Apache Nobody Security Hole

I think I may have briefly touched on this issue before, but have now found what I was looking for in a brief investigation. One of the things that pushed this investigation was this issue: http://www.webhostingtalk.com/showth...ght=mysql+sock that just affected one of the servers I'm hosted on. Evidentially Apache had removed the required mysql file or more precisely 'nobody' removed the file so no php/mysql page would load and my sites were dead in the water. Fortunately the answer was here on WHT to fix the this issue and my host had given me the necessary rights so I was able to fix the immediate issue and my host followed up on that to secure it.

After some brief testing and some quick code writing following this incident, what I've found is that with 1 line of code, a php script running as nobody can assume whatever rights nobody has so if nobody has rights to remove a file then so can the person running the php script. I was able to create this 1 liner in a matter of seconds. Hosts need to be aware, if not already, that this may be an issue. One possible solution we're testing is chowning some files to root so nobody doesn't have access to change them.

It gets really frustrating when my sites go down because of issues like this so hopefully this fix will be somewhat permanent and we don't have to go through it again.

We already have SUEXEC installed which seems to work ok but I hate to have to recommend PHPEXEC when it seems to have some incompatibilities.

 

 

 

 

Top