Skip to first unread message
Kevin Bowrin
Jul 27, 2022, 3:25:54 PM7/27/22
to AtoM Users
Hello all,
With a default install of AtoM 2.6.4, the qubit view and i18n caches at cache/qubit/{cli,prod,worker}/{config,template} use very insecure permissions. They seem to be writeable and readable by all users.
Is there any way to tighten those permissions? Maybe an option in factories.yml?
Thanks,
Kevin Bowrin
Carleton University Library
Steve Breker
Aug 3, 2022, 3:06:00 PM8/3/22
to AtoM Users
Hi Kevin
These appear to be automated attempts at testing for sql injection vulnerabilities. It is pretty common for a public website to see this kind of probing, but as you've noticed these do generate 500 errors in AtoM and record an empty stub file in AtoM's cache folder with a .php extension. There is no real content in these cache files, just some cache code added by the Symfony framework on which AtoM is based.
It is unfortunate that these return a 500 error and create a cache file, but this does not look inherently risky. Based on the recommended Nginx rules, a user cannot directly request php, yml and ini files from the atom folder or subdirectories. (https://www.accesstomemory.org/en/docs/2.6/admin-manual/installation/linux/ubuntu-bionic/#nginx). Changes would need to be made to the AtoM codebase to alter this behaviour.
Running `php symfony cache:clear` will clear these files, but at the expense of clearing the entire cache.
Regarding your second question about access permissions on the cache folder, Nginx should be configured to prevent direct requests to these folders (see link above). The AtoM user and group (usually 'www-data:www-data') should have 'rwxrwx' access to the cache folder. It is possible to restrict access to 'others'. (See: https://www.accesstomemory.org/en/docs/2.6/admin-manual/installation/linux/ubuntu-bionic/#filesystem-permissions). This will have the side effect that admins will not be able to directly view this folder without upgrading their permissions. The example in this link removes permission for 'others' for the entire atom directory, not just atom/cache which is also possible.
Let me know if I can answer any further questions regarding this.
Steve
Kevin Bowrin
Aug 3, 2022, 3:25:10 PM8/3/22
to ica-ato...@googlegroups.com
Thanks for the response Steve, appreciate the extra information. I'll sleep better tonight 😄. We're already using the recommended nginx config, and I've locked down the cache directory permissions as you suggested.
--
You received this message because you are subscribed to a topic in the Google Groups "AtoM Users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ica-atom-users/IPxi89Diz0w/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ica-atom-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ica-atom-users/7afa3ae6-f1d6-4749-9c58-df91f13b3629n%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages