Apache writing within doc root a security issue?

security
permissions

#1

Hello,

I am trying to understand folder permissions for Kirby.

As I understand it, apache needs write permissions to at least the following folders:

  • /site/accounts
  • /thumbs
  • /content + all contained files and folders
  • /assets/avatars

But I have been warned that, although many cms seem to need this, allowing apache to write anywhere in document root is a huge security risk.

For example, according to this (quite old) blog post:

The usual threat model is that someone manages to upload (for instance) a PHP script of their own making into the document root, and simply executes that by accessing it through a browser. Now someone is executing code on your machine.

Is this actually the case with Kirby, or are there any specific security measures that Kirby uses which solve this possible risk?

Thank you.


#3

The article you are linking to is right in that you should always be careful about security. Setting just the permissions you need is always the best way (but a bit more time-consuming of course).

There is the following paragraph about CMS (like Kirby):

Certain applications, especially publishing platforms and Content Management Systems that you manage and populate through the web server itself using a browser, require that certain directories on the system be made writable by the web server user. You can do this by changing the owner of the directory to that user (usually www but ymmv), or by making the directory group-writable and changing the group to the group as which Apache runs.

So it’s definitely OK to make folders writable, you just need to be careful.

Please note that most of the directories only need to be writable if you use the Panel. If you edit the files via FTP or use a deployment strategy (use the Panel on a staging site and deploy the changes to production), only the /thumbs directory needs to be writable. And if you don’t use the Kirby thumb methods, even that one doesn’t need to be.

We can’t make guarantees about Kirby’s security, but especially if you don’t use the Panel, there aren’t many possible attack vectors. :slight_smile:


#4

@lukasbestle , thank you for the answer.

After what you quote, the article also says:

Making directories writable by the web server should be done only with care and consideration. The usual threat model is that someone manages to upload (for instance) a PHP script of their own making into the document root, and simply executes that by accessing it through a browser. Now someone is executing code on your machine. Google for ‘r57′ for an example of what such code can do.

If a web app needs writable directories, it’s often better to have those outside the DocumentRoot: that way the uploads can’t be accessed from the outside through a direct URL. Some applications (WordPress for instance) support this, others do not.

I would say he does not affirm that it is OK to make folders writable. He says this is a risk and needs to be done with “care and consideration”, but what constitutes “care and consideration” when dealing with a Kirby installation with the Panel and everything? I can either give apache write access or not; what else is there?

The author also says that “If a web app needs writable directories, it’s often better to have those outside the DocumentRoot” and mentions that WP allows this. Can this be done with Kirby? Would this be something Kirby would consider relevant to add to project?

I am of course not trying to say Kirby IS insecure, at all. I am not an expert at all either. But as apache-savvy people have insisted this IS actually a threat, and articles such as the one quoted here insist on it as well, I am trying to understand the risk better, and possible workarounds.

Thank you!


#5

That’s exactly the problem. If just one directory is writable, there is a possible attack vector if the attacker has a way to write an arbitrary file to the file system. There is no “secure way of making directories writable”.

But for a dynamic site, having write access is just necessary. Disabling it entirely is like pumping the fuel out of your car to prevent it from blowing up. Works fine, but then you can’t drive.

That is indeed already possible with the custom folder setup. Please note that the thumbs directory still needs to be accessible via a URL (otherwise the thumbs can’t be served), but there are ways to disable PHP execution via a .htaccess file in that directory in case an attacker ever finds a way to upload a PHP file to that directory (which is unlikely).

Please keep in mind that there are always people with very strong opinions. Some will tell you that you need to add dozens of protection layers to make your site secure. Some will tell you that it all doesn’t matter. The right way is somewhere in between. :wink:
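An added example, not from any post in this thread and not Kirby's own tooling, that turns the advice above into something checkable: it takes the directory lists from #1 and #3 (everything for the Panel, only /thumbs without it), makes exactly those group-writable for the web server, prints the Apache rule from #5 that stops PHP from being executed or served out of those directories, and audits what is still writable afterwards. It assumes a POSIX shell with find/chmod/chgrp, that it runs as the deploy user who owns the tree (or as root), that the web server runs under the group passed as the second argument (www-data here is only an example), Apache 2.4 (`Require` syntax), and a Kirby 2 style layout; the script name and all paths are illustrative.

```shell
#!/bin/sh
# Added example for this thread; not Kirby's own tooling and not from any post above.
# It turns "care and consideration" into three concrete steps for a Kirby docroot:
#   1. only the directories the Panel needs are writable by the web server group,
#   2. the web server is told never to execute or serve PHP from those directories,
#   3. an audit lists whatever is writable, so the result can be checked.
# Assumptions: POSIX sh with find/chmod/chgrp; the script runs as the deploy user
# that owns the tree (root works too); the web server runs as the group given as
# $2 (e.g. www-data); Apache 2.4. The directory lists are the ones from the thread.
set -u

# Directories (relative to the docroot) that the Panel writes to.
PANEL_WRITABLE="site/accounts thumbs content assets/avatars"
# Without the Panel (editing via FTP or deploying), only thumbs needs to be writable.
NO_PANEL_WRITABLE="thumbs"

# Print an Apache <Directory> block that refuses to execute or serve PHP from $1.
# Keep this in the vhost config, not in a .htaccess inside the directory: a
# .htaccess that lives in a web-server-writable directory can be rewritten by
# whoever gains write access there, which is exactly the attacker we worry about.
no_php_directory_block() {
    cat <<EOF
<Directory "$1">
    # mod_php: turn the engine off; php_admin_flag cannot be overridden lower down
    <IfModule mod_php.c>
        php_admin_flag engine off
    </IfModule>
    <IfModule mod_php7.c>
        php_admin_flag engine off
    </IfModule>
    # Any SAPI (PHP-FPM included): never serve PHP-like files from here at all.
    # (?i) because mod_mime matches extensions case-insensitively, so x.PHP would
    # otherwise be handed to PHP while a case-sensitive pattern lets it through.
    <FilesMatch "(?i)\.(php|phtml|phar|php[0-9])\$">
        Require all denied
    </FilesMatch>
</Directory>
EOF
}

# Make $1 read-only for group $2, then group-writable only for the directories in $3.
apply_permissions() {
    docroot="$1"; web_group="$2"; writable="$3"
    chgrp -R "$web_group" "$docroot" || return 1
    # Baseline: owner may write, web server group and others only read.
    find "$docroot" -type d -exec chmod 755 '{}' +
    find "$docroot" -type f -exec chmod 644 '{}' +
    for rel in $writable; do
        dir="$docroot/$rel"
        [ -d "$dir" ] || { echo "skipping missing directory $dir" >&2; continue; }
        # 2775: group-writable; setgid so files the deploy user adds later inherit
        # the web server group instead of silently becoming unwritable to the Panel.
        find "$dir" -type d -exec chmod 2775 '{}' +
        find "$dir" -type f -exec chmod 664 '{}' +
    done
}

# List every path under $1 that group $2 (or everyone) may write to, sorted.
# Diff this against the list you intended; anything extra is a finding. If the
# web server *owns* files (Panel uploads do), add "-user www-data" to the test.
audit_writable() {
    docroot="$1"; web_group="$2"
    find "$docroot" \( \( -group "$web_group" -perm -020 \) -o -perm -002 \) -print | sort
}

# Usage: harden_kirby.sh /var/www/kirby www-data [panel|nopanel]
# Apache config goes to stdout (redirect into the vhost), the audit to stderr.
if [ "$#" -ge 2 ]; then
    list="$PANEL_WRITABLE"
    if [ "${3:-panel}" = "nopanel" ]; then list="$NO_PANEL_WRITABLE"; fi
    apply_permissions "$1" "$2" "$list"
    for rel in $list; do no_php_directory_block "$1/$rel"; done
    echo "--- still writable by group $2:" >&2
    audit_writable "$1" "$2" >&2
fi
```

Two caveats worth keeping in mind: the `<Directory>` blocks belong in the vhost configuration precisely because `php_admin_flag` and a server-level `Require` cannot be undone by a `.htaccess` that an attacker drops into the writable directory, whereas a `.htaccess` inside /thumbs can be replaced by anyone who can write there; and the audit only answers "what can the web server write", not "what does the web server own", so on a site where the Panel has already created files you should extend it with `-user` for the web server account. Moving the writable directories outside the document root (the custom folder setup mentioned in #5) is a separate step that this script does not cover.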


#6

Thanks @lukasbestle :slight_smile:

I will check out the custom folder setup.