php:7.3-apache-buster - Lack of Security (chmod) #1204

@nupplaphil

I'm using this image as a base for the Friendica images (see https://github.com/friendica/docker)
Recently @zem opened this issue: friendica/docker#165

I'm not able to fully check his suggestions and, more than that, I think a lot of his suggestions should be addressed at this repository :)
I quote friendica/docker#165 (comment) so we can discuss it here:

Basically as I use docker.io/library/friendica:latest the first thing I do after podman-exec into it is:

root@friendica:/var/www/html# ps -eaf
UID          PID    PPID  C STIME TTY          TIME CMD
root           1       0  0 Sep10 ?        00:00:05 apache2 -DFOREGROUND
www-data      93       1  0 Sep10 ?        00:00:11 apache2 -DFOREGROUND
www-data      95       1  0 Sep10 ?        00:00:06 apache2 -DFOREGROUND
www-data      96       1  0 Sep10 ?        00:00:07 apache2 -DFOREGROUND
www-data      97       1  0 Sep10 ?        00:00:09 apache2 -DFOREGROUND
www-data      98       1  0 Sep10 ?        00:00:07 apache2 -DFOREGROUND
www-data     132       1  0 Sep10 ?        00:00:07 apache2 -DFOREGROUND
www-data     291       1  0 Sep10 ?        00:00:05 apache2 -DFOREGROUND
www-data     292       1  0 Sep10 ?        00:00:06 apache2 -DFOREGROUND
www-data     311       1  0 Sep10 ?        00:00:05 apache2 -DFOREGROUND
www-data     312       1  0 Sep12 ?        00:00:00 apache2 -DFOREGROUND
root         313       0  0 20:42 pts/0    00:00:00 bash
root         317     313  0 20:43 pts/0    00:00:00 ps -eaf

The thing we learn here is that it is using apache, and apache does chown() to www-data as soon as it has claimed port 80. We need that information later.

Let us have a look for any obvious permissions:

root@friendica:/var/www/html# find / -type d -perm 0777 2>/dev/null 
/run/lock/apache2
/run/apache2
/usr/src/friendica/view/smarty3
/var/log/apache2
/var/www/html
/var/www/html/view/smarty3
root@friendica:/var/www/html# find / -type f -perm 0777 2>/dev/null 
/var/www/html/view/smarty3/.gitignore

drwxrwxrwx 2 www-data www-data 6 Sep 3 16:26 /run/lock/apache2
This one should be at least chmod 755; chown www-data.root. However, in my opinion chmod 700; chown www-data.www-data will work fine as well.

drwxrwxrwx 1 www-data www-data 25 Sep 10 16:09 /run/apache2
/run/apache2 contains the pid of the running apache process, which is written while apache is still root, so chown root.root; chmod 755 is what debian sets on this one.

drwxrwxrwx 2 www-data www-data 72 Sep 3 16:26 /var/log/apache2
This should be chown root:adm; chmod 750. apache2 will open those logs while it is still root. This makes it impossible for processes running as www-data to modify apache logs, making it harder for attackers to hide their footprints.

drwxrwxrwx 1 www-data www-data 430 Sep 10 16:09 /var/www/html
This should be chown root:root; chmod 755, as with all the files in there: chmod 644, readable for the www-data user but not writeable.

[...]

So far all my findings, I hope it helps.
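The audit and the proposed permission layout from the quoted comment, as an added shell example that is not part of the issue, the php image or the Friendica project. It assumes a prefix directory (the container root, or a scratch tree when testing) whose paths mirror the ones named above; `audit_world_writable` reports any entry with the other-write bit set (a superset of the exact `-perm 0777` search in the comment), and `harden_apache_perms` applies the modes and, only when running as root on a system that has the `www-data` user and `adm` group, the ownership from the comment.

```shell
#!/bin/sh
# Added example (not from the php image or Friendica): audit a tree for
# world-writable entries and apply the permission layout proposed in the issue.
# PREFIX is a hypothetical root directory whose layout mirrors the container's.
set -eu

# Every directory or regular file under $1 with the other-write bit set,
# one path per line (-perm -002 matches o+w, so 0777, 0757, 0666 all count).
audit_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -002 2>/dev/null | sort
}

# Number of world-writable entries under $1; 0 means the tree is clean.
count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# True when ownership changes are possible: running as uid 0 on a system
# that actually has the www-data user and the adm group.
can_chown() {
    [ "$(id -u)" -eq 0 ] && id www-data >/dev/null 2>&1 && grep -q '^adm:' /etc/group
}

# Layout from the issue, applied below prefix $1:
#   run/lock/apache2 -> 0755, www-data:root  (comment: "at least chmod 755 ; chown www-data.root")
#   run/apache2      -> 0755, root:root      (Debian default; pid file is written while still root)
#   var/log/apache2  -> 0750, root:adm       (www-data can no longer alter the logs)
#   var/www/html     -> 0755 dirs, 0644 files, root:root (readable, not writable, by www-data)
harden_apache_perms() {
    p="${1%/}"
    chmod 0755 "$p/run/lock/apache2" "$p/run/apache2"
    chmod 0750 "$p/var/log/apache2"
    find "$p/var/www/html" -type d -exec chmod 0755 {} +
    find "$p/var/www/html" -type f -exec chmod 0644 {} +
    if can_chown; then
        chown www-data:root "$p/run/lock/apache2"
        chown root:root "$p/run/apache2"
        chown root:adm "$p/var/log/apache2"
        chown -R root:root "$p/var/www/html"
    fi
}

# Constructed scratch tree reproducing the 0777 entries listed in the comment.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/run/lock/apache2" "$d/run/apache2" "$d/var/log/apache2" \
             "$d/var/www/html/view/smarty3"
    : > "$d/var/www/html/view/smarty3/.gitignore"
    chmod 0777 "$d/run/lock/apache2" "$d/run/apache2" "$d/var/log/apache2" \
               "$d/var/www/html" "$d/var/www/html/view/smarty3" \
               "$d/var/www/html/view/smarty3/.gitignore"
    printf '%s\n' "$d"
}

# Octal mode of a path (GNU coreutils stat; BusyBox stat accepts -c %a too).
mode_of() {
    stat -c '%a' "$1"
}

# Stand-alone run: `sh perms.sh --demo` builds the sample tree, audits it,
# hardens it and audits it again.
if [ "${1:-}" = "--demo" ]; then
    t=$(make_sample_tree)
    echo "before: $(count_world_writable "$t") world-writable entries"
    audit_world_writable "$t"
    harden_apache_perms "$t"
    echo "after:  $(count_world_writable "$t") world-writable entries"
    rm -rf "$t"
fi
```

Run the audit against a container with `podman exec <container> sh -c '...'` or bake `harden_apache_perms /` into a Dockerfile `RUN` step after the application files are copied; the chmod part is deliberately separated from the chown part so the script degrades to a mode-only fix where the target user and group do not exist.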
