Setting a folder as user nobody - good thing or bad thing?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Doctor_Cox
Forum Newbie
Posts: 4
Joined: Sun Oct 08, 2006 3:39 am

Setting a folder as user nobody - good thing or bad thing?

Post by Doctor_Cox »

Greetings all,

I'm trying to create a mysql backup script. The dump has been generated, but now I want to be able to save it to a file to FTP it to another server away from my company's primary one. But because we are running in safe mode, file creation is severely restricted. Reviewing things, the only solution I could come to was to create a folder, assign it to the nobody user, and then use that for writing the files to before FTP'ing them.

Will doing so be a possible security risk?
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Since 'nobody' can write files there, you're not sure that the file in that location is really the one your script created (or a modified version placed there by someone else). Why can't you run the script under your user account?
Doctor_Cox

Post by Doctor_Cox »

Thanks for your response.

How would I go about running the script under the user account? Every time I run it it complains about a UID mismatch due to safe mode being on.

Regardless, I don't think file injection will be a problem but correct me if I'm wrong. I'm not very familiar with Linux, especially security. The script will be a cron job that will create files based on the database table, e.g.

cart_products.sql
cart_categories.sql

Before uploading them to an FTP account then deleting them. The simple method to guard against someone injecting files will be to check for any files in the folder before beginning the dumping process and deleting any found. Even if someone were able to get a file into this folder, it couldn't do any damage thanks to safe mode, and it wouldn't gain them access to other parts of the system. Correct or not?
timvw

Post by timvw »

Doctor_Cox wrote:Thanks for your response.

How would I go about running the script under the user account? Every time I run it it complains about a UID mismatch due to safe mode being on.
Use crontab to activate the script...
Doctor_Cox wrote: Before uploading them to an FTP account then deleting them. The simple method to guard against someone injecting files will be to check for any files in the folder before beginning the dumping process and deleting any found.
Here is an obvious example of a scenario where you have a security problem:

generate file
----> malicious replacement of the file
upload file

I wonder why you need to create a temporary file anyway... Just simply pass the output of the dump-generation process to your ftp-client as file input...

Doctor_Cox wrote: Even if someone were able to get a file into this folder, it couldn't do any damage thanks to safe mode, and it wouldn't gain them access to other parts of the system. Correct or not?
The obvious issue is that it would make your backup system completely unreliable... and thus useless.

The solution is flawed by design, so I would most certainly not try to minimize the risk...
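The "generate / replace / upload" window timvw describes, shown as an added example that is not code from this thread. It is in Python rather than PHP so it runs as-is: `naive_backup` follows the original plan (write the dump by name into a directory that another account can also write to, then re-open it by name to upload), `swap_file` is a hypothetical attacker who only needs write permission on the directory to rename a replacement over the dump, and `hardened_backup` creates a private 0700 directory, opens the file with O_EXCL, and uploads from the descriptor it created after checking with `fstat` that the name still refers to that inode. The dump contents and the directory names are constructed for the demo.

```python
import os
import shutil
import tempfile

# Constructed stand-ins for the real dump and for an attacker's replacement.
REAL_DUMP = b"-- MySQL dump\nCREATE TABLE cart_products (id INT);\n"
TAMPERED_DUMP = b"-- looks like a dump\nDROP TABLE cart_products;\n"


def swap_file(path):
    """Hypothetical attacker with write access to the directory: drop a
    replacement beside the target and rename it over the original. Only the
    directory permission matters for this; the dump file's own owner and
    mode do not."""
    evil = path + ".evil"
    with open(evil, "wb") as f:
        f.write(TAMPERED_DUMP)
    os.replace(evil, path)


def naive_backup(shared_dir, name, dump, attacker=None):
    """The thread's design: write the dump by name into a directory another
    account can write to, then re-open it by name to upload. `attacker` runs
    in the window between the two steps."""
    path = os.path.join(shared_dir, name)
    with open(path, "wb") as f:
        f.write(dump)
    if attacker is not None:
        attacker(path)
    with open(path, "rb") as f:        # "upload": whatever the name points at now
        return f.read()


def hardened_backup(dump, attacker=None):
    """Private 0700 directory, exclusive create, and upload from the descriptor
    we created, after checking the name still refers to that same inode."""
    private_dir = tempfile.mkdtemp(prefix="dbbackup-")   # mkdtemp creates mode 0700
    path = os.path.join(private_dir, "cart_products.sql")
    fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, dump)
        if attacker is not None:       # impossible from outside a 0700 dir; forced here to show the check
            attacker(path)
        created, on_disk = os.fstat(fd), os.stat(path)
        if (created.st_dev, created.st_ino) != (on_disk.st_dev, on_disk.st_ino):
            raise RuntimeError("dump file was replaced before upload; aborting")
        os.lseek(fd, 0, os.SEEK_SET)   # read back through the descriptor we hold, not by name
        chunks = []
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)
        shutil.rmtree(private_dir, ignore_errors=True)


def demo():
    """Returns (naive_shipped_tampered_data, hardened_detected_swap)."""
    shared = tempfile.mkdtemp(prefix="shared-")
    os.chmod(shared, 0o777)            # world-writable drop folder, like the nobody-owned one
    try:
        shipped = naive_backup(shared, "cart_products.sql", REAL_DUMP, swap_file)
    finally:
        shutil.rmtree(shared, ignore_errors=True)
    try:
        hardened_backup(REAL_DUMP, swap_file)
        detected = False
    except RuntimeError:
        detected = True
    return shipped == TAMPERED_DUMP, detected


if __name__ == "__main__":
    print(demo())   # (True, True)
```

The naive run ships the attacker's file without any error; the hardened run refuses. The private directory is what actually removes the window (nobody else can rename into it), and the `fstat`/`stat` comparison is a cheap second check that also catches a replaced file on a host where the directory permissions were later loosened. Not keeping a temporary file at all, as suggested above, removes the problem entirely.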
Doctor_Cox

Post by Doctor_Cox »

timvw wrote:Just simply pass the output of the dump-generation process to your ftp-client as file input...
How do I do this? I reviewed the PHP FTP commands and nothing caught my attention as being capable of doing this. In fact this was my first port of call as I knew I was likely going to run into safe mode problems.

If I can do it via FTP commands, great, this will be easier to test than running the thing via the crontab.
Here is an obvious example of a scenario where you have a security problem:

generate file
----> malicious replacement of the file
upload file
I'm not arguing with the logic, but how could a hacker actually replace the file? I'm not doubting you, just curious. I want to learn. They'd have to be there at the exact moment of file creation, and know the names of one of the tables, which is what each file will be named in turn before FTP'ing. Theoretically possible? Yes. Practically possible? Doesn't appear so to me.

But FTP is still clearly the safest method, so if you could point me in the right direction I'd appreciate it.
Doctor_Cox

Post by Doctor_Cox »

Sorry for the bump but this is pretty important. Anyone else got any ideas?
timvw

Post by timvw »


<?php
file_put_contents('ftp://user:password@example.com/pub/mysql.dmp', shell_exec('mysqldump -u username -ppassword database'));
?>
(Don't forget that ftp is insecure by design... And you might want to consider scp or sftp instead..)
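An added example (not code from the thread) of the no-temporary-file approach in the post above, written in Python rather than PHP so it can be run as-is: the dump producer's stdout is streamed straight into the uploader, a SHA-256 is computed in flight so the receiving side can verify what arrived, and a non-zero exit from the producer fails the backup instead of quietly shipping a truncated file. `fake_mysqldump` is a constructed stand-in for `mysqldump` (it writes a made-up dump and exits with a chosen status) and `MemoryUpload` stands in for the write end of an `ssh`/`sftp` pipe; both names are assumptions for the demo. The shell form of the same idea is `mysqldump ... | ssh backup@host 'cat > cart.sql'`, with the MySQL password supplied through an option file rather than `-ppassword` on the command line, where other users may see it in the process list.

```python
import hashlib
import subprocess
import sys

# Constructed sample output; a real job would run mysqldump here.
SAMPLE_DUMP = (b"-- MySQL dump\n"
               b"CREATE TABLE cart_products (id INT);\n"
               b"CREATE TABLE cart_categories (id INT);\n")


def fake_mysqldump(exit_code=0):
    """Hypothetical stand-in for `mysqldump ...`: a child process that writes
    the sample dump to stdout and exits with `exit_code` (non-zero = failed)."""
    script = (
        "import sys\n"
        f"sys.stdout.buffer.write({SAMPLE_DUMP!r})\n"
        "sys.stdout.flush()\n"
        f"sys.exit({exit_code})\n"
    )
    return subprocess.Popen([sys.executable, "-c", script], stdout=subprocess.PIPE)


def stream_backup(proc, sink, chunk_size=65536):
    """Pipe proc.stdout into `sink` chunk by chunk, hashing as it goes.
    Nothing touches the local filesystem, so there is no file to swap.
    Returns (bytes_sent, sha256_hex); raises if the producer failed."""
    digest = hashlib.sha256()
    sent = 0
    while True:
        chunk = proc.stdout.read(chunk_size)
        if not chunk:
            break
        digest.update(chunk)
        sink(chunk)
        sent += len(chunk)
    status = proc.wait()
    if status != 0:
        raise RuntimeError(f"dump producer exited with status {status}; backup incomplete")
    return sent, digest.hexdigest()


class MemoryUpload:
    """Constructed sink: collects what would have gone to ssh/sftp stdin."""

    def __init__(self):
        self.received = bytearray()

    def __call__(self, chunk):
        self.received.extend(chunk)


def run_backup(exit_code=0):
    """Returns (bytes_sent, sender_digest, receiver_digest); the receiver
    recomputes the digest over exactly the bytes it got."""
    upload = MemoryUpload()
    sent, sender_digest = stream_backup(fake_mysqldump(exit_code), upload)
    receiver_digest = hashlib.sha256(bytes(upload.received)).hexdigest()
    return sent, sender_digest, receiver_digest


def backup_succeeded(exit_code=0):
    """True only when the producer exited cleanly and both digests agree."""
    try:
        sent, sender_digest, receiver_digest = run_backup(exit_code)
    except RuntimeError:
        return False
    return sent == len(SAMPLE_DUMP) and sender_digest == receiver_digest


if __name__ == "__main__":
    print(run_backup())
    print(backup_succeeded(0), backup_succeeded(2))   # True False
```

Two things this buys over the `file_put_contents` one-liner: the dump never exists on disk under a name anyone else can touch, and a dump that dies part-way is reported as a failure rather than silently overwriting last night's good copy on the remote side. Keeping the digest next to the uploaded file lets a restore job check it before trusting the backup.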