Wednesday, October 9, 2019

Why require escalated permissions?

Moving stuff to my server and find it pretty strange that an open source software (not going to name any names), recently started attempting (during installation) to require complete root access to a server to operate properly and forces the scenario during installation on a Linux system.

Most users have access to directories (usually even symlinked from their home directories), inside a server like /var/www/html/USER/ - and then they can do basically whatever inside that directory including create a billion more sub directories, upload files, change permissions, whatever - especially if they access the server via shell, control panel or more than just FTP.

Now, this software installs with a certain pivotal directory (which contains several others and hundreds of files), and it requires it be located /var/www/HERE <--- a place most users could not access, as those directories would be off-limits to pretty much anybody but the server administrator(s) - in the vast majority of scenarios where people would install this software.

Adding insult to injury is the fact that the initial install locates the directory in a specific area and even begins installation with the directories in their default, nested and secure positions, assuming the permissions for those directories are set properly.

However, after one segment of installation, it is REQUIRED, by force, that those directories be moved - either manually or automatically. Well, automatically doesn't solve the permissions error that (even when installed as an administrator), never on a server is a nested installation file going to be able to have the permissions to drop down to the shell, and create directories in /var/www/ or anywhere else that far down to the root directory of a server. Yet, it offers this as an option (which I figured, hey, mind as well...) and then somehow deletes the nested directories it was trying to move (which mind you, I had already gone through the process of manually giving all of these directories (about half a dozen) proper chmod permissions in their original location - where they have been for years).

Fortunately I had backups of the directories and was able to play ball, sudo, make the proper directory further up and appease the installation process and return the software to working order - but there was also an alternative solution to edit an obscure configuration file in a manner which either stops throwing the security error (and stops loading the ENTIRE basic security data module / object through the entire software) - and likely another configuration option somewhere else to return the directories expected location to somewhere inside where a typical user could manage. The fact that this endeavor is forced upon the user is made extra strange by the fact that on my other server (non-*nix), this same software installed without trying to go through any kind of similar process or requiring any type of escalated access to the server environment.

Is the logic that these directories should never be exposed further into the server directory tree because then they would have a URL somewhere within the server? Because if so, that is absurd and there are a thousand other solutions (since forever) to handle that problem. It would be overkill to require that process entirely for security purposes, but maybe that is where we are at in the world now?



No comments:

Post a Comment

Why require escalated permissions?

Moving stuff to my server and find it pretty strange that an open source software (not going to name any names), recently started attempti...