Security of web app files and database passwords in a linux shared hosting environment

0

I have a web app on a linux shared hosting machine. Lets say I have a .htpasswd file, some configs that store a database password and generally don't want people snooping through my source code looking for vulnerabilities.

The webserver (apache) needs read access (and write in some cases) to the above files. However I don't want other people on the same shared host to have access.

I've never quite understood how this is supposed to work. The question here is similar but seems to point more at stopping the web app from hosting a passwords file accidentally.

AFAIK, all I have to work with is basic linux permissions. On one server, I'm expected to give "others" permissions for apache. Then removing the group permissions, that all other users are in, denies them access. This seems pretty roundabout. On another server there's a nobody group set on public_html with only group permissions set.

One concern is that if the apache user has access to my files, a simple script could be written and executed to gain access by another user:

<?php
header("Content-Type: text/plain");
include $_GET['f'];
?>

TLDR: I need apache to have access to the source files and passwords, but not other users on the same machine (excepting admins ofc).

What is a common setup?

Related questions:

jozxyqk

Posted 2015-05-05T14:04:48.457

Reputation: 1 960

I'm voting to close this question as off-topic because it either belongs on WebApps SE or SuperUser. – RoraΖ – 2015-05-05T15:01:23.780

@raz cheers. I'll repost there. – jozxyqk – 2015-05-05T15:35:18.357

The mods will migrate it for you. – RoraΖ – 2015-05-05T15:36:05.273

@raz ok, I'll wait then. – jozxyqk – 2015-05-05T15:37:13.407

Answers

0

Create a group, add apache/www-data to the group. Then:

chown -R apache:groupname /var/www/mywebapp/ && \ chmod -R 640 /var/www/mywebapp

This will grant the owner read and write (6), and the group read (4) permissions for the folder and all sub-directories and files. The apache user will be able to access the files, as will the owner, but others will not be able to. You should ensure they cannot su to the apache user.

Use Directory blocks in the vhost config to restrict access at the folder level. http://httpd.apache.org/docs/2.0/misc/security_tips.html #See Protect Server Files http://www.anchor.com.au/hosting/dedicated/Security_Hardening_of_an_Apache_Virtual_Host

Alex Atkinson

Posted 2015-05-05T14:04:48.457

Reputation: 2 845

But what happens when they right a short php script which tries to access those files? That'll be running as the apache user and will see everything straight away. – jozxyqk – 2015-05-08T08:50:27.890

I've added links on Directory blocks. Scripts in a customers vhost directory should have no access to other directories on a shared hosting server. – Alex Atkinson – 2015-05-08T15:23:05.997

Thanks. I've had a look through those pages, but I haven't seen (or at least haven't understood) anything specific that would limit user script access to other user's directories. Could you point it out? – jozxyqk – 2015-05-09T16:48:07.847

Make a test vhost and a test user. Apply directory blocks to the vhost configs, and test your scenario. This is the only way you're going to get the practical understanding. You'll get it. – Alex Atkinson – 2015-05-09T17:06:28.957

Asked: 2015-05-05T14:04:48.457

Viewed: 213 times

Active: 2015-05-14T13:30:36.487