Using Linux groups to improve add-on installer security

ForestForTrees

Heya,

I would like to use one of the Add-on Install & Upgrade tools (either the one by @Chris Deeming or the one by @Waindigo), but, wanting to run a secure server, I am concerned about giving write permissions too liberally. Basically, these addons can save you a lot of time but require you to give 777 permissions to most or all of your xenForo folder.

I had an idea for a workaround that would make me feel considerably more comfortable. I'd love to hear people's thoughts on whether it is feasible.

The idea is related to an idea put forth by @HittingSmoke :
http://xenforo.com/community/threads/add-on-install-upgrade.35211/page-26#post-647497
Basically, right before you install or upgrade an addon using the tool, you chmod -R 777 XenforoRootDirectory/ and then, after you are done, you chmod -R 755 it again (assuming you are, in general, comfortable with 755).

My approach is similar but involves less recursive chmodding. Basically, you run the following commands ONCE:
Code:
# creates a new group called addon. Because it is new, no one belongs to it.
groupadd addon 
# gives the entire xenForo directory to this empty group
chgrp -R addon xenForoRootDirectory
# gives the owning group full permissions
chmod -R g=rwx xenForoRootDirectory/

The installer addons do their filesystem writing via your web server (or perhaps a PHP interpreter). Let's call the user that program runs under HTTPD

Then, when you want to install or upgrade addons you run:
Code:
# adds HTTPD to the empty addon group.
usermod -a -G addon HTTPD
This should give the web server write privileges in the xenForo directories.

When you are done, just remove HTTPD from the addon group. This removes all special permissions.

I like the idea because no matter what you do, you're pretty much going to have to give write permission to HTTPD. If any of the scripts you run has a security flaw in them, then a hacker would be able to rewrite anything in your xenForo root folder. Maybe I have a stick up my butt, but I would hesitate to give HTTPD those sort of write permissions for years at a time. But for 2 minutes at a time? This feels safer to me. Yes, I know it's not secure. But it seems a lot better than 777. And I can't think of a better way to run these addons, which seem quite helpful.

I'm posting this here because it seems more likely to get a response from people interested in server configuration. Plus, it seems equally relevant to the two installer addons, so I wouldn't know where to put it anyway.
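Added example, not part of the original post: the open/close steps above as a dry-run helper, plus a check for one detail of the scheme, namely that a process's supplementary groups are fixed when it starts, so a membership change in either direction only takes effect once the PHP service is restarted. `gpasswd -d` for the removal step, the `php-fpm` service name and `systemctl` are assumptions; `HTTPD` and `addon` are the post's placeholders.

```shell
#!/bin/sh
# Added example. WEB_USER, GROUP and SERVICE are assumed placeholder names.
WEB_USER="${WEB_USER:-HTTPD}"
GROUP="${GROUP:-addon}"
SERVICE="${SERVICE:-php-fpm}"

# Print (not run) the commands that open or close the write window.
# The restart is needed because running workers keep the group list
# they were started with.
window_cmds() {
    case "$1" in
        open)  echo "usermod -a -G $GROUP $WEB_USER" ;;
        close) echo "gpasswd -d $WEB_USER $GROUP" ;;
        *)     return 2 ;;
    esac
    echo "systemctl restart $SERVICE"
}

# Succeed if the /proc/<pid>/status file $1 lists numeric GID $2
# among the process's supplementary groups.
status_has_gid() {
    awk -v gid="$2" '
        $1 == "Groups:" { for (i = 2; i <= NF; i++) if ($i == gid) found = 1 }
        END { exit found ? 0 : 1 }' "$1" 2>/dev/null
}

# After "close": list PIDs of WEB_USER processes that still carry GROUP.
# Any output means the window is still open for those processes.
stale_pids() {
    gid=$(getent group "$GROUP" | cut -d: -f3)
    [ -n "$gid" ] || return 2
    for pid in $(pgrep -u "$WEB_USER"); do
        if status_has_gid "/proc/$pid/status" "$gid"; then echo "$pid"; fi
    done
    return 0
}

# Usage: script open | close  (prints the commands), script check
case "${1:-}" in
    open|close) window_cmds "$1" ;;
    check)      stale_pids ;;
esac
```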
 
Wow. I really wish I'd thought of this.

I'm currently deploying an XF forum to a shared host and was going to write some scripts to deal with permission changes for an addon installer. I think I might have to wrench this method together to fit my needs. At the very least I'll end up with much shorter scripts as I won't have to deal with fixing permissions on upload subdirectories which require write access.

Thanks!
 
I like the idea because no matter what you do, you're pretty much going to have to give write permission to HTTPD. If any of the scripts you run has a security flaw in them, then a hacker would be able to rewrite anything in your xenForo root folder. Maybe I have a stick up my butt, but I would hesitate to give HTTPD those sort of write permissions for years at a time. But for 2 minutes at a time? This feels safer to me. Yes, I know it's not secure. But it seems a lot better than 777. And I can't think of a better way to run these addons, which seem quite helpful.
You don't need to change the perms for your httpd user. Just set it properly in config.php and block access to external users by defining the key files for internal use.
Code:
[root@chronos ~]# ls -lah /var/www/xenforo/library/config.php
-rw-r--r--.  1 root root 737 Aug 25  2012 /var/www/xenforo/library/config.php
[root@chronos ~]# grep chmod /var/www/xenforo/library/config.php
$config['chmodWritableValue'] = 0644;
[root@chronos ~]# ls -lah /var/www/xenforo | grep data
drwxr-xr-x.  4 php-fpm root 4.0K Feb 21  2011 data
drwxr-xr-x.  6 php-fpm root 4.0K May 12  2012 internal_data
https://www.axivo.com/community/data/
https://www.axivo.com/community/library/config.php
 
Glad to hear you like it, @HittingSmoke, and thanks for your original comment. It helped make things concrete as I was doing the research leading up to this post.

@Floren, I'm not sure if I'm following what you are saying. I may not have made it clear enough, but my original comment pertained only to security vulnerabilities that could be introduced by permission modifications required by the two Add-On Installer add-ons: Install and Upgrade by Waindigo and Add-on Install & Upgrade by Chris Deeming. Because addons may put files in virtually any file in your XenForo hierarchy, some people may, as part of installing the addon, for example,
Code:
chmod -R 777 /var/www/xenforo/
My observation was that whatever user PHP runs under (for you it looks like it would be php-fpm, but in general I called it HTTPD) would need write permissions for any file or directory that might need to be written to during an add-on install or upgrade.

I think that XenForo itself is probably armored pretty well. But suppose a user runs another PHP script that isn't quite as hacker-proof. For example, we used to run a terrific free chat room script called PHPFreeChat. It's probably secure, but how do I know for sure?

To make things concrete, let's suppose that we run PHPFreeChat, XenForo, and other scripts on a server running Linux, nginx and PHP-FPM (this setup is made up - we run other things) and suppose we had installed Chris Deeming's Add-on Install & Upgrade add-on. I'm not a PHP-FPM expert because I don't actually use it, but let's assume that PHP-FPM must run under a specific Linux user account. Let's call that account HTTPD. For Add-on Install & Upgrade to function, HTTPD must have write permission to any file or directory that needs to be written to in order to install or upgrade an add-on. For simplicity, let's assume that all PHP on the server is run using PHP-FPM.

Let's suppose that PHPFreeChat has an SQL injection vulnerability or a buffer overflow problem of some sort that allows an attacker to run arbitrary PHP code. Because PHPFreeChat would also run under HTTPD, the hacker could inject arbitrary PHP code into any of my XenForo addons via the PHPFreeChat vulnerability. I'm no hacker, but I suspect that this PHP code could do things like:
  • turn off my forum or make themselves admin
  • download or subtly corrupt data such as email addresses
  • upload malware onto my xenforo server and create a post by me urging people to install it and download it
  • add other backdoors into the software
  • download javascript onto my users' browsers for drive-by style exploits
Now, we're far too small of a site to make this type of hacking worthwhile for anyone, so if another admin isn't concerned about this type of thing, I figure that their server is their castle, and it's none of my business. From my perspective, I don't know if there is a right answer. I just wanted to know what the community has to say about the strategy described in the OP.

Bottom line: my original post wasn't concerned so much with the security vulnerabilities introduced by the permissions recommendations in the XenForo installation directions. I hope I didn't misinterpret your post.

Now that you bring it up, is the doomsday scenario I described above unavoidable for any XenForo installation because the Linux user that I have labeled HTTPD must have permissions to write to the data and internal_data folders? A possible key difference is that with the two add-on installer add-ons, HTTPD must be able to write to .php files that actually get executed. I don't see any such files in my data or internal_data folders, which seems like a crucial distinction. I don't know enough about the data and internal_data folders to know if they would be as valuable to an attacker as PHP files would be, but, if they are, then my whole argument would be greatly weakened.

.... if it's not clear already, I do not in any way claim to be an expert on this, and am posting in hopes of getting feedback from people who know more than I do. If you see a substantive error that I'm making, please let me know.
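Added example, not part of the original post: one way to measure the distinction drawn above between writable data folders and writable executable code, by listing the .php files and the directories under the forum root that the PHP account could modify. A writable directory is reported because it allows a file inside it to be replaced even when the file itself is read-only. The function name and its arguments are hypothetical, and `find` is assumed to support `-user`/`-group` with names or numeric IDs.

```shell
#!/bin/sh
# Added example. Arguments: forum root, web/PHP user, group that user is in.
# Prints every directory and *.php file that is writable through the
# "other" bits, through ownership by the user, or through the group.
web_writable_code() {
    root="$1"; user="$2"; group="$3"
    find "$root" \( -type d -o -type f -name '*.php' \) \
        \( -perm -0002 \
           -o \( -user "$user" -perm -0200 \) \
           -o \( -group "$group" -perm -0020 \) \) -print
}

# Usage: script /var/www/xenforo HTTPD addon
# Empty output means the account cannot alter executable code under the root.
if [ "$#" -eq 3 ]; then
    web_writable_code "$@"
fi
```

Running it once with the `addon` group and once with the account's normal group shows what the install window adds to the account's reach.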
 
@Floren, I'm not sure if I'm following what you are saying. I may not have made it clear enough, but my original comment pertained only to security vulnerabilities that could be introduced by permission modifications required by the two Add-On Installer add-ons: Install and Upgrade by Waindigo and Add-on Install & Upgrade by Chris Deeming. Because addons may put files in virtually any file in your XenForo hierarchy, some people may, as part of installing the addon, for example,
Code:
chmod -R 777 /var/www/xenforo/
My observation was that whatever user PHP runs under (for you it looks like it would be php-fpm, but in general I called it HTTPD) would need write permissions for any file or directory that might need to be written to during an add-on install or upgrade.
You can use a system user (i.e. httpd, php-fpm in my case) to own recursively the entire /var/www/xenforo directory and still be very secure. The key is to set the /library directory to internal access only. In this way, even if someone finds a way to inject things from the outside world, they will not be able to execute it. For example, the directory will be set to 0755 and owned by httpd:root and the Waindigo plugin will still work. :)
 