protect 777 folder?
Moderator: General Moderators
protect 777 folder?
After recently being hacked, I am trying to secure things up. I have a photo system where the script has to create folders and folders for images inside one main folder, phtots. I don't see a way around not having the main photos folder set to 777.
The photos folder only holds images, no php files.
Is there a way to make this folder more secure? Maybe an .htaccess file to only allow like JPG images in the folder & subfolders to be written & read?
The photos folder only holds images, no php files.
Is there a way to make this folder more secure? Maybe an .htaccess file to only allow like JPG images in the folder & subfolders to be written & read?
- Jaxolotl
- Forum Contributor
- Posts: 137
- Joined: Mon Nov 13, 2006 4:19 am
- Location: Argentina and Italy
may be a CHOWN
may be the solution is around a CHOWN mask? anyone has something to say about this option?
-
TheProgrammer
- Forum Newbie
- Posts: 22
- Joined: Mon Nov 27, 2006 12:25 am
Can't you set the folder to lower priority then every time you have to change something in it, use Then when the operation is done set it back to low priority, also with chmod.
Anyway.. why 777? If the script is on the server give it right only for the owner.
Code: Select all
chmod("folder_path", 0777);Anyway.. why 777? If the script is on the server give it right only for the owner.
Think I have come up with a solution of sorts, at least not allow scripts to be executed
.htaccess file:
This way, php and the other file types listed above will only be displayed as text.
But, to be able to limit what is added to the folder through htaccess would be better.
.htaccess file:
Code: Select all
AddType text/plain .txt .php .html .htm .doc .exe .cgiBut, to be able to limit what is added to the folder through htaccess would be better.
- Jaxolotl
- Forum Contributor
- Posts: 137
- Joined: Mon Nov 13, 2006 4:19 am
- Location: Argentina and Italy
Some times the owner is different for example on FTP permissions and script permissions, for example the owner could be johndoe for FTP and for scripting is APACHE, so you should first upload the whole script with another script, by doing this the script will be APACHE as owner and can create and modify folders(they are files too) and files.TheProgrammer wrote:Can't you set the folder to lower priority then every time you have to change something in it, useThen when the operation is done set it back to low priority, also with chmod.Code: Select all
chmod("folder_path", 0777);
Anyway.. why 777? If the script is on the server give it right only for the owner.
Anyway the procedure you're talking about is a good first solution, you enable the permissions before running the upload or creating script and when you're done you disable them. It slow (very) but efficient.
by the way the suggested use of CHMOD is in octals as shown on PHP manual
Code: Select all
<?php
chmod("/somedir/somefile", 755); // decimal; probably incorrect
chmod("/somedir/somefile", "u+rwx,go+rx"); // string; incorrect
chmod("/somedir/somefile", 0755); // octal; correct value of mode
?> PS. to set up the CHOWN permissions you must have the superuser wrights
http://it2.php.net/manual/en/function.chown.php
I never use this function "chown()" before, if someone did it please teach us
The permissions 777 mean the owner has read/write/execute permissions, the owner's group has read/write/execute permissions, and the world has read/write permissions. You could almost certainly get away with removing the worlds permissions, since it will always be apache serving up the files. I'd try changing the permissions to 600. That will mean the owner (I'm assuming apache, or whatever user PHP is running is the owner) has read/write but not execute permissions, and no one else has any permissions at all. This way at least, the hacker will have to act as either apache or root to affect the folder.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
I have tried every possible permission configuration and the only way for the script to be able to create a new folder in a directory is to set the main folder that holds the photos to 777.
I am going to be adding an .htaccess file so that everything that is in the folder will be read as a jpg, so at least no scripts can be run from there.
I have also tried the change from 755, to 777 ... process and back to 755 ... but at 755 it won't allow the script to chmod.
I am going to be adding an .htaccess file so that everything that is in the folder will be read as a jpg, so at least no scripts can be run from there.
I have also tried the change from 755, to 777 ... process and back to 755 ... but at 755 it won't allow the script to chmod.
- Jaxolotl
- Forum Contributor
- Posts: 137
- Joined: Mon Nov 13, 2006 4:19 am
- Location: Argentina and Italy
check configuration
may be ( mostly shure) the script you're running has a chmod check status, like
or something like that
try to change this configuration into a "600" permission type (as pickle said) an then change the folder permission into 600 , then check if it works
Code: Select all
if (!eregi("777",decoct(fileperms($dir_store)))){
}try to change this configuration into a "600" permission type (as pickle said) an then change the folder permission into 600 , then check if it works
That is not going to help in any way. Since the webserver is not the owner of the directories they would need 0777 permission for the webserver to be able to write to them in the first place (unless of course it is running under SuExec).pickle wrote:I'm assuming apache, or whatever user PHP is running is the owner
That is no security feature whatsoever. Any danger comes directly from the file system itself. .htaccess is just a set of instructions for the webserver. And the most likely vunerability to the file system will come from the webserver itself or a CGI run under its ID.tsg wrote:I am going to be adding an .htaccess file so that everything that is in the folder will be read as a jpg, so at least no scripts can be run from there.
yea, but from what I am seeing, and in theory, the hacker would have to be able to upload and execute a file to a directory with 777 permission. If that directory was set with an htaccess file to only mime files as jpgs, then the malicious script they uploaded won't run.bokehman wrote:That is no security feature whatsoever. Any danger comes directly from the file system itself. .htaccess is just a set of instructions for the webserver. And the most likely vunerability to the file system will come from the webserver itself or a CGI run under its ID.tsg wrote:I am going to be adding an .htaccess file so that everything that is in the folder will be read as a jpg, so at least no scripts can be run from there.
In theory, and I have tested, and php files just show as a link name.
I am no security expert, that is why I am trying to figure this all out.
Thanks
If a hacker has sufficient access to the server to write a script to this directory he is already capable of running scripts so it wouldn't matter what you prevent in this particular directory. He can also read any files that contain SQL access passwords. Also if you are going to go this route just send a 404 if the file is not an image and make certain the .htaccess file is not writeable.
I guess all this is better than nothing but SuExec would provide much better security. And none of the above stops the hacker using your site to serve up a load of porn images.
I guess all this is better than nothing but SuExec would provide much better security. And none of the above stops the hacker using your site to serve up a load of porn images.