Directory permissions

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Directory permissions

Post by Luke »

Is it potentially dangerous to set directory permissions to 777? If so, are there exceptions?
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Yes, it is potentially dangerous because you are giving the world read/write/execute privileges on that folder and subsequent folders below it. A lot of times, apps will stipulate that a directory needs to be that way (like for file uploads and content editing that is file-based). There is an alternative, but it kind of discriminates against shared hosting accounts. That is, when the server needs to be written to, assign the server as the owner of the folder so it can do what it needs to without the app needing permission.

I ran into this with AKA Panama Jack's Template Like compiling feature. It is actually nice to have write access to the server without having to let the world have that access as well. Of course, my server is a dedicated server and if you don't have root access, then I don't think you can change the ownership of a folder, just the permissions.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Re: Directory permissions

Post by timvw »

The Ninja Space Goat wrote: is it potentially dangerous to set directory permissions to 777?
It's plain stupid (unless it's absolutely required, but until now these situations have been very, very rare)
The Ninja Space Goat wrote: If so, are there exceptions?
No.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

I have a php-based file management system that can create directories, but unless chmod is set to 777, you can't read the files from it. I am scrapping this program eventually, but for now, I'd like to keep it as secure as possible. What could I do differently than give full permissions to all? (I can't really post any code right now, but I will tomorrow when I am at work)
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Are you on a shared or dedicated server? What is your server software and OS?
AKA Panama Jack
Forum Regular
Posts: 878
Joined: Mon Nov 14, 2005 4:21 pm

Post by AKA Panama Jack »

The biggest problem with permissions isn't so much the attribute setting as it is the file and directory ownership.

Usually you will not have a problem with permissions on most shared hosting sites. This is because the ownership of files and directories created through an FTP upload or a file manager similar to CPanel will have the SAME ownership as Apache/PHP. In those cases you can usually get by with permissions set as low as 0700 (only the owner can read, write and execute).

The problem usually comes with dedicated servers where the FTP accounts have different owners and groups than the one used by Apache/PHP. So when you upload files through your FTP account the ownership of the files and directories does not match the owner or group executing Apache/PHP. Then you have to set the OTHER owner attributes for those files and directories to be accessed. That in conjunction with the owner and group attributes being set means anyone can access the files and directories.

If at all possible the FTP account should have at least the same group ownership as Apache/PHP. Then the highest attribute setting you would need is 0770 but that would mean that anything in that group could access those files and directories.

Like I said, most commercial shared hosting already has everything set up so you don't have to worry about the permissions as much. But since there are so many home grown and dedicated servers that have ownership settings that aren't quite right, many developers, especially of open source programs, just require 0777 for directory attributes. It's easier to do that than try to explain in the documentation how to find the ownership of the Apache/PHP process your site is using and then chown your directories to match.

Plus some dedicated and almost all shared hosting services have the ability to chmod and chown through PHP and/or FTP disabled for security reasons.

On some of my recent stuff I have just taken to using the is_writable PHP function to check if I can write to a directory and then throwing an error detailing the problem and what needs to be done to fix it. I don't even check for permissions anymore because of the ambiguities of so many different server configurations out there.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

The Ninja Space Goat wrote: unless chmod is set to 777, you can't read the files from it
I don't believe you. Only one of (user-group-others, the one that belongs to the userid that is running the webserver) needs rights to read the file (and thus execute and write are not needed).
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

A directory should only require chmod 764 to read, files only need 744. As a rule of thumb you should try these where write permissions are not required by any user/process outside of the owner.

I find the largest problem with 777 recommendations is that they are the most permissive and assume the user can't handle permissions. I would suggest you figure out:

User Apache/PHP runs as
Whether FTP uploads files and sets Apache as owner
What permissions a file is given by Apache itself (when PHP writes one)
Whether permissive "Other" permission sets are needed (one would hope not - even if it means you need to use PHP itself to delete the files)

Something along those lines will let you profile how permissions work on your server/shared host account, letting you make more informed permission decisions. It's worth the trouble if it will give an out from using 777.

On a side note, several open source PHP apps actually detect 777 permissions directly, which is annoying. They report errors even when PHP can read/write under a lesser permission level.
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

I've had problems with CHMOD before. I've often not bothered looking into the correct CHMOD to use and just slumped with 0777 - but this was only for personal use apps.

I've often had trouble with file upload/management apps where it won't upload to a directory because of permissions, and the only way I could find to solve it was to use a recursive function to CHMOD the directory and every file/dir in it to 0777; CHMOD'ing only the directory wouldn't work. One particular app I built I had to use this function every time I uploaded a file to avoid permission errors.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

My strategy for giving access rights is simply:

- deny everything (to myself, group and others)
- grant only what's absolutely required (not absolutely true, since I give myself the rights to read-write all my files.. And I'm sure there are some files generated by the webserver that I want to read or write)

It can take a little while to figure out which users/groups need access.
But there is no need to repeat it every time, just write a simple script that remembers all your decisions.. And then modify the script according to eventual changes... Probably not very useful, since every configuration is quite different, but it can serve as an example: http://timvw.madoka.be/programming/bash/chmoder.txt.
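The deny-then-grant approach described in the post above, as an added shell example that is not part of the thread and is not the chmoder script linked there. The tree layout, the grants-file format and the modes in it are constructed for illustration, and the group grants assume the web server user shares the files' group.

```shell
#!/bin/sh
# Added example, not timvw's chmoder script: deny first, then grant from a list.

# apply_policy ROOT GRANTS
# GRANTS holds "MODE RELATIVE/PATH" lines; lines starting with '#' are comments.
apply_policy() {
    root=$1
    grants=$2
    # Step 1, deny: group and others lose everything; the owner keeps
    # read-write on files and read-write-search on directories.
    find "$root" -type d -exec chmod 700 {} + || return 1
    find "$root" -type f -exec chmod 600 {} + || return 1
    # Step 2, grant: give back only what the list names.
    while read -r mode path; do
        case $mode in ''|'#'*) continue ;; esac
        case $path in
            /*|*..*) echo "refusing path outside tree: $path" >&2; return 1 ;;
        esac
        chmod "$mode" "$root/$path" || return 1
    done < "$grants"
}

# world_writable ROOT: print every file or directory that "others" can write to.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002
}

# demo: build a constructed site tree left at 777, apply the policy and print
# the number of world-writable entries before and after.
demo() {
    site=$(mktemp -d) || return 1
    mkdir -p "$site/public_html/uploads" "$site/logs"
    : > "$site/public_html/index.php"
    : > "$site/logs/app.log"
    chmod -R 777 "$site"
    before=$(( $(world_writable "$site" | wc -l) ))
    # Constructed grants; assumes the web server user is in the files' group.
    cat > "$site.grants" <<'EOF'
# mode path
750 public_html
640 public_html/index.php
770 public_html/uploads
EOF
    apply_policy "$site" "$site.grants" || return 1
    after=$(( $(world_writable "$site" | wc -l) ))
    rm -rf "$site" "$site.grants"
    echo "$before $after"
}
demo
```

Keeping the grants file under version control gives the "script that remembers all your decisions", and `world_writable` can be run on a schedule to catch anything that drifts back to 777.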
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

I'm not sure I fully understand file permissions. I have set them to 755 and I can still read from the directories... I need to do some (real) reading.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Here is a cool little article on file permissions. I think default permissions are 755...

Owner   Group   User
-----   -----   ----
rwx     r-x     r-x
So this means that the owner of the file has Read (r=4), Write (w=2) and eXecute (x=1) permissions on the file, the group that the file is owned by has Read and eXecute permission and so do all the users that are not part of the group (which I believe is where site visitors go). I think the risk that folks bring up is in the last number being 7. That means that general population folks have write access to the file/directory in addition to read and execute permissions.

I am still trying to wrap my mind around this concept, but from what I have researched, 755 or lower is a more secure way of going and 777 is not as secure as you can be.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Everah wrote: I think default permissions are 755...
If you really want to know how the 'default permissions' are determined, you'll have to stfw/rtfm/... for 'umask'.
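An added example, not part of the thread, of the umask rule referred to above: a new file is requested with mode 666 and a new directory with 777, and the creating process's umask clears bits from that request. The function names are made up for this example.

```shell
#!/bin/sh
# Added example: how umask turns the requested mode into the mode a new
# file or directory actually gets.

# expected_mode REQUESTED UMASK: print REQUESTED with the UMASK bits cleared.
expected_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# check_umask UMASK: create a file and a directory under UMASK and succeed
# only if their real modes equal the computed ones.
check_umask() {
    want_file=$(expected_mode 666 "$1")   # the shell's ">" requests 0666
    want_dir=$(expected_mode 777 "$1")    # mkdir requests 0777
    tmp=$(mktemp -d) || return 1
    ( umask "$1" && : > "$tmp/file" && mkdir "$tmp/dir" ) || return 1
    got_file=$(find "$tmp/file" -prune -perm "$want_file")
    got_dir=$(find "$tmp/dir" -prune -perm "$want_dir")
    rm -rf "$tmp"
    [ -n "$got_file" ] && [ -n "$got_dir" ]
}

# 022 is a common default and yields the 755/644 pair; 027 and 077 are stricter.
for um in 022 027 077; do
    if check_umask "$um"; then
        echo "umask $um: dirs $(expected_mode 777 "$um"), files $(expected_mode 666 "$um")"
    else
        echo "umask $um: created modes differ from the computed ones" >&2
    fi
done
```

The umask that matters for files PHP creates is the one of the web server process, not the one in your FTP or shell session.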
JacekN
Forum Newbie
Posts: 2
Joined: Sat Jun 03, 2006 3:53 pm

Post by JacekN »

I have a php script that creates a log file outside of public_html directory. The file is there but the owner and group are set to a number - not my id. In my script, I do a chmod 777 on the log file and it does set those parameters but I cannot delete the file using an FTP client.

I tried chown in the same script that creates a file but it doesn't have permissions to run.

Is there a way to set the owner at the time of file/directory creation?
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

JacekN wrote: I have a php script that creates a log file outside of public_html directory. The file is there but the owner and group are set to a number - not my id. In my script, I do a chmod 777 on the log file and it does set those parameters but I cannot delete the file using an FTP client.
The files are owned by the userid that executed the scripts (typically, your webserver user, usually nobody or www-data).
If I'm not mistaken you would need to give your useraccount 'write' rights to the directory that contains the 'files'...