Recently it has become an issue that a user on one of our systems needs the apache user to have read and write access to their site so that the upload portion of their site works correctly. How would you minimize the risk of somebody malicious going in and submitting a file that ends up being able to delete files in the web directory or, worse yet, taking over the apache daemon?
The only solution I have been able to come up with is to create a subfolder for the site that apache can read and write to, while it can only read the parent directories, with sanity checks (like file foo.zip) and file checks being done on the uncompressed uploaded data, and then having the file renamed and metadata added to it to track it internally for the site before it is moved into a folder that is not writable by apache and is only readable.
Or am I just being paranoid?
Your paranoia is valid.
The security issues that come from uploading files in Apache are based on an uploaded .htaccess file that can change permissions or give the user access to the Apache config files.
Much of the prevention for this problem can be solved by first properly securing Apache and its config files. Ensure that Apache runs in an entirely different directory (I use a different hard drive just in case) than public files. Then secure the directory:
If you program using PHP, I would also do some extra checks to make sure that scripts cannot be run from the upload folder. Basically, disable PHP (or other modules) from executing when accessed inside that folder.
There's plenty more resources across Google that I recommend checking out. I hope this helps.
You've not said what OS this is on - which has a lot to do with security. Assuming it's Linux/BSD/Unix...
You definitely want to keep the writeable location outside of the document root - all access should be mediated by your own code.
You might want to keep it on a separate filesystem mounted with noexec.
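A way to check the layout this answer recommends (writable location outside the document root, on a filesystem mounted noexec, writable by the web server user but with no writable ancestor), as an added Python example that is not part of the original answer. The /proc/mounts sample is constructed, the directory names and the uid/gid arguments are placeholders, and the permission check is a plain mode-bit test that ignores POSIX ACLs and root.

```python
import os
import stat

# Constructed /proc/mounts sample for this example (not a real host).
# Field 2 is the mount point, field 4 the comma-separated options.
CONSTRUCTED_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /srv/uploads ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""


def mount_options(path, mounts_text):
    """Return (mount_point, options) for the mount that holds `path`: the
    longest mount point that is a path prefix, parsed from /proc/mounts text."""
    path = os.path.normpath(path)
    best = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt = fields[1].replace("\\040", " ")   # /proc/mounts escapes spaces
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) > len(best[0]):
                best = (mnt, set(fields[3].split(",")))
    return best


def is_noexec(path, mounts_text):
    found = mount_options(path, mounts_text)
    return found is not None and "noexec" in found[1]


def is_outside(path, docroot):
    """True when `path` is neither docroot nor under it, after resolving
    symlinks. Uses commonpath rather than a string prefix, so that
    /var/www/html-old counts as outside /var/www/html."""
    real_path, real_root = os.path.realpath(path), os.path.realpath(docroot)
    return os.path.commonpath([real_path, real_root]) != real_root


def writable_by(path, uid, gids):
    """Mode-bit check for a non-root user. Ignores ACLs and capabilities,
    so read True as 'probably writable', not as proof."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_layout(upload_dir, docroot, top, uid, gids, mounts_text):
    """Findings for the recommended layout: upload_dir outside DocumentRoot,
    on a noexec mount, writable by the web server user (uid/gids), and no
    writable ancestor between upload_dir and `top` (inclusive)."""
    findings = []
    if not is_outside(upload_dir, docroot):
        findings.append(f"{upload_dir} is inside DocumentRoot {docroot}")
    if not is_noexec(upload_dir, mounts_text):
        findings.append(f"{upload_dir} is not on a noexec mount")
    if not writable_by(upload_dir, uid, gids):
        findings.append(f"web server user cannot write {upload_dir}")
    parent = os.path.dirname(os.path.normpath(upload_dir))
    top = os.path.normpath(top)
    while True:
        if writable_by(parent, uid, gids):
            findings.append(f"ancestor {parent} is writable by the web server user")
        if parent == top or os.path.dirname(parent) == parent:
            break
        parent = os.path.dirname(parent)
    return findings
```

On a real host, pass the contents of /proc/mounts and the uid and group set of the web server account (from the pwd and grp modules) instead of the constructed values. The script does not read the Apache configuration, so the handler and PHP-engine settings for the upload folder that the first answer describes still have to be checked separately.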
Never heard of zip bombs then?
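The pipeline the question sketches (confirm the upload really is a zip, inspect the uncompressed contents, rename, attach tracking metadata, then move it into a directory the web server can only read), together with the zip-bomb concern raised in the last comment, as an added Python example that is not part of the original thread. The size limits, directory names and the `build_zip` sample archives are constructed for this example; `promote` is meant to run as a user other than the web server (for instance from cron), because the store directory must not be writable by apache.

```python
import hashlib
import io
import json
import os
import re
import secrets
import shutil
import zipfile

# Limits for this example (hypothetical; tune them for the site).
MAX_MEMBERS = 200                        # entries per archive
MAX_UNCOMPRESSED = 50 * 1024 * 1024      # total bytes after decompression
RATIO_CHECK_FLOOR = 1 * 1024 * 1024      # ratio test only above this size
MAX_RATIO = 100                          # uncompressed : compressed
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")  # local file header, or empty archive


def build_zip(entries):
    """Constructed sample input: an in-memory zip from {name: bytes}.
    writestr() does not sanitise names, so hostile entries can be built too."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def check_zip_magic(data):
    """The `file foo.zip` step: judge the bytes, not the client's filename."""
    return data.startswith(ZIP_MAGIC)


def _unsafe_name(name):
    """Absolute paths or any '..' component would escape the extraction dir."""
    return name.startswith(("/", "\\")) or ".." in re.split(r"[\\/]", name)


def _measure(zf, info, budget):
    """Decompress one member in chunks, ignoring its declared size, and
    abort as soon as the remaining budget is used up."""
    seen = 0
    with zf.open(info) as fh:
        while True:
            chunk = fh.read(64 * 1024)
            if not chunk:
                return seen
            seen += len(chunk)
            if seen > budget:
                raise ValueError("archive expands beyond limit")


def inspect_zip(data):
    """Validate an upload without writing anything to disk. Raises ValueError
    for non-zips, corrupt zips, unsafe member names, too many members, and
    archives that expand too far or too fast. Returns the metadata summary."""
    if not check_zip_magic(data):
        raise ValueError("not a zip file")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ValueError(f"corrupt zip: {exc}")
    with zf:
        members = zf.infolist()
        if len(members) > MAX_MEMBERS:
            raise ValueError("too many members")
        declared = compressed = 0
        for info in members:
            if _unsafe_name(info.filename):
                raise ValueError(f"unsafe path in archive: {info.filename!r}")
            declared += info.file_size
            compressed += info.compress_size
        # Cheap rejection first, from the sizes the central directory declares.
        if declared > MAX_UNCOMPRESSED:
            raise ValueError("archive expands beyond limit")
        if declared > RATIO_CHECK_FLOOR and declared / max(compressed, 1) > MAX_RATIO:
            raise ValueError("compression ratio too high (zip bomb?)")
        # Headers can lie, so measure the real expansion under a hard budget.
        actual = 0
        for info in members:
            actual += _measure(zf, info, MAX_UNCOMPRESSED - actual)
    return {"members": len(members), "uncompressed": actual,
            "sha256": hashlib.sha256(data).hexdigest()}


def stage_upload(data, original_name, staging_dir):
    """Validate, rename to an unguessable id, write a metadata sidecar.
    staging_dir is the only directory the web server user may write."""
    summary = inspect_zip(data)
    file_id = secrets.token_hex(16)
    dest = os.path.join(staging_dir, file_id + ".zip")
    # basename(): never let the client's path choose where anything lands.
    meta = dict(summary, id=file_id, original_name=os.path.basename(original_name))
    with open(dest, "wb") as fh:
        fh.write(data)
    os.chmod(dest, 0o444)
    with open(dest + ".json", "w") as fh:
        json.dump(meta, fh)
    return file_id


def promote(file_id, staging_dir, store_dir):
    """Move a staged upload into the read-only store. Run this as a user
    other than the web server; it re-validates rather than trusting staging."""
    if not re.fullmatch(r"[0-9a-f]{32}", file_id):
        raise ValueError("bad file id")
    with open(os.path.join(staging_dir, file_id + ".zip"), "rb") as fh:
        inspect_zip(fh.read())
    for suffix in (".zip", ".zip.json"):
        shutil.move(os.path.join(staging_dir, file_id + suffix),
                    os.path.join(store_dir, file_id + suffix))
```

The ratio test only applies above a size floor, because small files compress at odd ratios and would otherwise be rejected for no reason; the chunked measurement is what actually bounds a bomb whose headers under-declare their size.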