Flat file security

Re: Flat file security

raykyoto@gmail. com wrote:
[color=blue]
> I can do #1 and I was wondering if that is sufficient. As the non-root
> user, I guess I cannot do #2... Can I also move the php scripts that
> write the flat files outside my web directory? Or is that not
> necessary?[/color]

My pick would also be option #1. Moving the php scripts outside the
webdirectory is not only not necessary, but also impossible if you still
want to execute them from the web.
[color=blue]
> 1) directory of the php scripts that writes the flat files
> -rwx---r-x
>
> 2) the php scripts that writes the flat files
> -rwx---r-x
>
> 3) the directory of the flat files
> -rwx---rwx
>
> 4) the flat files themselves
> -rwx---rw-
>
> Is this possible? Can I do better?[/color]

I'm not sure why you leave all the group permissions empty and why other
(world) do get permissions. If the webserver user is the owner of the
flat files directory, you can change that to -rwx------
Same goes for the flat files themselves.
[color=blue]
> I'm also new to php... I've hard-coded the paths to the flat files
> inside my php files, as one must, I guess. Is there a way for people
> to see the source of the php files so that they can extract the hard
> coded paths?[/color]

No, not as long as PHP works on the webserver, because the script gets
interpreted by the webserver and only the output of the scripts is being
sent to the client (webbrowser).

--

Re: Flat file security

raykyoto@gmail. com wrote:
[color=blue]
> Hi all,
>
> I'm sure this is a popular question that comes up every few months
> here. Indeed, I've looked at some of the past postings, but I would
> like to ask things differently.
>
> Basically, I'm using a flat file to storing data. I have to do this
> because mySQL is not installed on my web server, and I am not the root
> user. The amount of data is so small, that it isn't worth a full-blown
> database anyway. However, while the data is nothing valuable
> (generally e-mail addresses), I would like to make it as secure as
> possible. Both from robots and from other users.
>
> I found this useful posting in comp.lang.php (some parts cut) dating
> from 2002:
>
> -----
> 1. Put the file containing userdata _outside_ your webdirectory.
>
> or
>
> 2. Use a robots.txt to tell robots to not read the data.
> Save the file to root on your web as robots.txt, and (as an example)
> with
> the following content:
>
> User-Agent: *
> Disallow: /directory_conta ining_a_lot_of_ email_adresses_ and
> _other_juicy_us er_stuff
>
> or
>
> 3. Wrap the data in an auth of some sort (may be difficult if you use
> that
> data for the auth....;-)
> -----
>
> I can do #1 and I was wondering if that is sufficient.[/color]

No, the only advantage working outside webroot is that a simple request to
the right place will not be answered by the webserver.
But you can also do so by other means.


As the non-root[color=blue]
> user, I guess I cannot do #2...[/color]

Yes you can.
you can place a robots.txt file just as you can place any other text file.


Can I also move the php scripts that[color=blue]
> write the flat files outside my web directory? Or is that not
> necessary?[/color]

Yes, can be done.
Pay attention to permissions however. :-)
If you do not, you can end up with files that are readable to the world,
that is 'everybody' who has access to your system.
When using shared hosting, that is everybody else on the same system.
[color=blue]
>
> Also, as the host is a Unix machine, what permissions are suggested for
> the following? Of course, I only want the web server and me to be able
> to read and write to them. I'm thought about the permissions and have
> inserted them below.
>
> 1) directory of the php scripts that writes the flat files
> -rwx---r-x
>
> 2) the php scripts that writes the flat files
> -rwx---r-x
>
> 3) the directory of the flat files
> -rwx---rwx
>
> 4) the flat files themselves
> -rwx---rw-
>
> Is this possible? Can I do better?[/color]

Yes you can.
Suppose I am on the same machine:
- I can see directory 3)
- I can browse the content of directory 3)
- I can read/modify file in directory 3)

[color=blue]
>
> I'm also new to php... I've hard-coded the paths to the flat files
> inside my php files, as one must, I guess. Is there a way for people
> to see the source of the php files so that they can extract the hard
> coded paths?[/color]

Sometimes.
Your php scripts have permission -rwx---r-x, so if I am on the same machine,
I can possible read your PHP files.

