bear

Well-Known Member
cPanel Access Level
Root Administrator
Willing to show my ignorance here. :eek:

In an effort to make a new box more secure, one of the recommended steps is to use suPHP so folders don't need dangerous world writable permissions set to be able to write to them. OK, 777 won't let a script run within, though you can still set that permission level. However, a script in a folder with lesser permissions will run, and with suPHP, it can be written into any folder, as long as the script being exploited (let's say WP in this case) can be made to write there. No matter how many places I read up on it, they all claim it's safer, but don't really explain why scripts able to upload and run in any folder is any safer than just on certain folders with world writable access. Kind of counterintuitive.

Can anyone explain the reasons why that's safer?
 

bear

Further reading (naturally I find something about this just after posting) suggests it's safer overall, in that a compromised account shouldn't be able to use that to access other accounts on the same server. Not much safer for one, but safer overall for the remaining accounts.
That about right?
 

cPanelTristan

Quality Assurance Analyst
Staff member
cPanel Access Level
Root Administrator
If only the user can read, write and execute, while group and other can only read and execute, why wouldn't that be safer? I'm uncertain about the upload portion here. Upload wouldn't be anything to do with an existing script unless it was poorly written and allowed injections into the code. Under normal circumstances, the script can be read and executed by group and other but not written to.

As for DSO versus suPHP, since the group for the user is the same as the user rather than nobody, this means that the user's script is more restricted for access.
 

pla

Member
cPanel Access Level
Root Administrator
> Willing to show my ignorance here. :eek:
>
> Can anyone explain the reasons why that's safer?

With standard PHP, if you want to upload stuff the group ownership of the directory involved must be apache and the folder must be group writeable. The files created in it will have owner and group as apache, which means the account owner may have problems deleting files if they are in a sub-directory created by a web app. Messy... And any account owner can mess with files created by web apps in somebody else's account provided they can do a little programming and guess which directories are writeable. Even worse is leaving the group the same as the owner and making upload directories world writeable. No ownership problems messing up FTP access but big, big security hole (there's not just the risk of the site being defaced but of people hiding illegal files in a directory you'll rarely look at with FTP).

suPHP does for PHP pretty much what suEXEC does for Perl. It runs PHP files in the context of the account owner rather than as apache. So if one account gets hijacked the others won't suffer because you don't have to make upload directories wide open.