Setting Directory Permissions To Allow PHP Writing Access


Sebastian

For some time I've been wondering:

What is the recommended way to make a directory writable for PHP?

 

On my localhost, I set www as the owner of the directory and myself as the group. This way I don't have to grant access to everyone.

With my sites hosted on TCH I don't think I'm able to work like that — at least my FTP client doesn't offer a way to change the owner and/or group of a file/directory. Also, www doesn't seem to be part of the default group either, as I only get writing permission when granting writing access to everyone.

But setting permissions like (writable for everyone) doesn't strike me as advisable…

 

So where's the mojo?

 

Sebastian


PHP scripts run as the user 'nobody'. A typical directory on your account will be owned by your user ID, and you cannot change the owner or group of a directory (this can only be done by the 'root' superuser). To grant PHP write permissions in a directory owned by you, the only option you have is to set the directory's permissions to 0777 (world-writeable). There is some security risk in this, so you should not set 0777 permissions on more directories than necessary, but this is a "necessary evil" in a shared server environment.


Thanks for the reply!

And if you can live with this necessary evil, so can I!

I was a little concerned with creating a security breach by setting permissions like that and thereby breaking some rule that I didn't know about, but should have.

So I wanted to make sure I was doing things "the right way".

 

Thanks again,

Sebastian


On a shared hosting platform with the webserver running as 'nobody', there is really little difference between a world writable directory, and a directory owned by 'nobody', so either method will really provide you almost the same level of security (or lack of it). Just as David stated, use those permissions sparingly.


  • 2 weeks later...

Like Sebastian, I am also interested in learning more about the dangers of 777. A very interesting topic that I am quite concerned about.

 

From my limited experience, I have seen that many common php applications require that some directories be made 777 to allow for a level of interactivity with site users.

 

The ones that immediately come to mind that I have used are:

 

PHP Nuke

Gallery

Coppermine

Various chat modules

phpbb attachment mod.

 

I have read on the web that some webmasters will not under any circumstances 777 a directory.

 

But, if we need to do it to make a program work, what can we do to limit the exposure?

Or, in other words, what methods do people employ to upload things into those directories that we don't want them to, such as nasty scripts? I am asking from the point of view of how do I stop it?

 

Appreciate any advice here.


From my limited experience, I have seen that many common php applications require that some directories be made 777 to allow for a level of interactivity with site users.

Generally, PHP scripts will require setting a directory with 0777 permissions because *you* will create the directory, so it will be owned by you, but the PHP script needs to create or modify files in that directory (which could be something as innocent as a configuration file). If you own a directory, the only way you can allow a PHP script permission to create and modify files in a directory that the user 'nobody' does not own is for you to set the directory permissions to 0777.

 

Or, in other words, what methods do people employ to upload things into those directories that we don't want them to, such as nasty scripts? I am asking from the point of view of how do I stop it?

Allowing anonymous, untrusted users to upload anything to your account is a huge security risk. If you must allow them, restrict the extensions of files that they can upload (such as .jpg and .gif for pictures). If they can upload .html and .php files, you're just asking for your site to be hacked.

 

If your site accepts form data submitted from anonymous, untrusted users, make sure your code properly filters and escapes all fields that are submitted, so arbitrary commands and data cannot be injected into your script.

 

If you can, you should set up a separate directory for anonymous uploads that is not under your public_html directory where you can review what has been uploaded before allowing it onto your site.

 

If you're careless with your FTP account names and passwords, malicious code can be uploaded to your site via FTP as well.

 

Make sure you've installed the latest releases of popular scripts such as phpBB or phpNuke, so you have the latest security updates. Hackers frequently target insecure installations of various forum scripts, exploiting known security holes.

 

You should understand that the primary security risk of setting file and directory permissions to 0777 is that anyone with an account on the same server you're on theoretically can access those files and directories. However, TCH does a good job of screening customers, and if one of them does decide to do something malicious, they are quickly tracked down and their account is terminated.

 

Having a script on your account that allows anonymous, untrusted users to upload content to a directory that has 0777 permissions opens up that directory to not just other TCH customers on your server, but to anyone on the internet. Personally, I consider this an unacceptable risk and I won't run any scripts on my site that allow anonymous, untrusted users to upload content to my site.

 

Of the scripts you list, I do run a Coppermine photo gallery. I did not want any Coppermine directories or files to have 0777 permissions, so I modified Coppermine to run as a CGI - meaning it runs under my user ID instead of as 'nobody', and I no longer need to have any directory with 0777 permissions. I don't allow anonymous users to upload anything at all.

 

This is by no means a complete list - security is more of a continuing process than an end result. :)
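
The upload advice in the post above (accept only known image extensions, and hold anonymous uploads in a directory outside public_html until they have been reviewed), as an added PHP example that is not part of the original posts. It goes one step beyond the post by also checking the detected content type; the form field name `picture`, the 2 MB limit and the `upload_review` directory are assumptions.

```php
<?php
// Added example, not code from the thread. Assumptions: this script lives
// directly in public_html, the form field is named "picture", and REVIEW_DIR
// is a directory one level above public_html that the web server can write to.
const REVIEW_DIR = __DIR__ . '/../upload_review';

// Deny by default: only these extensions, each tied to the content type
// the file must actually have.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];

function store_for_review(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('file too large');
    }
    // Only the final extension of the client-supplied name is looked at;
    // the name itself is never used on disk.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // The extension is chosen by the uploader, so check the content as well.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Server-generated name: "picture.php.jpg" ends up as "<random>.jpg".
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = REVIEW_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // readable for review, never executable
    return $name;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['picture'])) {
    try {
        echo 'Stored for review as ' . store_for_review($_FILES['picture']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```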


David

 

Thank you for taking the time to post a very detailed response to my query. I understand the issues a little more clearly now, and will remember to be nervous whenever a package wants 777.

 

I have installed the Attachment Mod on my board, similar to the one here on the TCH forums. I have restricted the allowed extensions via the board admin settings to images and zips. I have disallowed all other extensions and some extensions, such as php scripts, are disallowed from within the script.

 

I do not have any FTP accounts.

 

In your opinion does this provide an acceptable level of security or are there some more measures I can take?

Could people still access the attachments directory directly, outside of the board? The directory does contain an index.php which has been written so as to deny access to the directory from a browser.

 

Regards


I've never run a forum on my site, so I'm not familiar with the Attachment mod you mentioned, but I'll go ahead and make some observations anyway... ;)

 

I have installed the Attachment Mod on my board, similar to the one here on the TCH forums. I have restricted the allowed extensions via the board admin settings to images and zips. I have disallowed all other extensions and some extensions, such as php scripts, are disallowed from within the script.

Unless you have a need to allow .zip files to be uploaded, I would be concerned about allowing people to upload them as they can contain files of any extension within them. Beyond that, restricting uploads only to known image file extensions is a good step. A good approach to securing a site is to deny permission for everything by default, then explicitly grant permission for the few things you want to allow.

 

Could people still access the attachments directory directly, outside of the board? The directory does contain an index.php which has been written so as to deny access to the directory from a browser.

If the attachments directory is within your public_html directory, yes, it can be accessed from a browser. The index.php does not deny access to the directory - what it does is prevent someone from listing the directory in their browser.

 

If someone knows a file name in that directory, that file can be accessed directly in a browser. To prevent this, you could set up an .htaccess file in that directory:

Order Deny,Allow
Deny from all

Then the files could only be accessed from a script and not directly from a browser.

 

In your opinion does this provide an acceptable level of security or are there some more measures I can take?

I don't know enough about your site or your forum software to judge whether its security is acceptable or not. Also, security is always a trade-off - you have to judge for yourself whether a particular risk is worth the effort of defending against or not. The only truly secure site is one that is not on the internet - but such a site would not be of much use to you or your visitors. Part of your job as site owner is to choose a balance between what you will allow visitors to do on your site and what they will not be allowed to do in the interest of security because it could be abused by a malicious visitor.

 

It does sound like you're heading in the right direction though. :P
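
With the .htaccess rule from the post above in place, attachments can only reach a browser through a script. One way such a script can hand out files without letting the request choose an arbitrary path, as an added PHP example that is not part of the original posts and not the Attachment Mod's code; the script name `download.php`, the parameter `f` and the directory name `attachments` are assumptions.

```php
<?php
// Added example, not the Attachment Mod's code. Assumptions: this script sits
// next to the .htaccess-protected "attachments" directory and is called as
// download.php?f=<file name>.
const ATTACH_DIR = __DIR__ . '/attachments';

// Deny by default: only these types are ever served.
const TYPES = ['jpg' => 'image/jpeg', 'gif' => 'image/gif'];

function resolve_attachment($requested): ?array
{
    // A plain file name only: no slashes, no leading dot, a single extension.
    if (!is_string($requested)
        || !preg_match('/\A[A-Za-z0-9_-]+\.([A-Za-z0-9]+)\z/', $requested, $m)) {
        return null;
    }
    $ext = strtolower($m[1]);
    if (!isset(TYPES[$ext])) {
        return null;
    }
    // realpath() resolves symlinks, so confirm the result is still inside
    // the attachments directory before reading it.
    $base = realpath(ATTACH_DIR);
    $path = realpath(ATTACH_DIR . '/' . $requested);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0
        || !is_file($path)) {
        return null;
    }
    return [$path, TYPES[$ext]];
}

$found = resolve_attachment($_GET['f'] ?? null);
if ($found === null) {
    http_response_code(404);
    exit('Not found');
}
[$path, $type] = $found;
header('Content-Type: ' . $type);          // fixed by the server, not the request
header('X-Content-Type-Options: nosniff'); // browser must not re-guess the type
header('Content-Length: ' . filesize($path));
readfile($path);
```

The .htaccess rule only blocks HTTP requests, so `readfile()` still works because it reads from the filesystem. A board would normally check the visitor's login before serving the file; that check depends on the forum software and is left out here.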