Some time ago I discussed a similar problem with macbri.
Here is a link:


Maybe that helps setting up something a lot more secure.
It involves denying directorylistin gs combined with a very long strange name
for a directory.

I hope it helps.
Good luck.

Regards,
Erwin Moller
[color=blue]
>
> Thank you!
>
> Ray[/color]

Re: Flat file security

Peter van Schie wrote:[color=blue]
> raykyoto@gmail. com wrote:[color=green]
> > I can do #1 and I was wondering if that is sufficient. As the non-root
> > user, I guess I cannot do #2... Can I also move the php scripts that[/color]
> My pick would also be option #1. Moving the php scripts outside the
> webdirectory is not only not necessary, but also impossible if you still
> want to execute them from the web.[/color]

Ah, I see. I didn't know it would not be possible to run php scripts
if they are outside the web directory. Thanks!
[color=blue][color=green]
> > 1) directory of the php scripts that writes the flat files
> > -rwx---r-x
> >
> > 2) the php scripts that writes the flat files
> > -rwx---r-x
> >
> > 3) the directory of the flat files
> > -rwx---rwx
> >
> > 4) the flat files themselves
> > -rwx---rw-[/color]
> I'm not sure why you leave all the group permissions empty and why other
> (world) do get permissions. If the webserver user is the owner of the
> flat files directory, you can change that to -rwx------
> Same goes for the flat files themselves.[/color]

Hmmm...I noticed the files are made by the user www-data. I guess I
didn't know what privileges it had. I enabled the world permissions
for the directories and files for it...

I also tried chown'ing the file so that www-data owns it. I also tried
to create a group so that only I and www-data are in it. Neither seems
to work as I'm not the root user.

But, say I could make files owned by www-data and give it -rwx------.
How could I read them?
[color=blue]
> No, not as long as PHP works on the webserver, because the script gets
> interpreted by the webserver and only the output of the scripts is being
> sent to the client (webbrowser).[/color]

Since php is server-side code, this is what I thought; but I also was
worried that there is some way to get around it. Thanks for confirming
to me that there isn't.

Ray

Re: Flat file security

Hi Erwin,

Erwin Moller wrote:
....[color=blue][color=green]
> > I can do #1 and I was wondering if that is sufficient.[/color]
> No, the only advantage working outside webroot is that a simple request to
> the right place will not be answered by the webserver.
> But you can also do so by other means.[/color]

I am tempted to ask you what you mean by "other means", but on second
thought, the less people who know, the better. Good enough for me to
know that it isn't perfect security.
[color=blue]
> As the non-root[color=green]
> > user, I guess I cannot do #2...[/color]
> Yes you can.
> you can place a robots.txt file just as you can place any other text file.[/color]

Ah! I didn't know that...thank you!
[color=blue]
> Yes, can be done.
> Pay attention to permissions however. :-)
> If you do not, you can end up with files that are readable to the world,
> that is 'everybody' who has access to your system.
> When using shared hosting, that is everybody else on the same system.[/color]

Ah! I see...
[color=blue]
> Yes you can.
> Suppose I am on the same machine:
> - I can see directory 3)
> - I can browse the content of directory 3)
> - I can read/modify file in directory 3)[/color]

I said this in my previous reply, but I guess my main problem is that I
don't understand www-data -- the account which runs the web server and
thus, creates these files.

I tried changing ownership to it and creating a group with only me and
it, but neither worked because I'm not the root user. Perhaps I am
doing something wrong, but I am having problems chown'ing my own
files... Or, maybe the sysadmin has disallowed its use? Likewise for
creating a new group.
[color=blue]
> Some time ago I discussed a similar problem with macbri.
> Here is a link:
> http://groups.google.nl/group/comp.l...398dedf888542a
>
> Maybe that helps setting up something a lot more secure.
> It involves denying directorylistin gs combined with a very long strange name
> for a directory.[/color]

Thanks! I'm going through it now and it looks long and detailed.
Thank you for the original posting...I'll make sure the extensive
typing you did is used at least one more time by me. :)

