Is my caching solution secure?
I'm running Rails 3.1 on Ubuntu 10.04 on Nginx and Passenger.
In my logs I could see much of the following:
cache error: Permission denied - /var/www/redmeetsblue/releases/20120221032538/tmp/cache/B27
I solved the problem by changing the name of the user (from Google advice) but I'm unsure of the security implications. Who is nobody? And is this secure?
/var/www/redmeetsblue/current/tmp/cache
total 16K
drwxr-xr-x 4 www-data root 4.0K 2012-02-20 22:27 .
drwxr-xr-x 3 root root 4.0K 2012-02-20 22:26 ..
drwxr-xr-x 54 www-data root 4.0K 2012-02-20 22:27 assets
drwxr-xr-x 3 www-data root 4.0K 2012-02-20 22:27 sass
root@y:/var/www/redmeetsblue/current/tmp# cd b27
-bash: cd: b27: No such file or directory
root@y:/var/www/redmeetsblue/current/tmp# cd B27
-bash: cd: B27: No such file or directory
root@y:/var/www/redmeetsblue/current/tmp# chown -R nobody cache
root@y:/var/www/redmeetsblue/current/tmp# ls -alh /var/www/redmeetsblue/current/tmp/cache
total 16K
drwxr-xr-x 4 nobody root 4.0K 2012-02-20 22:27 .
drwxr-xr-x 3 root root 4.0K 2012-02-20 22:26 ..
drwxr-xr-x 54 nobody root 4.0K 2012-02-20 22:27 assets
drwxr-xr-x 3 nobody root 4.0K 2012-02-20 22:27 sass
After changing the user, my cache is working, but I'm not sure if it's safe. See working cache..
cache: [GET /assets/grid.png] stale, valid, store
cache: [GET /dashboards] miss
cache: [GET /assets/grid.png] stale, valid, store
Comments (1)
The nobody user is commonly used as the owner of unix daemons so that they have enough permissions to do their job, but not too many as to do potentially destructive naughtiness. Running the daemon under a user account, it wouldn't be able to for example write to the syslogs. Running it under a privileged account such as root gives the process permissions to do that, but also for everything else. So if your daemon's process is compromised, an attacker would have far more freedom to own your server. The server may also start as root (necessary for example to bind to TCP port 80) and then give up its rights to user nobody.
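An added example, not part of the original question or answer: a shell check that applies the least-privilege point above to a cache directory like the one in the question. The function name `audit_cache` and its three arguments (application root, cache directory, daemon account) are assumptions made for this sketch; the cache path must be written with the same prefix as the application root.

```shell
#!/bin/sh
# Added example: audit what a daemon account may write under a deployed app.
# audit_cache APP_ROOT CACHE_DIR USER   (hypothetical helper, not from the page)
# CACHE_DIR must be given as APP_ROOT/..., without a trailing slash.
# Prints one tagged finding per line and returns 1; returns 0 when clean.
audit_cache() {
    app_root=$1
    cache_dir=$2
    user=$3
    findings=$(
        # Cache entries the daemon account does not own: with mode 755
        # directories, as in the listing above, it cannot write to them.
        find "$cache_dir" ! -user "$user" -print | sed 's/^/NOT_OWNED /'
        # World-writable entries would let any local account alter the
        # cached content. Symlinks always show mode 777, so skip them.
        find "$cache_dir" ! -type l -perm -002 -print |
            sed 's/^/WORLD_WRITABLE /'
        # Anything outside the cache that the daemon account owns is write
        # access it does not need (code, config, other tmp directories).
        find "$app_root" -path "$cache_dir" -prune -o -user "$user" -print |
            sed 's/^/EXTRA_OWNED /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run as a script when called with exactly three arguments.
if [ "$#" -eq 3 ]; then
    audit_cache "$1" "$2" "$3"
fi
```

The account argument may be a name or a numeric uid, since `find -user` accepts both.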