Simple question about chmod 777

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Maugrim_The_Reaper wrote: Directories do NOT require execute permissions. Read allows access to internal files, or a file listing. Execute permissions allow it to be set as a working directory, i.e. accessed via ssh or other. So 777 is not a good setting for a directory.
I'm not sure that is correct. Execute permission on a directory means that you can traverse it. Try setting a folder on an Apache web server to chmod 444 (r--r--r--) and then try to pull it up on a browser. You will get a forbidden error regardless of who the folder is owned by.

It's not the php application that requires the high permissions on a folder. A folder is accessible (by a script) just fine with 555 (r-xr-xr-x). If you have a script which needs to write to that folder though, you have to make the directory writeable by the user the script is running under. If the script user was the owner of the folder, the script would work just fine (reading and writing to the folder, not running from the folder) with permissions as low as 644 (rw-r--r--), but with permissions that low, you again run into the problem that the directory is no longer traversable by Apache, and internet users will get a forbidden error. In order for users to be able to access the files in the folder, the folder must have execute (traverse) permissions, which brings you back up to 755 (rwxr-xr-x) at the very least. On top of all that, if Apache isn't running under the same user who owns the folder (which it hardly ever is), you're back up to 777 again just to get it working. That is why.

Maugrim_The_Reaper wrote: Not even files need 777 in most cases. If an application states that as a requirement there's a good chance it's dead wrong and it's encouraging you to practise bad security. Unfortunately it's common...
This is true. Unless a php script requires write access to itself, it should run just fine at 555 (r-xr-xr-x). An upload script would be fairly secure IF it chmod'ed all uploaded files to something like 444 (r--r--r--). You could even go as far as running a cron job to verify permissions.
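
Added example, not part of any post in this thread: a shell probe of the directory permission bits discussed above, reporting for modes 444, 555 and 755 whether the owning user can list the directory, reach a file inside it, and create a file in it. The function name probe_dir_mode is an assumption of the example; run it as a non-root user, since root bypasses these checks.

```shell
#!/bin/sh
# Added illustration: what each directory mode allows the owning user.
# probe_dir_mode is a hypothetical helper name, not from the thread.

probe_dir_mode() {
    mode=$1
    d=$(mktemp -d) || return 1          # constructed scratch directory
    echo "data" > "$d/file.txt"
    chmod "$mode" "$d"

    list=no; traverse=no; write=no
    # r bit: read the directory's list of names.
    if ls "$d" >/dev/null 2>&1; then list=yes; fi
    # x bit: resolve a name inside the directory, which is what a web
    # server has to do before it can serve a file from it.
    if cat "$d/file.txt" >/dev/null 2>&1; then traverse=yes; fi
    # w bit (only effective together with x): create or delete entries.
    if ( : > "$d/new.txt" ) 2>/dev/null; then write=yes; fi

    # Restore a mode that allows cleanup, then remove the scratch directory.
    chmod 755 "$d" && rm -rf "$d"
    echo "$mode list=$list traverse=$traverse write=$write"
}

for m in 444 555 755; do
    probe_dir_mode "$m"
done
```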
seodevhead
Forum Regular
Posts: 705
Joined: Sat Oct 08, 2005 8:18 pm
Location: Windermere, FL

Post by seodevhead »

Here is the workaround I came up with for my situation with the upload folder. I deleted the upload folder and its contents and recreated it using mkdir() in php (so that the folder would be owned by 'nobody'). Now the folder can be fully functional with chmod 755. Am I good to go with this? Let me know if this works and is a secure solution. Thanks!
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Sounds like a great solution. Just make sure the uploaded files get chmod'd to 644 or preferably 444 if it works.
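
Added example, not part of any post: one way to write the cron-run permission check mentioned earlier in the thread, together with the chmod-to-444 step suggested here. The function names, UPLOAD_DIR and the sample tree are assumptions of the example, and the sample files are constructed.

```shell
#!/bin/sh
# Added illustration of a permission check for an upload directory,
# suitable for running from cron as the user that owns the files.

# Report regular files whose mode is not exactly 444, and directories
# that are world-writable (the last "7" in 777).
audit_uploads() {
    dir=$1
    find "$dir" -type f ! -perm 444 -print
    find "$dir" -type d -perm -002 -print
}

# Reset uploaded files to read-only and drop world-write from directories.
fix_uploads() {
    dir=$1
    find "$dir" -type f ! -perm 444 -exec chmod 444 {} +
    find "$dir" -type d -perm -002 -exec chmod o-w {} +
}

# Constructed sample tree so the script runs on its own.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/thumbs"
    : > "$t/ok.jpg";        chmod 444 "$t/ok.jpg"
    : > "$t/writable.jpg";  chmod 644 "$t/writable.jpg"
    : > "$t/thumbs/t1.jpg"; chmod 777 "$t/thumbs/t1.jpg"
    chmod 777 "$t/thumbs"
    chmod 755 "$t"
    echo "$t"
}

UPLOAD_DIR=$(make_sample_tree)
echo "Before fix:"; audit_uploads "$UPLOAD_DIR"
fix_uploads "$UPLOAD_DIR"
echo "After fix:";  audit_uploads "$UPLOAD_DIR"
rm -rf "$UPLOAD_DIR"
```

The audit function only reports; keeping it separate from the fix lets a cron job mail the findings instead of silently changing modes.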
Destiny
Forum Newbie
Posts: 4
Joined: Sun Sep 10, 2006 6:11 am

Post by Destiny »

Okay, I know this topic is a bit old, but still... I want to start the discussion again.

I read all posts, still I am not sure what to do.
I am the creator of a php photoblog script, which is used by quite a lot of people.
I have an image directory, and in the image directory, a thumbnail directory. My script needs full access to the thumbnail directory, which means it has to be able to create, modify and delete files within it. Which leaves me to 777 I think, because it doesn't work with anything except 777.
I have tried creating the folder with php, but it wouldn't work (at least not on my server).
Now I can't make things too complicated, as this script is supposed to be used by many people, people that are not familiar with lots of security settings. So it should be easy to use.
Do I have any possibilities left besides chmoding to 777? I wouldn't really know how to solve this with better coding....

thanks in advance...
wei
Forum Contributor
Posts: 140
Joined: Wed Jul 12, 2006 12:18 am

Post by wei »

Here is another question. If PHP creates a directory with permissions 755 (rwxr-xr-x), and then creates another directory within that directory with 755 (rwxr-xr-x). Assume the server is configured such that these created directories are owned and grouped by the server process and hence writable by PHP.

Now there are some implications,

1) the disk quota for these files does not belong to the user account.
2) the inner directory cannot be deleted with a user account, chown is required, but no permission
3) only the php/web server process has permission (or root) to delete these files, and it means creating a script to be run in the web server to delete these directories (or chown them)

Are there any solutions in a shared server environment to the above implications? That is, 1) have correct quota, and 2) the user account is able to delete those files and directories?