Ray

Re: Flat file security

On 3 Oct 2005 04:02:57 -0700, "Ray" <raykyoto@gmail .com> wrote:
[color=blue]
>Peter van Schie wrote:[color=green]
>> raykyoto@gmail. com wrote:[color=darkred]
>> > I can do #1 and I was wondering if that is sufficient. As the non-root
>> > user, I guess I cannot do #2... Can I also move the php scripts that[/color]
>> My pick would also be option #1. Moving the php scripts outside the
>> webdirectory is not only not necessary, but also impossible if you still
>> want to execute them from the web.[/color]
>
>Ah, I see. I didn't know it would not be possible to run php scripts
>if they are outside the web directory. Thanks![/color]

Well, actually, you can. There are, of course, multiple ways of doing
so.
[color=blue]
>[color=green][color=darkred]
>> > 1) directory of the php scripts that writes the flat files
>> > -rwx---r-x
>> >
>> > 2) the php scripts that writes the flat files
>> > -rwx---r-x
>> >
>> > 3) the directory of the flat files
>> > -rwx---rwx
>> >
>> > 4) the flat files themselves
>> > -rwx---rw-[/color]
>> I'm not sure why you leave all the group permissions empty and why other
>> (world) do get permissions. If the webserver user is the owner of the
>> flat files directory, you can change that to -rwx------
>> Same goes for the flat files themselves.[/color]
>
>Hmmm...I noticed the files are made by the user www-data. I guess I
>didn't know what privileges it had. I enabled the world permissions
>for the directories and files for it...[/color]

Bad idea.[color=blue]
>
>I also tried chown'ing the file so that www-data owns it. I also tried
>to create a group so that only I and www-data are in it. Neither seems
>to work as I'm not the root user.[/color]

Yep. You need root access to change the owner on a good Unix.[color=blue]
>
>But, say I could make files owned by www-data and give it -rwx------.
>How could I read them?
>[color=green]
>> No, not as long as PHP works on the webserver, because the script gets
>> interpreted by the webserver and only the output of the scripts is being
>> sent to the client (webbrowser).[/color][/color]

Unless, of course, you've got a bug in your php code. Any simple
mistake could lead to opening your source to the world.
[color=blue]
>Since php is server-side code, this is what I thought; but I also was
>worried that there is some way to get around it. Thanks for confirming
>to me that there isn't.
>
>Ray[/color]

--
gburnore@databa six dot com
---------------------------------------------------------------------------
How you look depends on where you go.
---------------------------------------------------------------------------
Gary L. Burnore | ÝÛ³ºÝ³Þ³ºÝ³³ÝÛº ݳ޳ºÝ³Ý³Þ³ºÝ³Ý ÝÛ³
| ÝÛ³ºÝ³Þ³ºÝ³³ÝÛº ݳ޳ºÝ³Ý³Þ³ºÝ³Ý ÝÛ³
DataBasix | ÝÛ³ºÝ³Þ³ºÝ³³ÝÛº ݳ޳ºÝ³Ý³Þ³ºÝ³Ý ÝÛ³
| ÝÛ³ 3 4 1 4 2 ݳ޳ 6 9 0 6 9 ÝÛ³
Black Helicopter Repair Svcs Division | Official Proof of Purchase
=============== =============== =============== =============== ===============
Want one? GET one! http://signup.databasix.com
=============== =============== =============== =============== ===============

Re: Flat file security

On 3 Oct 2005 04:16:21 -0700, "Ray" <raykyoto@gmail .com> wrote:
[color=blue]
>Hi Erwin,
>
>Erwin Moller wrote:
>...[color=green][color=darkred]
>> > I can do #1 and I was wondering if that is sufficient.[/color]
>> No, the only advantage working outside webroot is that a simple request to
>> the right place will not be answered by the webserver.
>> But you can also do so by other means.[/color]
>
>I am tempted to ask you what you mean by "other means", but on second
>thought, the less people who know, the better. Good enough for me to
>know that it isn't perfect security.[/color]

Security by obscurity isn't a good idea. Ignoring security risks is
worse.


