Security 101 - Use Minimum Permissions

At Far Edge we've been working with a client who had a compromised website (not because of our software). He'd been blacklisted for sending spam among other things. After our sys-admin guys had tidied up the server itself, I was asked to take a look through the web application source code for security problems.

3 presented themselves.

  1. Insecure 3rd Party Components
  2. Unsanitised User Input
  3. Webserver not Running with Minimal Permissions

#3 - Webserver not Running With Minimal Permissions

At Far Edge, we have a policy of running applications with the minimum permissions they need, and no more. It takes longer to set the site up correctly, takes longer to test it, but it is worth it. Because that problem with the action parameter becomes much harder to exploit when the webserver can't write to the filesystem. This site was not configured with minimal permissions; it could write to any folder it pleased.

Most web applications don't need to write to the filesystem. So don't give them write access. In a unix/linux environment it's this easy:

chown -R developer:www_data /home/www/
chmod -R u+w /home/www/
chmod -R g+r /home/www/
chmod -R g-w /home/www/

In windows, give your IIS worker process read access to just the web site folder and your developers / sys admins write access.

"But!" I hear you cry: "I have to upload images / save log files / write the value of pi to a billion decimal places in some file."

OK. Change one folder to be writable and thats it. For log files, that folder shouldn't be public to the web anyway (perhaps /var/log/www/, or c:\logfiles\ For images or files or values of pi, perhaps you should save them in a database instead. DBMS have pretty good support for binary objects these days, MSSQL can even present them to you as a stream to reduce your memory impact. In any case, you need to validate the uploaded files are legit and not malicious before you do anything with them anyway.

And don't ever execute code from writable folders. Never. Ever. You just never know who's changed that code when you weren't looking. There's a reason why code should be immutable (once generated of course).

The above all applies to your database as well. If you connect to your database as root or dbo, well, an attacker could delete data, insert malicious data or just read all your user details to sell them to the highest bidder.

Security 101 - Unsanitised User Input
Speed test: 2.5" Seagate Momentus XT Hybrid SSD vs...

Related Posts


No comments made yet. Be the first to submit a comment
Mobile Version | Desktop Version