|
|
|
|
|
|
by jamessocol
5076 days ago
|
|
|
I agree with all of your advice about hardening most servers, but a couple of things... > In the case of PHP, there is no security concern by it just sitting on your hard drive. It's a surface area question. I could go into more details of the history of why it was there and configured (if you read further, you'd see that it was part of our puppet manifests, and for a reason). But you reduce the surface area of attack by reducing the number of things that can execute arbitrary code. And if you aren't using PHP at all, "yum remove php" saves you disk space and surface area, even if you have another colossal screw up (like we did). > The most it could affect a user by itself is due to some temp file race someone might be able to take advantage of. Well, the most it could do is, if you've screwed up someplace else, execute arbitrary code as the webserver user on the machine, thanks to the backtick operator. |
|
|
Advocating a smaller surface area in your example is the same thing as telling someone to buy a bigger/better lock to protect their door. Sure, it makes your door more secure by reducing the "surface area" of a lesser-designed lock. But if you had done the basic auditing of the outside of the building, you'd see the huge glass window fitted next to the door - which may not be "exploited" yet, but all someone needs is the right size rock.
Tuning your services and filesystem perms is equivalent to putting bars on the window. It doesn't make penetration impossible, but it does a lot more general good than a bigger lock.