--
gburnore@databa six dot com
---------------------------------------------------------------------------
How you look depends on where you go.
---------------------------------------------------------------------------
Gary L. Burnore | ÝÛ³ºÝ³Þ³ºÝ³³ÝÛº ݳ޳ºÝ³Ý³Þ³ºÝ³Ý ÝÛ³
| ÝÛ³ºÝ³Þ³ºÝ³³ÝÛº ݳ޳ºÝ³Ý³Þ³ºÝ³Ý ÝÛ³
DataBasix | ÝÛ³ºÝ³Þ³ºÝ³³ÝÛº ݳ޳ºÝ³Ý³Þ³ºÝ³Ý ÝÛ³
| ÝÛ³ 3 4 1 4 2 ݳ޳ 6 9 0 6 9 ÝÛ³
Black Helicopter Repair Svcs Division | Official Proof of Purchase
=============== =============== =============== =============== ===============
Want one? GET one! http://signup.databasix.com
=============== =============== =============== =============== ===============

Re: Flat file security

Ray wrote:

Hi Ray,

[snip]
[color=blue]
> But, say I could make files owned by www-data and give it -rwx------.
> How could I read them?[/color]

You mean how to read the file from PHP? Just use fopen, fread and
fclose. Or even easier: file_get_conten ts.

Peter.
--

Re: Flat file security

Ray wrote:
[color=blue]
> Hi Erwin,
>
> Erwin Moller wrote:
> ...[color=green][color=darkred]
>> > I can do #1 and I was wondering if that is sufficient.[/color]
>> No, the only advantage working outside webroot is that a simple request
>> to the right place will not be answered by the webserver.
>> But you can also do so by other means.[/color]
>
> I am tempted to ask you what you mean by "other means", but on second
> thought, the less people who know, the better. Good enough for me to
> know that it isn't perfect security.[/color]

Hi,

No secret here. :-)
On a *nix filesystem every directory and file has permissions.
If that file is in or outside public_html (or whatever your directory is
called), is of no concern when it comes to the other users of the system.
When you are the only user of the server, you probably don't have to worry
too much, but when you know you are in a shared hosting environment AND you
use rw for the 'world'/thrid argument, alarmbells should ring. :-)

[color=blue]
>[color=green]
>> As the non-root[color=darkred]
>> > user, I guess I cannot do #2...[/color]
>> Yes you can.
>> you can place a robots.txt file just as you can place any other text
>> file.[/color]
>
> Ah! I didn't know that...thank you![/color]

Here is more:


It is actually a very simple straightforward system.
But be aware that robots.txt only works when the spider is friendly and
cares about your suggestions.
The first email-harvester written by Mr. Spam and Mr. Scriptboy would not
even bother to read robots.txt.
So never rely on it when it comes to protecting your data.
It will only work for the Good Guys, like Google.

[color=blue]
>[color=green]
>> Yes, can be done.
>> Pay attention to permissions however. :-)
>> If you do not, you can end up with files that are readable to the world,
>> that is 'everybody' who has access to your system.
>> When using shared hosting, that is everybody else on the same system.[/color]
>
> Ah! I see...
>[color=green]
>> Yes you can.
>> Suppose I am on the same machine:
>> - I can see directory 3)
>> - I can browse the content of directory 3)
>> - I can read/modify file in directory 3)[/color]
>
> I said this in my previous reply, but I guess my main problem is that I
> don't understand www-data -- the account which runs the web server and
> thus, creates these files.[/color]

Well, www-data is just the name of a user.
It is typically the name of a user that runs Apache.
Remember that every process on *nix is owned by a user.
So is PHP. PHP is executed by Apache, so PHP runs as user Apache.
(Things might be more complicated actually, but this is the idea.)

