Re: Writing Cached Files || Permissions and Security Holes...

Hey All.

I use a file caching system for many of the sites I host. I was chmod 777’ing /mycachedir/, but a hacker got through that security hole and wreaked havoc on one site.

Reading through some posts on the web re: this issue, it seems like there are 2 options:

  1. chmod 777 your cache directory, but add the following .htaccess file to your cache dir (or .conf file with a directory deny for /yourcachedir/):

# no directory listings
Options -Indexes
# refuse to serve any file in this directory over the web (Apache 2.2 syntax)
<Files *>
order deny,allow
deny from all
</Files>

  2. change ownership from siteworx user to apache user for /yourcachedir/

e.g. chown apache:apache yourcachedir.

Testing the change ownership option, it seems to work quite well (i.e. I am able to write cached files and read them via web browser), and perms are 744 for the cache dir, so I would assume that security-wise this does the trick?

I think that since PHP runs under Apache as the apache user, you have to chmod 777 any directory you want to write to, as Siteworx account dirs and files ownership is based on the domain name of the site (e.g. mydomainuser; not apache).

So, if option 2 is a “solid” security option, I’d like to chown all the cache dirs for all of my sites. Anyone know how to pull that off with a simple shell script? I know how to create a list of users and loop through it in a shell script, but how do I get the domain portion in the following:

# straight quotes, not curly ones, or the shell will not treat this as a string
LIST="site1 site2"

for d in $LIST; do
# DOMAIN is the part I don't know how to fill in per account
chown apache:apache /home/$d/DOMAIN/html/mycachedir
done

Thanks for any and all feedback!
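An added example (not code from anyone in this thread) of the chown approach from option 2 combined with the .htaccess from option 1, written as a reusable shell function. It assumes the SiteWorx layout quoted above, /home/<unixuser>/<domain>/html/, and since the domain directory name is what the post is asking about, it finds each account's domain directories with a glob instead of hard-coding them. It also assumes the web server runs as apache:apache. The cache dir gets mode 750 rather than 744: a directory needs the execute bit to be traversable, and nobody but the web server's own user and group needs access.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions (labelled):
#  - account layout is ROOT/<unixuser>/<domain>/html/ (the poster's
#    "/home/$d/DOMAIN/html"); the <domain> directory is found by glob.
#  - the web server user is the only process that needs to write the cache.

# secure_cache_dirs ROOT "USER1 USER2 ..." CACHEDIR OWNER
#   For every account under ROOT, every <domain>/html/CACHEDIR is handed to
#   OWNER (user:group) with mode 750 instead of 777, and an .htaccess that
#   blocks web access to the cached files is written into it.
#   Prints each cache directory it touched.
secure_cache_dirs() {
    root=$1; users=$2; cachedir=$3; owner=$4
    for u in $users; do
        for html in "$root/$u"/*/html; do
            [ -d "$html" ] || continue      # glob matched nothing for this user
            cache="$html/$cachedir"
            [ -d "$cache" ] || mkdir -p "$cache"
            chown -R "$owner" "$cache"      # web server user owns the cache
            chmod 750 "$cache"              # owner rwx, group rx, others nothing
            # Apache 2.2 syntax, as in the thread. Only effective where
            # AllowOverride permits it; otherwise put the same rules in a
            # <Directory> block in httpd.conf.
            cat > "$cache/.htaccess" <<'EOF'
Options -Indexes
<Files *>
order deny,allow
deny from all
</Files>
EOF
            echo "$cache"
        done
    done
    return 0
}

# dir_perms DIR: prints the permission string, e.g. drwxr-x---
dir_perms() {
    ls -ld "$1" | cut -c1-10
}

# On a real box (as root), run with "apply"; adjust the user list to taste.
if [ "${1:-}" = "apply" ]; then
    secure_cache_dirs /home "site1 site2" mycachedir apache:apache
fi
```

Run it once as root with `apply` after the user list is filled in; the `chown -R` also takes care of cache files that were already written while the directory was world-writable.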

Without reading too much detail of your post, have you considered running PHP as the user, through suPHP?

There are some great tutorials on here, from Pascal, with instructions on how you can do it. Pascal’s links for the SRPMS seem to be down at the moment (and have been for a while) but I have a copy of them on one of our boxes, so I can put them up somewhere for people to download if necessary.

Cheers.

Yes, E-Web, I did see Pascal’s post on suPHP – I may go for that option, not sure yet.

Probably easiest for me just to chown applicable cache dirs to apache and be done with it – I have some concerns, probably unfounded, about switching to suPHP with my PHP 5 install on a production server.

In any case, I’m just trying to get feedback over pros and cons of various approaches to the issue of file caching and the siteworx user vs. apache/php user dilemma – really surprised there isn’t more on the net re: this subject. Aren’t tons of coders using file caching on their boxes?