
Posted

hi everyone,

 

this is my first post, so sorry if i'm asking a dumb question. :huh:

 

here goes:

 

in implementing an image resizer, i discovered that i needed to change permissions on my destination folder. the only way i got it to work was to set the permissions to 777 (user: rwx, group: rwx, world: rwx) on the specified folder.

 

but now i'm worried that i've just sent out an open invitation to hackers everywhere. the original permissions on the folder were 550 -- what should they be at minimum to allow my php script to write there?

 

thanks in advance for your help! :)

 

k*

Posted

I think you can use a 775 or even try a 644 and see if those work. But I guess it depends on what program you're using.

 

What script are you using? What's in the folder that you had to chmod to 777?

 

 

Mav

Posted

thanks for the quick reply! Thumbs Up

 

i'm using this script: http://kentung.f2o.org/scripts/thumbnail/resize.txt

 

there's nothing in the folder (of course, until something is uploaded and written). it's the folder itself whose permission i had to change (i did this from the cPanel file manager).

 

775 and 644 don't seem to work. any other ideas? by the way, i'm using php.

 

thanks!

k*

Posted

I don't foresee a problem with that being 777 chmod. I have a few folders that I use for php that I use with that setting because it does need to have full permissions to enact its processes.

 

One of the TCH gurus will be able to tell you a little more about it for sure.

 

 

Mav

Posted

All PHP code runs with the permissions of the userid of the web server, not with your userid's permissions. That means that you must give the web server permission to write in selected places in your account, and files created will be owned by the web server, not by you.

 

The only way to let the web server write in your account using cPanel is to give parts of your account "general" write permissions (permissions for anyone to write), e.g. 666 for files and 777 for directories.

 

The dark side of this is that anyone located on your server running PHP can write or delete those same files using their own PHP scripts, if they know where your files are.

 

All PHP code has the same permissions, no matter where it is located or who runs it.

Posted

RE: ian

 

yikes! that's what i had feared! :)

 

is it possible to chmod 777 directly before and after our scripts need to write to that folder? (effectively, only allowing select "windows" of general access.)

 

there must be some way to protect our folders; otherwise, it would seem that any server allowing back-end scripts write/exec access poses a security problem.

 

in my case, i'm taking uploaded images, resizing them, and writing them to a specified directory. should i save myself the permissions hassle and simply save them into my DB?

 

side question: do i take a performance hit by storing image files in my DB as opposed to simply leaving them in the file system?

 

thanks!

k*

Posted
So how or can we protect our files in this situation?
there must be some way to protect our folders; otherwise, it would seem that any server allowing back-end scripts write/exec access poses a security problem.
is it possible to chmod 777 directly before and after our scripts need to write to that folder? (effectively, only allowing select "windows" of general access.)

 

You cannot protect any publicly-accessible files that are writable from PHP scripts on cPanel sites. If your PHP script can write these files, anyone on your server can write a PHP script to also write these files (if they know the file names).

If the files were created by the PHP script, the files are owned by the web server ("apache"). That means your userid cannot change their permissions. Any PHP script you write to change their permissions can be over-ridden by any other user on your server writing another PHP script to undo what you did. (All PHP scripts have equal permissions.)

If the files were created by you and given full write permissions (666) so that your PHP scripts could write them, then anyone else's PHP scripts can also write them. (In fact, with general write permissions, anyone on your server can write the files even using CGI scripts or a login shell account. General write permissions are a Very Bad Idea when you are hosted on a shared server.)

No, you cannot securely create a folder with general write permissions (777), let PHP create some files in the folder, then remove the general write permissions (755). The folder is secure; but, the files are not. The files will be owned by the web server, and although only you can remove the files from your protected folder, any PHP script can overwrite them (because the files themselves are owned by the web server).

Yes, you can create a file, give it 666 permissions, let a PHP script write it, then you can set it back to 644 permissions to protect it again. That does create only a small "window" of general access. The file must be owned by you; PHP cannot create such a file. (If PHP creates it, you can't change the permissions.)

Corollary: Anything your PHP script can access can be accessed the same way by any other PHP script run by anyone sharing your server.

So don't even use PHP to *read* sensitive data.

NOTE: Unlike PHP, CGI scripts can be made secure. CGI scripts run using the userid of the owner of the script (your userid), not the owner of the web server. Therefore, your CGI scripts can read/write files that only *you* can read/write, and nobody can mess with them but you.

Posted
So if I have a php form that reads a text file for the address to send to

and I set them both to read, execute, no write

is that safe?

Depends what you mean by "safe".

 

If the file is owned by you and has no general write permissions, and all the directories in which it resides are owned by you with no general write permissions, then PHP cannot write the file, rename it, or remove it from the directory. It's safe from writing.

 

If the file has general read permissions, and the directories in which it resides all have at least general execute permissions, PHP can access and read the file. (Execute permissions on a Unix directory means "you can pass through this directory to the files it contains".)

 

But, since PHP can read it, so can *all* PHP scripts written on your server, which might not be what you want if you want the address itself to be kept secret!

Posted (edited)

Ok thanks,

my goal is to make sure someone

cannot rewrite my config file to change where the form sends the data to.

So if I put the two files

mailit.php and the config text file

in a folder with no write permissions and the files have no write permissions,

and call mailit.php from another folder,

I think my goal is accomplished. :)

Edited by turtle
Posted

Note that when I said "directories" (plural), I really did mean *all* directories in the path from the root of the file system to your address file. If *any* of those directories has general write permissions, anyone's PHP (or CGI, or shell) script can rename or remove anything under that directory and replace it with its own stuff.

 

On a shared server, make sure there are no general write permissions anywhere in your account.

Posted
That sounds a little tough, since I have files in various places that I rewrite.

If it is your userid that is doing the rewriting of your own files and directories, you don't need to give the files or directories general permissions; you need only grant specific permissions for your own userid. (Grant Unix "user" or "owner" permissions.) Granting yourself write permissions on your own files and directories does not let PHP scripts tamper with them.

 

PHP needs general write permission ("other"-type write permissions in Unix-speak) to change your files or directories.

 

Examples:

 

File mode 644 - you (your userid) can read/write; everyone else (including PHP) can only read.

 

Directory mode 755 - you can read/write/search; everyone else (including PHP) can only read and search.

 

Nothing in your account should have general write permissions.
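
The check described in the posts above (no general write permissions anywhere in the account, and none on any directory in the path to a file), as an added example that is not part of the original thread. The function names and the account-root argument are assumptions for illustration.

```bash
# Added example: audit a shared-hosting account for "general" (other) write bits.
# Function names and the account-root argument are hypothetical.

# Print every entry under $1 with the other-write bit set. Symlinks are
# skipped because their own mode bits are not used for access checks.
world_writable_under() {
    find "$1" ! -type l -perm -0002 -print 2>/dev/null | sort
}

# Print entries under $1 that are not owned by the current userid, e.g. files
# created by PHP running as the web server. You cannot chmod these yourself.
foreign_owned_under() {
    find "$1" ! -user "$(id -u)" -print 2>/dev/null | sort
}

# Walk from file $1 up to the account root $2 and print each directory on the
# way that is world-writable. One such directory is enough for another user to
# rename or replace what sits below it.
writable_ancestors() {
    local path root dir
    path=$(cd "$(dirname "$1")" && pwd -P)/$(basename "$1")
    root=$(cd "$2" && pwd -P)
    dir=$(dirname "$path")
    while :; do
        if [ -n "$(find "$dir" -maxdepth 0 -perm -0002)" ]; then
            echo "$dir"
        fi
        if [ "$dir" = "$root" ] || [ "$dir" = "/" ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
}

# Succeeds only when nothing under the account root has other-write set.
account_is_clean() {
    [ -z "$(world_writable_under "$1")" ]
}
```

Run `world_writable_under "$HOME"` for the whole account, and `writable_ancestors` on each config file a script reads; both should print nothing.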

  • 10 years later...
Posted

I realize this topic is very old, but wondered if anything in Apache and/or MySQL or PHP had changed to plug this security hole on shared servers.

Thanks!

 

Posted

It's been 10 years since the last post; lots of changes have been made to the server setup. Apache, PHP and MySQL have been upgraded many times since, but a major change I can point out is that we implemented suPHP, as mentioned HERE
