Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I do not believe my scripts should execute when I call them from the browser if apache's www-data does not have permission..
1. The scripts are php
2. Owner is root
3. Owner is the only one with write + execute permissions
4. the scripts still run when called from a browser outside
the local network.
5. Standard apache2 and php install on debian wheezy
Is it possible that apache is starting under the root user account?
To diagnose such a situation, where so I start? Can I monitor what user accesses a file? what tools can help me trouble shoot.
Is it at all possible that apache opens the file reads and parses it ignoring the execute permissions? Seeing as a php file can make changes to it's neighbors I do not feel secure with this even though it does not have permission to make changes. To disable a script in a web accessable directory would it be appropriate to deny read permissions.
Thank you, after all consideration I do feel secure with this.
I however did consider the possibilty of signing all my php scripts and implimenting a way in apache to verify this signature so if by chance a rogue script finds it's way into my webdirectory my file verification module would also have to be compromised to allow it to be parsed. Thats all, this solves my paranoi --
I like that idea, I would like to add: One could give www-data quota restrictions in case some corruption some how happens on the loopmounted image you have enough space to recover.
Is it some how possible instead of having to remount every time you make changes , and instead mount the image twice where: one is mounted in a seperate system with write permissions, I do not think it would cause any race conditions or access issues as one is read only. I would be willing to guess that errors on mounting an image twice would emerge in the process, if one mount is read only though I would erge that they only be warnings.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
