Forum OpenACS Q&A: Installation documentation and file permissions

After a long time of not touching Openacs-4, I just installed it and have some comments on file permissions. Overall, the documentation is good to read, I like it.

I added a comment on the AOLServer install page, but I guess that more people will see it when I also post it here (this version is longer):

Call me paranoid, but we should not encourage users to install the aolserver binaries writable/owned by the aolserver/nsadmin user. If at all possible, install as another user (root) and then make sure aolserver can read and write to the files it needs to. For example, it does not even need read permissions on the initial tcl file /home/aolserver/<service_name>.tcl, as this could possibly expose your database password to the someone who breaks into your server.

The problem is that to start the server listening on port 80, you need to start it as root. Aolserver will then read the config and drop priviliges ASAP. If aolserver can write to it's own binary, it can also replace it. I.e. anyone who hacks aolserver /or/ one of the OpenACS pages can have root priviliges next time you restart aolserver. As soon as you someone exploits a page, they can also stop the server process, triggering immediate restart in most cases. No local root exploit needed. Not good. Especially because you only need to move the nsd binary to someplace and then install a simple shell script that does the nasty stuff (and moves back the nsd binary).

I can probably point out dozens of input validation problems in vanilla 3.2.5, making this a real threat for that at least. I have as yet no idea how many of those exist in 4.5 - but you need only one to get root on a machine.

The general rule is: if root executes it, root MUST own and be the only one who can write to it. The directory permissions are also important as anyone with write permission can normally delete any file in that directory, even those owned by other users.

Pascal, thx for the useful post. Can you point out a few of the input validation problems in 3.2.5 you have in mind?
No I won't. First people need to fix their file permissions and then we will search for input validations and create a fixes.

The ones I know of aren't very trivial to exploit, you need to know Tcl pretty well and be cunning about it too. It's actually not really bad, as long as the file perms are okay.

Right; good strategy. I'm glad you raised this topic, since it's something that I've been worrying about lately.
Posted by Chris Johnson on

New aolserver 4.0 gentoo packages available

I appreciated this discussion of security; I used it in crafting my aolserver-4.0 gentoo installation package.

See this thread.