Installation doc and filesystem permissions


Darren S.

Dec 23, 2015, 6:02:19 PM
to misp-...@googlegroups.com
Hi,

I wanted to see if a part of the MISP setup from the latest
installation guide could be optimized/improved or if it is correct
as-is.

https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.ubuntu1404.txt

5/ Set the permissions
----------------------

# Check if the permissions are set correctly using the following commands as root:
chown -R www-data:www-data /var/www/MISP
chmod -R 750 /var/www/MISP
chmod -R g+ws /var/www/MISP/app/tmp
chmod -R g+ws /var/www/MISP/app/files
chmod -R g+ws /var/www/MISP/app/files/scripts/tmp


The result of this configuration is that the web server user has
complete ability to create/modify directories and files in the MISP
document root. In most cases, isn't this an unnecessary level of access
for the web server user? I'd be concerned about potential software
(LAMP stack) or application (MISP) vulnerabilities exposing the
installation to remote users and giving them the ability to e.g.
upload webshells or other malicious content. In a shared hosting
arrangement (unlikely but possible in cases where MISP may be a
virtualhost alongside other sites on the same host) I think this also
increases the risk.

Would it be better to configure the installation so that files were
owned root:root (or similar, by platform) and group ownership +
group-writeable files/directories were used explicitly for locations
that MISP had to write to? Similarly, sensitive files (configs, etc.)
could be owned root:<webuser> and set not world-readable/writable.

I'm no expert in web hosting security but wanted to explore this, and
the changes I suggest do complicate the setup a bit more than it already
is.

Regards,

--
Darren Spruell
phatb...@gmail.com

Richard van den Berg

Dec 24, 2015, 2:35:21 AM
to Darren S., misp-...@googlegroups.com

> The result of this configuration is that the web server user has
> complete ability to create/modify directories and files in the MISP
> document root. In most cases, isn't this unnecessary level of access
> for the web server user?

I totally agree. Check out INSTALL.centos7.txt where I narrowed down which directories need write access. I haven't tested those for 2.4 yet, but it would be great if you could report back your results. 

5/ Set the permissions
----------------------
# Make sure the permissions are set correctly using the following commands as root:
chown -R root:apache /var/www/MISP
find /var/www/MISP -type d -exec chmod g=rx {} \;
chmod -R g+r,o= /var/www/MISP
chown apache:apache /var/www/MISP/app/files
chown apache:apache /var/www/MISP/app/files/terms
chown apache:apache /var/www/MISP/app/files/scripts/tmp
chown apache:apache /var/www/MISP/app/Plugin/CakeResque/tmp
chown -R apache:apache /var/www/MISP/app/tmp
chown -R apache:apache /var/www/MISP/app/webroot/img/orgs
chown -R apache:apache /var/www/MISP/app/webroot/img/custom

# If you want to be able to change configuration parameters from the web interface:
chown apache:apache /var/www/MISP/app/Config/config.php
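As an added example (not from either poster or the MISP project), a small POSIX shell audit in the spirit of Richard's narrowed-down layout: it walks a MISP tree and reports anything group- or world-writable outside the locations his command list hands to the web server user. Assumptions: the allow list is taken from his chown targets with app/files treated as one writable tree; the check covers mode bits only, since ownership on a real install can only be verified as root; the sample tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example: audit a MISP tree for write permission outside the
# directories the web server user is meant to write to. Checks mode
# bits only (no root needed); ownership is left to a root-run check.

# Allow list (relative to the MISP root), taken from the chown targets
# in the CentOS 7 guide quoted above; app/files treated as one tree.
MISP_WRITABLE="app/files app/tmp app/Plugin/CakeResque/tmp \
app/webroot/img/orgs app/webroot/img/custom app/Config/config.php"

# audit_misp_perms ROOT: print every group- or world-writable path
# outside the allow list; return 1 if any was found, 0 otherwise.
audit_misp_perms() {
    root=$1
    prune=""
    for p in $MISP_WRITABLE; do
        prune="$prune -path $root/$p -prune -o"
    done
    # shellcheck disable=SC2086  # $prune is a deliberate word list
    bad=$(find "$root" $prune \( -perm -020 -o -perm -002 \) -print)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# make_sample_tree: build a constructed MISP-like tree with the guide's
# layout plus one deliberate mistake (a group-writable app/Lib).
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/app/files/scripts/tmp" "$d/app/tmp" "$d/app/Config" \
             "$d/app/Lib" "$d/app/webroot/img/orgs"
    printf '<?php\n' > "$d/app/Config/config.php"
    printf '<?php\n' > "$d/app/Lib/AppModel.php"
    chmod -R u=rwX,g=rX,o= "$d"                # guide: g+r, o=
    chmod -R g+w "$d/app/files" "$d/app/tmp"   # legitimate write locations
    chmod g+w "$d/app/Lib"                     # the misconfiguration
    printf '%s\n' "$d"
}

# Demo on the constructed tree; on a real host pass /var/www/MISP instead.
SAMPLE=$(make_sample_tree)
audit_misp_perms "$SAMPLE" || echo "audit: writable paths outside the allow list"
rm -rf "$SAMPLE"
```

On a real install, run it as root and add `! -user root` style owner tests to the find expression to catch files the web server user owns outside the allow list.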