secure webserver and CMS layout
Posted: Tue Jan 23, 2018 5:03 am
Hi,
Since Spectre and Meltdown everybody should have understood that it's important to have a kernel and user space that cannot influence each other and that, as a consequence, every CMS and blog software should also carefully separate its files, directories and permissions.
The FAQ for s9y states under https://docs.s9y.org/docs/faq/index.html:
"In usual environments, your FTP user should be within the same group like your webserver user, so that you are able to modify files with the right umask. However, some providers might not think about that and thus deny you access to your own files."
Well, "usual" cannot be more wrong. It's far more secure to have a webserver running under a different user and group than the FTP user.
Core files, like the blog's program data, should only belong to the FTP user, should only be writable by the FTP user and readable by the webserver's user. Only a few files and directories really need to be writable by the webserver itself (like temporary data).
Even if there might be a bug in whatever software package or plugin (might not even be a bug in s9y, but in another software package residing on the same webserver) or whatever user password got lost, contents or files could only be changed in some places and the core files of s9y could not be modified at all.
In consequence it's important to change the directory structure of s9y and rewrite the update mechanisms (by using ftp, sftp or scp to "localhost"); even WordPress understood this years ago.
BTW: it's also a security problem if the config file resides inside the document root.
Good providers have at least one directory accessible for the customer only via (s)ftp that can be read by the webserver locally and is outside the document root, so it cannot be accessed at all directly via the web. s9y should at least have the possibility to store its config file there. Good systems separate their files even more.
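The layout the post argues for, as an added example that is not part of the original post or of the s9y project: a POSIX shell script that builds a scratch copy of the tree (core files owner-writable and group-readable only, just the temporary/upload directories writable by the webserver's group, the config file outside the document root) and then audits it for files writable by the webserver outside an allowlist and for a config file that has ended up inside the document root. Assumptions: the webserver runs as a separate user that is only a member of the FTP user's group, so group-write is the bit that matters; since an unprivileged script cannot chown to two users, the audit checks mode bits only; the names `templates_c`, `uploads` and `serendipity_config_local.inc.php` are taken as s9y's usual layout and can be swapped for whatever the real installation uses.

```shell
#!/bin/sh
# Added example (not from the forum post or the s9y code base).
# Builds the "core read-only for the webserver, a few dirs writable" layout in
# a temp directory and audits it. Assumption: the webserver's user is a member
# of the FTP user's group, so "group-writable" means "the webserver can write".
set -eu

# setup_layout BASE: constructed sample tree; file contents are placeholders.
setup_layout() {
    base="$1"
    mkdir -p "$base/htdocs/plugins" "$base/htdocs/templates_c" \
             "$base/htdocs/uploads" "$base/private"
    printf '<?php // core file\n'   > "$base/htdocs/index.php"
    printf '<?php // plugin file\n' > "$base/htdocs/plugins/serendipity_plugin_x.php"
    # Config lives OUTSIDE the document root, readable by the webserver only.
    printf '<?php // config\n' > "$base/private/serendipity_config_local.inc.php"
    # Core: owner (FTP user) rw, group (webserver) read-only, others nothing.
    find "$base/htdocs" -type d -exec chmod 750 {} +
    find "$base/htdocs" -type f -exec chmod 640 {} +
    # Only temporary/upload data needs to be writable by the webserver.
    chmod 770 "$base/htdocs/templates_c" "$base/htdocs/uploads"
    chmod 750 "$base/private"
    chmod 640 "$base/private/serendipity_config_local.inc.php"
}

# audit_layout DOCROOT ALLOWED_SUBDIR...: prints one line per finding.
# Finding 1: anything under DOCROOT that is group- or world-writable and not
#            inside an allowlisted subdirectory.
# Finding 2: the local config file present anywhere under DOCROOT.
audit_layout() {
    docroot="$1"; shift
    allowed="$*"
    find "$docroot" \( -perm -020 -o -perm -002 \) -print | while read -r p; do
        ok=0
        for a in $allowed; do
            case "$p" in
                "$docroot/$a"|"$docroot/$a"/*) ok=1 ;;
            esac
        done
        [ "$ok" -eq 1 ] || echo "writable outside allowlist: $p"
    done
    find "$docroot" -name 'serendipity_config_local.inc.php' -print \
        | sed 's/^/config inside document root: /'
}

# demo: clean layout must yield 0 findings; after loosening a core file and
# copying the config into the document root it must yield exactly 2.
demo() {
    tmp=$(mktemp -d)
    setup_layout "$tmp"
    clean=$(audit_layout "$tmp/htdocs" templates_c uploads | wc -l | tr -d ' ')
    chmod 660 "$tmp/htdocs/index.php"                       # core file now webserver-writable
    cp "$tmp/private/serendipity_config_local.inc.php" "$tmp/htdocs/"   # config inside docroot
    tampered=$(audit_layout "$tmp/htdocs" templates_c uploads | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "clean=$clean tampered=$tampered"
    [ "$clean" -eq 0 ] && [ "$tampered" -eq 2 ]
}

demo
```

Run against a real installation as `audit_layout /path/to/htdocs templates_c uploads` (plus whatever other directories the deployment legitimately lets the webserver write to); an empty result is the state the post describes, and every line printed is a place where a compromised webserver process could alter code or read the configuration.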