User directory security
From: JK (jk6ft2-forum_at_yahoo.com)
Date: 06/11/04
- Next message: Isaac To: "Re: User directory security"
- Previous message: Angel: "Re: SSRT3606 rev.2 wu-ftpd off by one vulnerability"
- Next in thread: Isaac To: "Re: User directory security"
- Reply: Isaac To: "Re: User directory security"
- Reply: those who know me have no need of my name: "Re: User directory security"
- Reply: Alvaro G Vicario: "Re: User directory security"
- Reply: *** T. Winter: "Re: User directory security"
- Reply: Stachu 'Dozzie' K.: "Re: User directory security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 11 Jun 2004 15:29:15 +0800
There is a security issue between a Unix system and the Apache web server.
We have many users in our Unix system, i.e. user1, user2 with home directory
/home/user1, /home/user2.
An apache server (running as 'nobody') provides user directories, i.e.
http://mydomain.com/~user1 and http://mydomain.com/~user2
user1 has a php file under /home/user1/public_html/secret.php with
permission (+acl), i.e. http://mydomain.com/~user1/secret.php
# file: secret.php
# owner: cstest
# group: misc
user::rwx
user:nobody:r-x #effective:r--
group::--- #effective:---
mask:r--
other:---
With the ACL control, only 'nobody' (i.e. the web server) has permission
to read this file.
No other user can log on to the workstation, 'cd' to the directory and see the
source of this file.
However, user2 can easily get the source code (secret.php from user1), not just
the web/php output, with the following code:
<?php
// Placed in user2's own public_html and requested through the web server;
// the path is resolved relative to user2's public_html, so this reads user1's
// secret.php with the web server's privileges (the @ silences any warning).
@readfile("../../user1/public_html/secret.php");
?>
This is because the web server also runs this code as 'nobody'. 'nobody' can
steal the source code!
Is there any solution to protect against this issue?
Any comments? Thanks.
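To make the mechanism in the question concrete, here is an added example (not part of the original post or anyone's reply) that evaluates the quoted getfacl listing the way the kernel's POSIX ACL access check does, following the order described in acl(5): owner entry, named user entry with the mask applied, group entries with the mask applied, then other. The ACL text is the one quoted above (owner cstest per the getfacl output); the group memberships for cstest, nobody and user2 are constructed assumptions. The point it shows is that the check is done against the identity of the process, and every script the web server runs is that same 'nobody', so the ACL cannot tell user1's script from user2's. It also shows why getfacl annotates the nobody entry as effective r-- rather than r-x: the mask r-- strips the x bit.

```python
"""Evaluate a getfacl-style POSIX ACL for a given accessing identity.

Added example, not code from the original post. The ACL text is the one
quoted in the post; the user/group memberships below are constructed.
"""

# ACL listing as quoted in the post (the '#effective' annotations are
# getfacl's own output; we recompute them rather than trust them).
SECRET_PHP_ACL = """\
# file: secret.php
# owner: cstest
# group: misc
user::rwx
user:nobody:r-x #effective:r--
group::--- #effective:---
mask:r--
other:---
"""

# Constructed identities: name -> list of groups the process belongs to.
# These memberships are assumptions for the example, not from the post.
IDENTITIES = {
    "cstest": ["misc"],     # file owner
    "nobody": ["nobody"],   # the identity Apache (and thus every PHP script) runs as
    "user2": ["users"],     # another shell user trying to read the file directly
}


def parse_perm(s):
    """'r-x' -> {'r', 'x'}; '---' -> empty set."""
    return {c for c in s if c in "rwx"}


def parse_acl(text):
    """Parse getfacl output into its owner, owning group and ACL entries."""
    acl = {"owner": None, "owning_group": None,
           "user_obj": set(), "group_obj": set(), "other": set(),
           "named_users": {}, "named_groups": {}, "mask": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Header comments carry the owner and owning group.
            if line.startswith("# owner:"):
                acl["owner"] = line.split(":", 1)[1].strip()
            elif line.startswith("# group:"):
                acl["owning_group"] = line.split(":", 1)[1].strip()
            continue
        # Drop a trailing '#effective:...' annotation before splitting.
        line = line.split("#", 1)[0].strip()
        parts = line.split(":")
        tag, perms = parts[0], parse_perm(parts[-1])
        qualifier = parts[1] if len(parts) == 3 else ""
        if tag == "user":
            if qualifier:
                acl["named_users"][qualifier] = perms
            else:
                acl["user_obj"] = perms
        elif tag == "group":
            if qualifier:
                acl["named_groups"][qualifier] = perms
            else:
                acl["group_obj"] = perms
        elif tag == "mask":
            acl["mask"] = perms
        elif tag == "other":
            acl["other"] = perms
    return acl


def effective_perms(acl, user, groups):
    """Permissions `user` (a member of `groups`) actually gets, in the
    POSIX ACL check order: owner, named user, group entries, other.
    The mask applies to named users and to all group entries."""
    mask = acl["mask"] if acl["mask"] is not None else set("rwx")
    if user == acl["owner"]:
        return set(acl["user_obj"])
    if user in acl["named_users"]:
        return acl["named_users"][user] & mask
    group_perms, matched = set(), False
    for g in groups:
        if g == acl["owning_group"]:
            group_perms |= acl["group_obj"]
            matched = True
        if g in acl["named_groups"]:
            group_perms |= acl["named_groups"][g]
            matched = True
    if matched:
        return group_perms & mask
    return set(acl["other"])


def who_can_read(acl, identities):
    """Map each identity to whether it can read the file under this ACL."""
    return {name: "r" in effective_perms(acl, name, groups)
            for name, groups in identities.items()}


if __name__ == "__main__":
    acl = parse_acl(SECRET_PHP_ACL)
    for name, groups in IDENTITIES.items():
        perms = "".join(c for c in "rwx" if c in effective_perms(acl, name, groups))
        print(f"{name:8} effective: {perms or '---'}")
    # user2 from a shell gets '---', but user2's PHP script is checked as
    # 'nobody', which the named-user entry grants r--: the ACL is evaluated
    # per process identity, not per script author.
```

Run it as a script to see the three effective permission sets; the check that matters for the post is that 'nobody' gets r-- while user2 gets nothing, so the protection holds only until user2 can make the web server do the reading for them.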