Hello,

I am developing a web application and I am wondering: if someone has full read-only access to my filesystem, can this person (assuming that he is aware of everything necessary) have write access to the system?

For example, if you have a PHP script that outputs the contents of any file on the server - will someone really be able to gain write access to the system somehow? Like... can he rewrite the PHP script?

I'm talking about web servers... so both Windows & Linux related comments are welcome. Also, are there cases where the cracker could have write access to most files, but not to all on the system?

I'm just curious. To sum up: "Can a PHP local file include vulnerability ever give the cracker write access to the files?"

+1  A: 

A malicious user could download your password file and get cracking, or perhaps read the MySQL user table and get the password for your MySQL root user. Then use that user to gain further access using a privilege escalation exploit or something similar.

Substitute password file for registry (or SAM) and MySQL for MSSQL and the same argument works on Windows. No, it won't be very easy but yes, they will succeed.

Do not give anyone full (read) access to your system, ever!

Let me rephrase. If I have a PHP application running and someone can read my PHP files through an insecure PHP script and has a read-only DB access, will he be able to crack my whole server?

Perhaps. The probability of someone being able to hack your server in that situation is non-zero, therefore you cannot afford to allow such a security hole to exist. They may not be able to rewrite your PHP script, but a read-only db user can perfectly well use an exploit in the database server, for example.

Gerco Dries
A: 

Any accounts which have write access to a given directory have the potential of being exploited.

Security is all relative. Attackers don't follow rules and they won't necessarily pick the attack vector you've hardened against. If you're concerned, make it so that only a select group of users can write to a directory. Do not include service/daemon accounts in this group. Use limited accounts for daily use. Follow good password policies (length, complexity, change frequency, etc.). Limit your attack surface by closing unused ports, etc.

You may even go so far as to encrypt the file-system. This introduces complexity and there's a chance you'll get it wrong. If you're really concerned, you can take a pessimistic security stance and deny everyone any access except the bare minimum they need to do the job you've assigned them.

In the end, even if you're the only one with 'technical' access to a resource, you could still be tricked or blackmailed or otherwise coerced into granting access. The best you can do is make attacks difficult--not impossible.

steamer25
Thanks, but that's more about server security... I was actually interested in application-level security (it seems I am bad at asking questions...). Say I write a general-purpose PHP script that utilizes MySQL. Now if my PHP script, through a ?readFile=xxx vulnerability, can read files on the filesystem - would a cracker be able to rewrite this PHP file, for instance? By reading some /etc/passwd, shadow, etc. files?
rFactor
If you are concerned about security, I would advise against a ?readFile=xxx interface where xxx is a path/to/a/file.ext. Perhaps you could do something like ?data=xxx where xxx is 'file' and "path/to/a/" . $_GET["data"] . ".ext" is kept as a secret on the server. This reveals little and constrains access to a sand-boxed area.
steamer25
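
The constrained ?data=xxx lookup suggested in the last comment, with the validation such a lookup needs, as an added example that is not part of the original thread. The names DATA_DIR, DATA_EXT and resolve_data_file, the directory layout and the demo inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed layout: readable files live in one directory with a fixed extension.
const DATA_DIR = __DIR__ . '/data';
const DATA_EXT = '.txt';

/**
 * Map a user-supplied key (e.g. $_GET['data']) to a file inside $baseDir.
 * Returns the canonical path, or null if the key must be rejected.
 */
function resolve_data_file(string $key, string $baseDir = DATA_DIR): ?string
{
    // 1. Allow-list the key's shape: no slashes, dots or NUL bytes get through.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $key) !== 1) {
        return null;
    }
    // 2. Canonicalise both paths; realpath() resolves symlinks and ".."
    //    and returns false when the target does not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $key . DATA_EXT);
    if ($base === false || $path === false) {
        return null;
    }
    // 3. Containment check: the resolved file must still sit under the base
    //    directory (this catches a symlink inside it that points elsewhere).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Constructed demo: a temporary sandbox holding one file, then several keys.
$dir = sys_get_temp_dir() . '/readfile_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/report.txt', "hello\n");

foreach (['report', 'missing', 'report.txt', '../report', '/etc/passwd'] as $key) {
    $path = resolve_data_file($key, $dir);
    printf("%-16s => %s\n", json_encode($key), $path === null ? 'rejected' : basename($path));
}

unlink($dir . '/report.txt');
rmdir($dir);
```

Only the key "report" resolves to a file; every other input is rejected before any read happens. Concatenating the raw parameter into a path without steps 1 to 3 would leave the sandbox escapable.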