Hi everyone:
I have a dilemma. The host runs on Unix and does not allow the chmod command to be executed from PHP files. But I need to write data into a configuration PHP file from another PHP script. The only way this can happen is by giving this configuration file a 0605 permission (i.e., write permission to "everyone").
I'm new to Unix. Can someone please explain the danger of doing this?
Is it bad to give "world" write perm. to .PHP file
Yes, it's bad.
Imagine giving anyone the ability to run whatever php code they want: Code that exec()'s a shell, reads your files, serves sensitive documents (/etc/passwd) to the internet, and so on.
Giving write access to world in a web accessible directory is a recipe for insecurity.
Instead, put the file that needs to be written to in a non-web accessible directory.
Is it bad to give "world" write perm. to .PHP file
Is it bad to give a suicidal maniac a loaded gun and tell him to try the trigger?
I don't know of any file that I would host in which giving the world write permissions would be good for. This is simply due to common sense security.
Roja has given you about the best solution. Just be sure to make a few backups just in case.
malcolmboston
Well, thanks, pretty clear 
The point is I have no choice other than giving this PHP include file write access (i.e. now it's 0606 and the folder itself is 0755). It's a configuration file that could be written to from an admin access of the site. I brought up this issue to a sysadmin of the host and here's their reply:
My question:
I'm trying to set up our PHP script to work but somehow the chmod command on local files does not work. Is there any way to enable it?
Their Answer:
Only the owner & admin can change the file or folder permissions. PHP scripts don't have that permission. That is pretty much it, yes. Since PHP runs as user httpd, the process does not have the privileges that would allow it to manipulate the permissions of files owned by your user account. Other hosts may allow php_suexec in order to permit chmod() and other privileged functions. This has security issues of its own due to the broad access it gives to web server processes across the board. Either way, there will be a compromise between security and functionality. We've chosen the one that puts the fewest elements at risk in the event of an exploitable bug.
Sad but true. It's a good host (fast and reliable) but they have those darn limitations (now I learn that sockets are allowed for SMTP and HTTP only -- ding it!)
Anyway guys, thanks for your help. The last question would be -- I found out that I can protect the directory with this writable PHP file using Apache with access control by filename.
Here's the .htaccess I put into that folder:
Code:
<FILESMATCH "\.(php|inc)$">
order deny,allow
deny from all
</FILESMATCH>
It seems to block all the attempts to access this file from the browser, but does it make any difference regarding any other security threats?
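Added example, not written by any poster in this thread: one way to follow the advice to keep the writable file out of the web-accessible directory is to store the settings as data that is parsed rather than as a PHP file that is included, so text written into the file by another account is never executed. The path, the setting names and the function names are assumptions for illustration, and the code assumes PHP 7 or later.

```php
<?php
// Added example: settings kept as JSON data, read with json_decode(), never include()d.
// Assumption: hypothetical path outside the document root; the account owner
// pre-creates the file, since PHP on this host cannot chmod() it.
const CONFIG_PATH = '/home/example/private/site-config.json';

// Assumption: the only keys the admin page may change, with their defaults.
const DEFAULTS = ['site_title' => 'My site', 'items_per_page' => 20];

// Reduce any array (form input or file contents) to known keys and sane values.
function clean_config(array $in): array
{
    $cfg = array_intersect_key($in, DEFAULTS) + DEFAULTS;
    if (!is_string($cfg['site_title'])) {
        $cfg['site_title'] = DEFAULTS['site_title'];
    }
    $cfg['site_title'] = substr(strip_tags($cfg['site_title']), 0, 100);
    $n = filter_var($cfg['items_per_page'], FILTER_VALIDATE_INT);
    $cfg['items_per_page'] = ($n === false) ? DEFAULTS['items_per_page'] : max(1, min(100, $n));
    return $cfg;
}

// Called from the admin page after the admin has been authenticated.
function save_config(array $input, string $path = CONFIG_PATH): bool
{
    $json = json_encode(clean_config($input), JSON_PRETTY_PRINT);
    // LOCK_EX keeps two admin requests from interleaving their writes.
    return $json !== false && file_put_contents($path, $json, LOCK_EX) !== false;
}

// Called on every page load. A missing or malformed file falls back to DEFAULTS.
function load_config(string $path = CONFIG_PATH): array
{
    $raw = is_readable($path) ? file_get_contents($path) : false;
    $data = is_string($raw) ? json_decode($raw, true) : null;
    // Text such as "<?php ..." written into the file is not valid JSON, so it
    // is discarded here instead of being executed as it would be by include.
    return clean_config(is_array($data) ? $data : []);
}
```

Values returned by load_config() are still untrusted input when the file is writable by other accounts, so escape them with htmlspecialchars() when printing them into a page.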