Question : Perl + Unix: File upload security best practices

Hi Everyone,

I'm a veteran Perl programmer, but fairly new to Unix security. I have been using the CGI module for a long time to handle uploads, but haven't really paid much attention to the security issues... until now.

This question deals specifically with Unix, users, groups, file permissions and directory locations. I have no problem making uploads work just fine, but I'm wondering what the best practices are.

Here is my specific question:

- I am not a privileged user on this Linux system
- My Perl scripts all run under user 'apache', which is a member of group 'apache'
- Any directories or files I create myself are created with owner 'tom' and group 'dev'
- I do not have permissions to chown or chgrp
- I always upload to a directory I have created called 'uploads'
- Uploads fail unless 'uploads' directory is chmodded to 777 <-- SECURITY RISK

Since I cannot 'chown dev uploads', which would at least allow me to 'chmod 774 uploads', what else can I do?

Thanks for your helpful advice in advance,

Tom

Answer : Perl + Unix: File upload security best practices

In the situation you are in right now, I would make these recommendations:
- Create a separate file system without the executable attribute. /tmp/yourfolder could be enough. This will take care of the fact that you need to have uploads limited, so a separate /tmp filesystem is the best thing to do with Linux in production. If you do not have that, you can ask root to create a file and mount it as a separate filesystem with the noexec option. That will work just as well.
  In this case, if the mount point is owned by root and the group 'apache', you need to set these permissions at mount time: 2775 for the files, and ensure files are at 664 with apache:apache as the owner:group.

- Ask root to create a crontab that takes these files from the temporary folder, with apache:apache permissions, to the final directory with the correct permissions and ownership, say wwwdata:wwwgroup, and permissions 664 for files and 775 for directories. That will be enough for apache to access them, but without write permissions.

- Never. Never leave the files in your web server owned by the same user that is running apache. That's why I recommend creating something like wwwdata:wwwgroup.

Hope this helps you. I have this kind of setup running on very high-traffic and very sensitive web sites without problems.
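The two halves of the thread, the 777 upload directory in the question and the staging-plus-cron layout in the answer, can be tied together in one small POSIX shell script. This is an added example, not code from either poster: `staging_dir_ok` rejects a world-writable upload directory and insists on the setgid bit the answer's 2775 mode provides (so files written by apache inherit the directory's group instead of needing 777), and `promote_uploads` is a stand-in for the answer's cron job, moving files out of the staging directory into the final tree and normalising them to 664/775. The directory names, the `--demo` flag and the refusal to overwrite existing targets are assumptions of this example; the `chown wwwdata:wwwgroup` step from the answer is deliberately left to the root-owned cron entry and is only noted in a comment.

```shell
#!/bin/sh
# Added example (not from the original thread). Requires only POSIX sh,
# find, mv and chmod, so it runs from a cron entry without extra tooling.

# staging_dir_ok DIR
#   Returns 0 when DIR exists, is NOT world-writable (the 777 the question
#   had to fall back to), and carries the setgid bit (the answer's 2775),
#   so uploads land with the directory's group rather than needing o+w.
staging_dir_ok() {
    [ -d "$1" ] || return 1
    # "-prune" makes find look at the directory itself, not its contents.
    # -perm -002: any "other write" bit set  -> reject
    [ -z "$(find "$1" -prune -perm -002 -print)" ] || return 1
    # -perm -2000: setgid bit must be present -> accept
    [ -n "$(find "$1" -prune -perm -2000 -print)" ] || return 1
    return 0
}

# promote_uploads STAGING FINAL
#   The cron job from the answer, minus ownership changes: every regular
#   file in STAGING is moved into FINAL and set to 664; FINAL itself is
#   set to 775. Existing targets are never overwritten (assumption of this
#   example: a collision is logged and the file left in staging for review).
#   When run as root from cron, a "chown wwwdata:wwwgroup" of each moved
#   file would go right after the chmod; it is omitted here so the script
#   also works for an unprivileged test run.
promote_uploads() {
    src=$1
    dst=$2
    [ -d "$src" ] || return 1
    [ -d "$dst" ] || mkdir -p "$dst" || return 1
    chmod 775 "$dst" || return 1
    for f in "$src"/*; do
        [ -f "$f" ] || continue          # skip dirs, symlinks, empty glob
        name=${f##*/}
        if [ -e "$dst/$name" ]; then
            echo "promote_uploads: $dst/$name already exists, leaving $f" >&2
            continue
        fi
        mv "$f" "$dst/$name" || return 1
        chmod 664 "$dst/$name" || return 1   # readable by apache, not writable
    done
    return 0
}

# Stand-alone demonstration on throwaway directories:
#   sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)                      # constructed sample layout
    mkdir "$work/uploads" "$work/bad"
    chmod 2775 "$work/uploads"
    chmod 777  "$work/bad"
    printf 'constructed upload\n' > "$work/uploads/report.txt"
    staging_dir_ok "$work/uploads" && echo "uploads: ok (2775)"
    staging_dir_ok "$work/bad"     || echo "bad: rejected (777)"
    promote_uploads "$work/uploads" "$work/www" && ls -l "$work/www"
    rm -rf "$work"
fi
```

A typical root crontab line would then be something like `*/5 * * * * /usr/local/sbin/promote_uploads.sh /tmp/yourfolder /var/www/uploads` (path names assumed), with the chown added inside the script as noted; the `staging_dir_ok` check can be run from the same cron entry so a directory that has drifted back to 777 is reported rather than silently served.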