A few years ago www-data had another name: 'Apache' or 'nobody'.
It is just what the serveradmin decided to name it.
I think nowadays www-data is used everywhere.
(When you are unlucky enough to hit a W$ machine, the user will often be
named IUSR_machinenam e. But W$ doesn't have permissions like *nix has.)
[color=blue]
>
> I tried changing ownership to it and creating a group with only me and
> it, but neither worked because I'm not the root user. Perhaps I am
> doing something wrong, but I am having problems chown'ing my own
> files... Or, maybe the sysadmin has disallowed its use? Likewise for
> creating a new group.[/color]

True.
You don't want normal users changing ownership of files, do you?
;-)
That would make hacking/cracking too easy to give any satisfaction. :P

So: chown is a command executed by root.
[color=blue]
>[color=green]
>> Some time ago I discussed a similar problem with macbri.
>> Here is a link:
>>[/color][/color]
http://groups.google.nl/group/comp.l...398dedf888542a[color=blue][color=green]
>>
>> Maybe that helps setting up something a lot more secure.
>> It involves denying directorylistin gs combined with a very long strange
>> name for a directory.[/color]
>
> Thanks! I'm going through it now and it looks long and detailed.
> Thank you for the original posting...I'll make sure the extensive
> typing you did is used at least one more time by me. :)[/color]

Hehe, thanks.
When that trick was first explained to me by a guy, I decided to share it at
least 1 time with somebody else. I did twice now. ;-)

One last tip: Once you set up something you think is reasonable secure, try
to break it yourself by using another account on the same machine, if that
is possible. It is a good way of testing what the rwx means on directories
and such, which is quite confusing the first time you use them (for me).

Good luck.

Regards,
Erwin Moller
[color=blue]
>
> Ray[/color]

Re: Flat file security

Gary L. Burnore wrote:[color=blue]
> On 3 Oct 2005 04:16:21 -0700, "Ray" <raykyoto@gmail .com> wrote:[color=green]
> >I am tempted to ask you what you mean by "other means", but on second
> >thought, the less people who know, the better. Good enough for me to
> >know that it isn't perfect security.[/color]
>
> Security by obscurity isn't a good idea. Ignoring security risks is
> worse.[/color]

Absolutely true...by "good enough for me", I was referring to
preventing my brain from going on overload. :) Ignoring security
risks IS bad, but let me slowly catch up instead of learning all in one
go. Progress at a snail's pace is still progress... :(

Ray

Re: Flat file security

Hi Peter,

Peter van Schie wrote:[color=blue]
> Ray wrote:[color=green]
> > But, say I could make files owned by www-data and give it -rwx------.
> > How could I read them?[/color]
>
> You mean how to read the file from PHP? Just use fopen, fread and
> fclose. Or even easier: file_get_conten ts.[/color]

Ummm, no I don't mean that. I mean if the files are owned by one user
(www-data) how can another user (me in this case: ray) read them?
Wouldn't I'd get into a situation where I have files owned by someone
else sitting in my directory which I cannot read, write, or delete?
Ok...not true...I suppose I could extend what Erwin suggested and
create a php script that does these things which would then be executed
by www-data. But, from the Unix prompt, I can't do anything to them?

Something is wrong with my understanding, right?

Ray

Re: Flat file security

Hi Erwin,

Erwin Moller wrote:[color=blue]
> Here is more:
> http://www.searchengineworld.com/rob...s_tutorial.htm[/color]

Thank you for finding it!
[color=blue]
> It is actually a very simple straightforward system.
> But be aware that robots.txt only works when the spider is friendly and
> cares about your suggestions.[/color]

I see. Well, if the best I can do is add many small locks instead of
one big one, I can settle with that. Thanks for the warning!
[color=blue][color=green]
> > I said this in my previous reply, but I guess my main problem is that I
> > don't understand www-data -- the account which runs the web server and
> > thus, creates these files.[/color]
> Well, www-data is just the name of a user.
> It is typically the name of a user that runs Apache.
> Remember that every process on *nix is owned by a user.[/color]

I see. Perhaps that is what confused me and why I did -------rw- in
the first place (which seems to have caused an uproar in this thread :)
). At first, I thought www-data was some special user...like root.
After playing around a bit and realizing that public web pages have to
have -------r--, I suspected that it is just a normal user.

