Is it bad to give "world" write perm. to .PHP file

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

dc2000
Forum Newbie
Posts: 5
Joined: Mon May 09, 2005 8:49 pm

Post by dc2000 »

Hi everyone:

I have a dilemma. The host runs on Unix and does not allow the chmod command to be executed from PHP files. But I need to write data into a configuration PHP file from another PHP script. The only way this can happen is by giving this configuration file a 0605 permission (i.e., write permission to "everyone").

I'm new to Unix. Can someone please explain the danger of doing this?
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

Yes, it's bad.

Imagine giving anyone the ability to run whatever php code they want: Code that exec()'s a shell, reads your files, serves sensitive documents (/etc/passwd) to the internet, and so on.

Giving write access to world in a web accessible directory is a recipe for insecurity.

Instead, put the file that needs to be written to in a non-web accessible directory.
dc2000
Forum Newbie
Posts: 5
Joined: Mon May 09, 2005 8:49 pm

Post by dc2000 »

Instead, put the file that needs to be written to in a non-web accessible directory.
You mean directory other than htdocs?
infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm

Post by infolock »

Is it bad to give "world" write perm. to .PHP file
Is it bad to give a suicidal maniac a loaded gun and tell him to try the trigger?

I don't know of any file that I would host for which giving the world write permissions would be good. This is simply due to common sense security.

Roja has given you about the best solution. Just be sure to make a few backups just in case ;)
malcolmboston
DevNet Resident
Posts: 1826
Joined: Tue Nov 18, 2003 1:09 pm
Location: Middlesbrough, UK

Post by malcolmboston »

dc2000 wrote:
Instead, put the file that needs to be written to in a non-web accessible directory.
You mean directory other than htdocs?
In the directory above the root of your web folder.
dc2000
Forum Newbie
Posts: 5
Joined: Mon May 09, 2005 8:49 pm

Post by dc2000 »

Well, thanks, pretty clear :)

The point is I have no choice other than giving this PHP include file the write access (i.e. now it's 0606 and folder itself is 0755). It's a configuration file that could be written to from an admin access of the site. I brought up this issue to a sysadmin of the host and here's their reply:

My question:
I'm trying to set up our PHP script to work but somehow chmod command on local files does not work. Is there any way to enable it?
Their Answer:
Only the owner & admin can change the file or folder permissions. PHP scripts don't have that permission. That is pretty much it, yes. Since PHP runs as user httpd, the process does not have the privileges that would allow it to manipulate the permissions of files owned by your user account. Other hosts may allow php_suexec in order to permit chmod() and other privileged functions. This has security issues of its own due to the broad access it gives to web server processes across the board. Either way, there will be a compromise between security and functionality. We've chosen the one that puts the fewest elements at risk in the event of an exploitable bug.
Sad but true. It's a good host (fast and reliable) but they have those darn limitations (now I learn that sockets are allowed for SMTP and HTTP only -- ding it!)

Anyway guys, thanks for your help. The last question would be -- I found out that I can protect the directory with this writable PHP file using Apache with access control by filename.

Here's .htaccess I put into that folder:

Code:

<FilesMatch "\.(php|inc)$">
Order deny,allow
Deny from all
</FilesMatch>
It seems to block all the attempts to access this file from the browser, but does it make any difference regarding any other security threats?
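
An added example, not part of the thread: the .htaccess rule above only governs HTTP requests and leaves the file's mode bits untouched, so this shell check lists the .php/.inc files and directories under a tree that still carry the "other" write bit (such as the 0606 file discussed here). The function names are hypothetical, and the directory to check is passed as the first argument.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Pass the directory to check (for instance the htdocs folder) as $1.

# Print every .php/.inc file under $1 whose "other" write bit is set
# (modes such as 0606 or 0666): the mode lets any local account rewrite it.
world_writable_php() {
    find "$1" -type f \( -name '*.php' -o -name '*.inc' \) -perm -0002 -print
}

# Print every directory under $1 whose "other" write bit is set:
# any local account can create files there.
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print
}

# Report both findings; return 0 when the tree is clean, 1 otherwise.
audit_docroot() {
    files=$(world_writable_php "$1")
    dirs=$(world_writable_dirs "$1")
    if [ -z "$files" ] && [ -z "$dirs" ]; then
        return 0
    fi
    if [ -n "$files" ]; then
        printf '%s\n' "$files" | sed 's/^/world-writable script: /'
    fi
    if [ -n "$dirs" ]; then
        printf '%s\n' "$dirs" | sed 's/^/world-writable directory: /'
    fi
    return 1
}

# Run the audit only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_docroot "$1"
fi
```
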