Nidelven IT - All about Python, Zope & Plone - and Open Source!

Here you'll find issues related to our services. Mostly about Python, Zope and Plone, as well as hosting-related issues.

"Keeping IT real"







Nidelven IT - Important note about security

Hi,

this is an important message regarding security for our shared server customers (Standard, Plus and Webmaster). If you have a Standard account with only a Zope and/or Plone website where we did the configuration, you can disregard this message.

This message is posted on our hosting weblog

  http://www.nidelven-it.no/weblogs/hosting

and sent out to the registered email addresses on each account. If you receive this message on several different addresses, we apologize. If you are not a technical person, please consult with a technical person before responding to this message. As of now, we have taken many steps to ensure that your data is relatively safe. As mentioned below, an audit where we consult is an option.

We've noticed that some of our customers put what could be sensitive files in their home directories. Files that lie directly in the home directory could by default be readable by others.

For example, after logging in via SSH, and running 'ls -ld .' the following will be seen:

morphex@infernal-love:~$ ls -ld .
drwxr-xr-x 11 morphex morphex 4096 2008-11-14 05:32 .

What is displayed here is a directory (in this case, the home directory of the user morphex). The string drwxr-xr-x means that what is listed is a directory (the d at the start), with the permissions read-write-execute for the owner (rwx), read-execute for the group (r-x) and read-execute for others (r-x).

This means that other users on the same server can list the contents of your home directory. This is the way it has to be, as for example Apache needs read access to the apache directory located in the home directory.

Now, looking further at the contents in the home directory, you could see something like this:

morphex@infernal-love:~$ ls -l
total 44
Permissions User Group Size Date and time Name
drwxr-x--- 4 morphex daemon 4096 2007-01-17 02:44 apache
-rw-r----- 1 morphex morphex 3425 2008-03-06 19:16 apache.conf
drwxr-x--- 2 morphex morphex 4096 2008-03-06 19:13 bin
-rw-r--r-- 1 morphex morphex 16152 2007-08-06 10:54 index.html
drwxr-x--- 2 morphex morphex 4096 2008-03-06 19:16 logs
drwxr-x--- 9 morphex morphex 4096 2007-08-06 10:38 squid
drwxr-x--- 2 morphex morphex 4096 2008-02-11 01:17 tmp
drwxr-x--- 7 morphex morphex 4096 2007-01-17 02:41 zope

This is an example of good security settings; the apache directory is only readable and executable by the owner and the group. The daemon group is what the Apache process runs under, and Apache needs (at least) read and execute access to the apache directory and subdirectories to properly display websites.

Now, take for example the index.html entry. This is a typical example of files that could be readable by others, as it has the "read bit" set for owner, group and others (others being all users). If the index.html file contained sensitive information such as usernames and passwords, it would be possible for any user on the same server to read that information.

To protect a file or directory, use the command 'chmod o-rwx' on a file or directory, such as this:

morphex@infernal-love:~$ ls -l index.html
-rw-r--r-- 1 morphex morphex 16152 2007-08-06 10:54 index.html
morphex@infernal-love:~$ chmod o-rwx index.html
morphex@infernal-love:~$ ls -l index.html
-rw-r----- 1 morphex morphex 16152 2007-08-06 10:54 index.html
morphex@infernal-love:~$

Along the same lines, if you have a directory with sensitive information, it should be protected with the 'chmod o-rwx directory-name' command.
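The check described above can be run over a whole home directory at once. The following is an added example, not Nidelven IT's own tooling; the function names and the throwaway directory tree are constructed for illustration. It lists every entry that grants any permission to others, and it skips the contents of directories that are already closed to others, since nothing below them can be reached by other users.

```shell
#!/bin/sh
# Added example: report entries in a home directory that "others" can access.

# list_other_access DIR
# Print every file or directory below DIR that has an r, w or x bit set for
# others. DIR itself is not reported (the home directory has to stay listable).
# Symlinks are skipped because their own mode bits are not used.
# A directory with no bits for others is pruned: its contents are unreachable
# for other users, whatever the modes of the files inside.
list_other_access() {
    find "$1" -mindepth 1 \
        ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print \
        -o -type d ! -perm -001 -prune
}

# count_other_access DIR: number of entries reported (names without newlines).
count_other_access() {
    list_other_access "$1" | wc -l | tr -d ' '
}

# Demo on a constructed tree shaped like the listing in this notice.
demo() {
    home=$(mktemp -d) || return 1
    chmod 755 "$home"                      # home directory: drwxr-xr-x
    mkdir "$home/apache" "$home/zope" "$home/tmp"
    : > "$home/index.html"
    : > "$home/apache.conf"
    : > "$home/zope/passwords.txt"         # constructed sensitive file
    chmod 750 "$home/apache" "$home/tmp"
    chmod 755 "$home/zope"                 # deliberately too open
    chmod 640 "$home/apache.conf"
    chmod 644 "$home/index.html" "$home/zope/passwords.txt"

    echo "Accessible to others before the fix:"
    list_other_access "$home" | sort
    chmod o-rwx "$home/zope"               # the fix from this notice
    echo "Accessible to others after 'chmod o-rwx zope':"
    list_other_access "$home" | sort
    rm -rf "$home"
}

demo
```

After the fix, zope/passwords.txt is no longer reported even though its own mode is still -rw-r--r--, because the closed zope directory blocks access to everything inside it.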

If you notice that you have some files that could have been compromised (containing usernames and passwords, for example), we recommend setting new usernames and passwords for those logins.

Some of you might be worried that other users have read your data. That's a legitimate concern, but users on these servers are paying customers; for that reason we consider the chance of someone maliciously using this information to be low.

If you have any questions, please refrain from calling - use email instead. It is usually a lot easier to answer questions and give help over email - especially when it comes to technical matters.

Please see this page for more information about file-system permission settings:

http://en.wikipedia.org/wiki/File_system_permissions

We've gone through all the shared servers and changed the permissions (chmod o-rwx) for all files and directories starting with zope (zope*) and the name tmp in users' home directories. We did not chmod permissions for all files, as this could have unpredictable results for users who have a non-standard structure in their home directories. We have a list of the customers where the Zope permissions were wrong, and will get in touch with the affected customers so that (at least) passwords can be reset.

We've also gone over all the servers and changed the permissions for the ~/apache directory (chmod o-rwx) and changed the group to daemon. We urge everyone who makes use of usernames and passwords in the ~/apache directory to change any passwords used in these files.

PS: We consider the shared hosting packages to be relatively secure, but as this example shows, it might be better to run a server instead.

The Managed Server solutions we offer are a good choice if you need the extra security.

PPS: We will audit logs after this notice has been sent out, to see if any users try to access other users' information.

PPPS: If you want us to do a basic audit of your permission settings, we can do so, using half an hour of consulting time in the process (costing roughly 350 NOK / 50 USD / 40 EUR):

http://www.nidelven-it.no/product?path=plone/webshop/service...

With kind regards,

Nidelven IT

[Permalink] [By morphex] [Hosting (Atom feed)] [2008 14 Nov 06:29 GMT+2]
