteuid for such things too. Same btw for the Perl 
> module.

Hmm -- well for a long time, you had to use cgiwrap to do that, and
cgiwrap allows for a finer tuning of control.  You currently have
to trade these advantages off if you want to say run mod_perl for
your CGI scripts.  It would be nice to have mod_phpwrap and mod_perlwrap
though.

> But I can't add a catch-all address via the admin UI. Actually, and that 
> was my point, that should be done be the admin UI automatically!

Something that could easily have gone into Site Management page,
I'm in agreement here.

> I did not say they should add a default password. I just mentioned they 
> should address this topic at least in the manual or even better: let the 
> password set by the admin in the first setup process so that there is no 
> way around to forget. 

Not a bad though..

> Got what I mean?

Umm...Don't fear the penguin?  ;-)

-- 
Robert G. Fisher		     NEOCOM Microspecialists Inc. 
System Administrator/Programmer      (540) 666-9533 x 116