Alternative secure chmod for WireDatabaseBackup files

[hettiger]

Short description of the issue

Using $config->chmodFile for .sql files is a bad idea on some shared hosting environments.

Real world example

My Host recommends chmod 640 for .htaccess-, .html-, .txt and image files etc.
Therefore I've set $config->chmodFile = '0640';

When it comes to directories they suggest chmod 710.
Therefore I've set $config->chmodDir = '0710';

Now for PHP scripts (guess that also applies to SQL files) they suggest chmod 600.
Unfortunately I have not found any matching $config property for this case.

Conclusion

I think using chmod 640 for SQL files in this case is insecure and this needs to be fixed.

I'd even say ProcessDatabaseBackups, WireDatabaseBackup and all modules that rely on these must be considered insecure on shared hosting environments.

Solution

Make ProcessDatabaseBackups a ConfigurableModule.

OR

Introduce a new config property $config->chmodSensitiveFile and use this instead.

I think a new config property is better because of 3rd party modules that may rely on WireDatabaseBackup. (It may be helpful in other scenarios as well ...)

ProcessWire version: 3.0.35

[LostKobrakai]

In a shared hosting environment no other user should be able to read your files, no matter which files they are. So if 0640 is enough for your data files it's enough for your sql files.

The reason for your host to suggest php scripts to have a chmod of 0600 is probably, so that the webserver cannot modify those files in case you fucked up and a hacker got access to modify your php files via your website. But for such an attack to be useful the modifiable files need to be executable, which only your php files are. Sql files are essentially as useful to modify as any .txt file with sensitive data in it.

[ryancramerdesign]

Most shared hosts run with Apache running as the user. If instead
Apache/PHP is running as same user for all, there really is no way I know
for certain to protect your files from other users (not even 0600), while
still being read/write to PW, unless the host has implemented some other
kind of protection. Assuming Apache is user, and we don't know what group
is, I probably wouldn't use anything but 0600 for your chmodFile and 0700
for chmodDir. While one could add more chmod config properties, it would
likely be redundant because they'd have the same values.

On Oct 2, 2016 12:06 PM, "Benjamin Milde" notifications@github.com wrote:

In a shared hosting environment no other user should be able to read your
files, no matter which files they are. So if 0640 is enough for your data
files it's enough for your sql files.

The reason for your host to suggest php scripts to have a chmod of 0600 is
probably, so that the webserver cannot modify those files in case you
fucked up and a hacker got access to modify your php files via your
website. But for such an attack to be useful the modifiable files need to
be executable, which only your php files are. Sql files are essentially as
useful to modify as any .txt file with sensitive data in it.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
#20 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAUCUGX2anaAMqIlGhOv9IxHCQ_7u5mMks5qv9ZwgaJpZM4KMCTB
.

[hettiger]

@LostKobrakai You seem to be more experienced in the matter of file permissions and shared hosting environment setups than I am. I happily accept that answer feeling a bit more secure now.

Do you think a new config property like $config->chmodSensitiveFile is completely pointless then? (What about module upgrades for example. These will eventually write new PHP files to the system ...)

[hettiger]

@ryancramerdesign Thank you for the detailed explanation Ryan. I think this issue should be closed without further action. Sorry for the mess thought :-/

[ryancramerdesign]

Thanks, but it's not a mess thought at all, it's quite a good one. You are
thinking the right way. I've had similar thoughts many occasions, but
always come back to finding out the permission choices would end up the
same as what would be right for the existing properties. It's always a bit
tough when it comes to shared hosts, security gets a lot more complicated
depending on how things are setup at the host. But if you can stick with
0600 and have it still work for the website, and you can still modify
those same files via ftp, I would stick with that.

On Oct 2, 2016 12:29 PM, "Martin Hettiger" notifications@github.com wrote:

@ryancramerdesign https://github.com/ryancramerdesign Thank you for the
detailed explanation Ryan. I think this issue should be closed without
further action. Sorry for the mess thought :-/

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#20 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAUCUG2yp1tDzlEQ50VMVpULhGQLEHR1ks5qv9v_gaJpZM4KMCTB
.