protect 777 folder?

tsg
Forum Contributor
Posts: 142
Joined: Sun Jan 12, 2003 9:22 pm
Location: SE, Alabama
Contact:

protect 777 folder?

Post by tsg »

After recently being hacked, I am trying to secure things up. I have a photo system where the script has to create folders and folders for images inside one main folder, photos. I don't see a way around not having the main photos folder set to 777.

The photos folder only holds images, no php files.

Is there a way to make this folder more secure? Maybe an .htaccess file to only allow like JPG images in the folder & subfolders to be written & read?
Jaxolotl
Forum Contributor
Posts: 137
Joined: Mon Nov 13, 2006 4:19 am
Location: Argentina and Italy

maybe a CHOWN

Post by Jaxolotl »

Maybe the solution is around a CHOWN mask? Does anyone have something to say about this option?
TheProgrammer
Forum Newbie
Posts: 22
Joined: Mon Nov 27, 2006 12:25 am

Post by TheProgrammer »

Can't you set the folder to lower priority then every time you have to change something in it, use

Code:

chmod("folder_path", 0777);

Then when the operation is done set it back to low priority, also with chmod.
Anyway.. why 777? If the script is on the server give it right only for the owner.
tsg
Forum Contributor
Posts: 142
Joined: Sun Jan 12, 2003 9:22 pm
Location: SE, Alabama
Contact:

Post by tsg »

chown ... how do you find the correct id to use?

777 because it seems to be the only permissions that will work to get the script to create the folders. Maybe if I can figure out the chown, that will fix that.
tsg
Forum Contributor
Posts: 142
Joined: Sun Jan 12, 2003 9:22 pm
Location: SE, Alabama
Contact:

Post by tsg »

Think I have come up with a solution of sorts, at least to not allow scripts to be executed

.htaccess file:

Code:

AddType text/plain  .txt .php .html .htm .doc .exe .cgi

This way, php and the other file types listed above will only be displayed as text.

But, to be able to limit what is added to the folder through htaccess would be better.
Jaxolotl
Forum Contributor
Posts: 137
Joined: Mon Nov 13, 2006 4:19 am
Location: Argentina and Italy

Post by Jaxolotl »

TheProgrammer wrote: Can't you set the folder to lower priority then every time you have to change something in it, use

Code:

chmod("folder_path", 0777);

Then when the operation is done set it back to low priority, also with chmod.
Anyway.. why 777? If the script is on the server give it right only for the owner.
Sometimes the owner is different, for example between FTP permissions and script permissions: the owner could be johndoe for FTP and APACHE for scripting. So you should first upload the whole script with another script; by doing this the script will have APACHE as owner and can create and modify folders (they are files too) and files.

Anyway, the procedure you're talking about is a good first solution: you enable the permissions before running the upload or creating script, and when you're done you disable them. It's slow (very) but efficient.

By the way, the suggested use of CHMOD is in octals, as shown in the PHP manual:

Code:

<?php
chmod("/somedir/somefile", 755);  // decimal; probably incorrect 
chmod("/somedir/somefile", "u+rwx,go+rx"); // string; incorrect     
chmod("/somedir/somefile", 0755);  // octal; correct value of mode
?> 

http://it2.php.net/manual/en/function.chmod.php

PS. To set up the CHOWN permissions you must have superuser rights
http://it2.php.net/manual/en/function.chown.php

I have never used this function "chown()" before; if someone has, please teach us
bokehman
Forum Regular
Posts: 509
Joined: Wed May 11, 2005 2:33 am
Location: Alicante (Spain)

Post by bokehman »

The only secure way is to not have a 0777 directory. Either write the files to this directory using FTP or find a host running SuExec (which allows PHP to run under user IDs different from the user ID of the calling web-server).
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W
Contact:

Post by pickle »

The permissions 777 mean the owner has read/write/execute permissions, the owner's group has read/write/execute permissions, and the world has read/write permissions. You could almost certainly get away with removing the world's permissions, since it will always be apache serving up the files. I'd try changing the permissions to 600. That will mean the owner (I'm assuming apache, or whatever user PHP is running is the owner) has read/write but not execute permissions, and no one else has any permissions at all. This way at least, the hacker will have to act as either apache or root to affect the folder.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
tsg
Forum Contributor
Posts: 142
Joined: Sun Jan 12, 2003 9:22 pm
Location: SE, Alabama
Contact:

Post by tsg »

I have tried every possible permission configuration and the only way for the script to be able to create a new folder in a directory is to set the main folder that holds the photos to 777.

I am going to be adding an .htaccess file so that everything that is in the folder will be read as a jpg, so at least no scripts can be run from there.

I have also tried the change from 755, to 777 ... process and back to 755 ... but at 755 it won't allow the script to chmod.
Jaxolotl
Forum Contributor
Posts: 137
Joined: Mon Nov 13, 2006 4:19 am
Location: Argentina and Italy

check configuration

Post by Jaxolotl »

Maybe (mostly sure) the script you're running has a chmod check status, like

Code:

if (!eregi("777",decoct(fileperms($dir_store)))){
}

or something like that.
Try to change this configuration into a "600" permission type (as pickle said) and then change the folder permission into 600, then check if it works
bokehman
Forum Regular
Posts: 509
Joined: Wed May 11, 2005 2:33 am
Location: Alicante (Spain)

Post by bokehman »

pickle wrote: I'm assuming apache, or whatever user PHP is running is the owner
That is not going to help in any way. Since the webserver is not the owner of the directories they would need 0777 permission for the webserver to be able to write to them in the first place (unless of course it is running under SuExec).
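
Added example, not from any poster in this thread: the PHP function below reports which permission class (owner, group or other) the PHP process falls into for a directory, which is what decides whether anything short of world-write lets it create subfolders. The function name and the temporary demo folder are constructed for illustration, and it assumes the POSIX extension is loaded.

```php
<?php
// Added example: report which permission class PHP falls into for a directory.
// Needs the POSIX extension (posix_* functions), so Unix-like hosts only.

function writeAccessReport(string $dir): array
{
    clearstatcache(true, $dir);
    $mode  = fileperms($dir) & 0777;   // keep permission bits, drop file-type bits
    $owner = fileowner($dir);
    $group = filegroup($dir);
    $euid  = posix_geteuid();          // the user PHP really runs as
    $gids  = array_merge([posix_getegid()], posix_getgroups() ?: []);

    // The kernel consults exactly one class: owner, else group, else other.
    if ($euid === $owner) {
        [$class, $shift] = ['owner', 6];
    } elseif (in_array($group, $gids, true)) {
        [$class, $shift] = ['group', 3];
    } else {
        [$class, $shift] = ['other', 0];
    }
    $bits = ($mode >> $shift) & 07;

    return [
        'mode'           => sprintf('%04o', $mode),
        'php_user'       => posix_getpwuid($euid)['name'] ?? (string) $euid,
        'dir_owner'      => posix_getpwuid($owner)['name'] ?? (string) $owner,
        'class'          => $class,
        // Creating a subfolder needs write AND search (execute) on the parent.
        'can_create'     => $euid === 0 || ($bits & 03) === 03,
        'world_writable' => ($mode & 0002) !== 0,
    ];
}

// Constructed demo: a folder PHP creates itself is owned by PHP's user, so the
// owner bits apply and 0755 is enough; no world-write bit is involved.
$demo = sys_get_temp_dir() . '/photos_demo_' . getmypid();
mkdir($demo);
chmod($demo, 0755);                    // octal literal, as the manual requires
print_r(writeAccessReport($demo));
rmdir($demo);
```

Run against an FTP-uploaded folder from a web request, a `class` of `other` with `can_create` false at 0755 is the situation described above.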
bokehman
Forum Regular
Posts: 509
Joined: Wed May 11, 2005 2:33 am
Location: Alicante (Spain)

Post by bokehman »

tsg wrote: I am going to be adding an .htaccess file so that everything that is in the folder will be read as a jpg, so at least no scripts can be run from there.
That is no security feature whatsoever. Any danger comes directly from the file system itself. .htaccess is just a set of instructions for the webserver. And the most likely vulnerability to the file system will come from the webserver itself or a CGI run under its ID.
tsg
Forum Contributor
Posts: 142
Joined: Sun Jan 12, 2003 9:22 pm
Location: SE, Alabama
Contact:

Post by tsg »

bokehman wrote:
tsg wrote: I am going to be adding an .htaccess file so that everything that is in the folder will be read as a jpg, so at least no scripts can be run from there.
That is no security feature whatsoever. Any danger comes directly from the file system itself. .htaccess is just a set of instructions for the webserver. And the most likely vulnerability to the file system will come from the webserver itself or a CGI run under its ID.
Yea, but from what I am seeing, and in theory, the hacker would have to be able to upload and execute a file to a directory with 777 permission. If that directory was set with an htaccess file to only mime files as jpgs, then the malicious script they uploaded won't run.

In theory, and I have tested, and php files just show as a link name.

I am no security expert, that is why I am trying to figure this all out.

Thanks
bokehman
Forum Regular
Posts: 509
Joined: Wed May 11, 2005 2:33 am
Location: Alicante (Spain)

Post by bokehman »

If a hacker has sufficient access to the server to write a script to this directory he is already capable of running scripts so it wouldn't matter what you prevent in this particular directory. He can also read any files that contain SQL access passwords. Also if you are going to go this route just send a 404 if the file is not an image and make certain the .htaccess file is not writeable.

I guess all this is better than nothing but SuExec would provide much better security. And none of the above stops the hacker using your site to serve up a load of porn images.
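
Added example, not from any poster in this thread: one way to do the "send a 404 if the file is not an image" check is to serve photos through a small PHP gateway that returns only files inside the photos folder whose content parses as JPEG. `PHOTO_ROOT`, the `f` query parameter and `resolvePhoto()` are hypothetical names chosen for this example.

```php
<?php
// Added example. PHOTO_ROOT is a hypothetical path; point it at the real folder.
const PHOTO_ROOT = '/var/www/example/photos';

// Returns the real path of a servable JPEG, or null for anything else.
function resolvePhoto(string $root, string $requested): ?string
{
    $rootReal = realpath($root);
    $path     = realpath($root . '/' . $requested);   // resolves ../ and symlinks
    if ($rootReal === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment: the resolved file must still live under the photos folder.
    if (strpos($path, $rootReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // Decide by parsed image header, not by file extension.
    $info = @getimagesize($path);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return null;
    }
    return $path;
}

// 'f' is a hypothetical query parameter carrying the relative file name.
$path = resolvePhoto(PHOTO_ROOT, (string) ($_GET['f'] ?? ''));
if ($path === null) {
    http_response_code(404);           // not an image, or outside the folder
    exit;
}

header('Content-Type: image/jpeg');
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($path));
readfile($path);                       // bytes are streamed, never interpreted as PHP
```

This only controls what is served; as noted above, it does not stop someone with write access from placing image files in the folder.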