Securing directories and sensitive files


#1

I’m new to DreamHost, having just switched over from 1&1. I don’t understand how DreamHost sets up security, so I have a couple of questions on UNIX permissions and DreamHost’s setup.

My home directory has permissions of 751. I am not comfortable with world access, but it seems that if I set the permissions to 750, then apache can’t access my web directories (I get a 403 Forbidden error). I reset the permissions back to 751, but my worry is that anyone who has a shell access to that server can get to any files in my web directory. Obviously, setting up a .htaccess file isn’t going to stop someone from cd’ing into the directory and catting out the files. I know that the lack of read access on the directory prevents them from seeing what’s in my home directory, but if they can guess the path to the web root (and the default value is pretty obvious) then they can just cd into there and start looking around.

I had seen some postings that said that the server was running with uid change, but that doesn’t seem to be happening in this case. Do I need to configure something special on the control panel? How do others handle securing sensitive files (such as php includes that contain database connection strings)?

Thanks


#2

It looks like the server is configured to prevent using chgrp to change the group of a file to one that isn’t in my groups list. So I can’t try changing the directory group to apache’s and chmod’ing it to 750.


#3

Don’t forget that Dreamhost runs CGI processes as your user via suEXEC as opposed to Apache. :wink:

–rlparker


#4

I’d seen a posting on that but didn’t understand what it meant. If I use .cgi or .fcgi, Apache will run with the webuser’s id. Does that apply to mod_php as well?

If so, then it sounds like I have to leave my directory permissions at 751 (or 755) so that Apache can get in. Or do I? If Apache knows that it’s a CGI file, it should do the suEXEC prior to reading the file. I think that I can test that.


#5

No. mod_php will run as the Apache user (in this case, at dreamhost, they use the user dhapache).

PHP as CGI, which is the default on Dreamhost, also runs under suexec; you may or may not be able to actually even run mod_php, depending upon which server you are on and how it is configured. There are prior threads in the forum discussing that.

I’ve always left my directory permissions at 755.

–rlparker


#6

Hmmm. The suEXEC seems to happen just before Apache reads the CGI or .php file. The directory permissions have to be open to the world but the file permissions can be 600. And it looks like if it’s a .php file, then anything that file includes or opens can be 600 as well, and subdirectories can be 700.

Thanks for the hint!
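
The layout described in post #6, as an added example that is not part of the original thread: a shell audit that flags what other shell users on the same server could still reach, run before and after tightening. It assumes PHP runs as CGI under suEXEC as the account owner; the function names and the `site`/`inc` paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes PHP runs as CGI under suEXEC as
# the account owner, so scripts and includes need no group/other bits.
# All paths below are constructed samples in a temporary directory.

# Print entries under $1 matching the extra find tests that grant any
# permission bit to group or other.
exposed() {
    root=$1; shift
    find "$root" "$@" \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Succeed if others can list directory $1 (755 rather than 751).
world_listable() {
    [ -n "$(find "$1" -prune -type d -perm -004 -print)" ]
}

# Owner-only tree for includes holding credentials: dirs 700, files 600.
lock_down() {
    find "$1" -type d -exec chmod 700 {} + &&
    find "$1" -type f -exec chmod 600 {} +
}

# $1 = web root, $2 = private include directory inside it.
audit() {
    world_listable "$1" && echo "LISTABLE $1"
    exposed "$2" -type d | sed 's/^/EXPOSED-DIR /'
    exposed "$2" -type f | sed 's/^/EXPOSED-FILE /'
    # Scripts outside the private directory that other users can still read.
    exposed "$1" -path "$2" -prune -o -type f -name '*.php' |
        sed 's/^/READABLE-SCRIPT /'
    return 0
}

demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/site/inc"
    echo '<?php require "inc/db.php";' > "$t/site/index.php"
    echo '<?php $dsn = "constructed-sample";' > "$t/site/inc/db.php"
    chmod 755 "$t/site" "$t/site/inc"
    chmod 644 "$t/site/index.php" "$t/site/inc/db.php"
    echo "before:"; audit "$t/site" "$t/site/inc"
    chmod 751 "$t/site"; chmod 600 "$t/site/index.php"; lock_down "$t/site/inc"
    echo "after:"; audit "$t/site" "$t/site/inc"   # prints nothing when clean
    rm -rf "$t"
}
demo
```
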


#7

You are welcome. Have you checked out the Dreamhost Wiki Unix File Permissions Cookbook? While you probably already know all this stuff, sometimes the “cookbook” approach and the explanatory text are helpful.

–rlparker


#8

I hadn’t seen that. What I really needed was to be knocked on the head and told that php was running as a CGI, not as mod_php. Everything fell into place after that. I hope that everything turns out to be this easy to fix. Thanks again for your help!


#9

I think (hope!) that you will be very pleased as you dig around the Dreamhost environment, and see how they do things. They have put a lot of thought into the design and implementation of their shared server offerings, and have come up with an extremely powerful and flexible environment for an amazing price.

That’s not to say that there are not some limitations to what you can do here, but those limitations are, IMHO, relatively few and extremely reasonable for shared servers; you certainly have a lot more power (and security/safety) in this environment than you have on other hosts I’ve used.

At any rate, welcome to Dreamhost and you are more than welcome to the help, though I didn’t do much :wink: .

–rlparker