There’s something that a surprising amount of people overlook, even though it’s a vital part of a system’s security: Permissions! You’d be amazed at how many people are beyond paranoid about being hacked (as they should be) and go about fortifying every part of their system. They update their OS as soon as updates arrive, they monitor their software for updates, they use sophisticated firewalls and antivirus software, they do everything they think possible to turn their system into a fortress of data. Incredibly, however, they overlook the permissions! I had the pleasure of talking to someone not too long ago who had a Joomla CMS running on his server. He wasn’t quite one of the aforementioned paranoid types, but he was mostly sensible and though he’s new to the server side of things he generally runs a tight ship. For those of you unfamiliar with Joomla, it has an FTP layer in which an FTP account can be specified that has read/write access to the Joomla directories. This fellow, instead of creating a new FTP user especially for Joomla that only had access to the Joomla directories, decided he would use his global FTP user for Joomla (i.e. a user that had read/write FTP permissions to the entire server).
I was flabbergasted.
He didn’t get hacked; I gave him a piece of my mind and he saw the error of his ways. This problem, however, is surprisingly common considering how rare it ought to be; when people run into permission issues, half the time they seem to simply give full access to the directory or user and forget about it. Never forget that permissions are up there in terms of the most important security issues! Remember, getting into the machine is only one half the battle. If a hacker is able to compromise an account with no permissions or access to anything, he’s still got a fairly uphill road ahead of him. If there are directories outside of his home directory that are globally accessible, though, well… he suddenly has quite a bit more power. Make sure, whenever you’re doing security audits (I should post a few security tips, actually; perhaps tomorrow’s post!) that anything involving permissions is strict in terms of who it allows and doesn’t allow. Don’t give anyone more power than they need to have, and you’ll be able to rest much easier at night!