So, my problem was that I wanted www-data to create files which I can
also read. If I own the files, one solution is to create a group and
add www-data and me to it...but I'm not the sysadmin and I cannot do a
groupadd. If www-data owns the files, then won't I have problems
reading it?
[color=blue]
>From your previous post in August, you suggested creating files owned[/color]
by www-data within my directory. It feels strange to me, but perhaps I
don't understand how permissions cascade. Unix permissions is simple
enough: user, group, other/world...but when you put them within each
other is something that I still don't have a grasp of.
[color=blue]
> True.
> You don't want normal users changing ownership of files, do you?
> ;-)
> That would make hacking/cracking too easy to give any satisfaction. :P
>
> So: chown is a command executed by root.[/color]

Well, before I tried, I thought I would get into the problem of giving
ownership to a file and later, not being able to get it back... But,
when I tried it, I was thinking I won't learn unless I do...I did and
it didn't let me. :)
[color=blue][color=green]
> > Thanks! I'm going through it now and it looks long and detailed.
> > Thank you for the original posting...I'll make sure the extensive
> > typing you did is used at least one more time by me. :)[/color]
> Hehe, thanks.
> When that trick was first explained to me by a guy, I decided to share it at
> least 1 time with somebody else. I did twice now. ;-)[/color]

Well, I'll make sure to pass it on. A "good" chain mail! :)

mySQL is great, but not everyone is a sysadmin and sometimes, you have
to make do with what you have. And, I guess it is overkill for what
I'm doing.
[color=blue]
> One last tip: Once you set up something you think is reasonable secure, try
> to break it yourself by using another account on the same machine, if that
> is possible. It is a good way of testing what the rwx means on directories
> and such, which is quite confusing the first time you use them (for me).[/color]

Well, on that machine, I'm not the sysadmin, so I don't have the
luxury. I am a sysadmin of my machine, but it's behind a firewall.
Nevertheless, I can install a web server and give it a try...the test
won't be as good as the actual test, but maybe good enough.

Thanks for your help!

Ray

Re: Flat file security

Ray wrote:
<snip>[color=blue]
> Something is wrong with my understanding, right?
>
> Ray[/color]

Hi Ray,

Possibly.
But don't worry: Nobody was born with knowledge of unix filepermissions . ;-)

Here are a few links I googled up that seem to make sense:





Jus a friendly word of advise:
I want to encourage you to play around with filepermissions on your OWN
system, where you have root-acces so you can change groups and such.
Just create 2 users: Ray and Erwin.
Open for both a terminal.

Let Ray create a file with certain permissions, check with what permissions
Erwin can read them.
Put Ray and Eriwn in a group, check again. etc.

This is all reasonably straightforward .

Then start playing with right on directories. This is where the fun starts.
:-)
Can Erwin list the content of a directory made by Ray?
Which setteings on the directory make this happen?
When can Erwin create a file in a directory owned by Ray?
When can Erwin delete/modify a file in a directory owned by Ray?
When can Erwin SEE a file in a directory owned by Ray?
Etc.

Really: It is WELL WORTH your time to play around for 1 day or so.
(I wished I did before publishing my first Perl-scripts may years ago. :P)
If you understand how it works, you KNOW what you are doing in your shared
hosting environment where you do not have rootaccess.
You know what www-data can and cannot do.
You know what malicious users on the same machine can do and cannot do.
Be aware that on most shared host environments, everybody can mimic
www-data, just by writing a script in php. That script then runs as
www-data.


Good luck.

Regards,
Erwin Moller

Re: Flat file security

Hi Erwin,

Erwin Moller wrote:[color=blue]
> Ray wrote:
> <snip>[color=green]
> > Something is wrong with my understanding, right?[/color]
> Hi Ray,
>
> Possibly.
> But don't worry: Nobody was born with knowledge of unix filepermissions . ;-)[/color]

haha...funny how some people look like they were born with such
knowledge. ;)
[color=blue]
> Here are a few links I googled up that seem to make sense:[/color]

Thank you for googling! So much out there...hard to find things that
are correct and understandable to someone like me.
[color=blue]
> Jus a friendly word of advise:
> I want to encourage you to play around with filepermissions on your OWN
> system, where you have root-acces so you can change groups and such.[/color]

I will and thank you so much for all your help. I've set up the web
page as per your previous post months ago and I think I can sleep at
night. :) What I've set up isn't perfect perhaps, but it's good and
anything else I've done wrong, I can learn slowly. There is only so
much that can be crammed into my brain at one time. :)

Thanks for your patient explanations. It was very much appreciated!

Ray