777 issue

julian_lp
Forum Contributor
Posts: 121
Joined: Sun Jul 09, 2006 1:00 am
Location: la plata - argentina

777 issue

Post by julian_lp »

I've the following folder structure:

public_html
   |--->galleries
           |--->gallery
                     |--->images

I need to be able to write/delete files on gallery, from script running on galleries, and upload files (and delete them) to images, always from script on galleries.


In one of the shared servers I tested my script, it worked fine. All the folders have 755 permission

On the other hand, in another server I had to chmod 777 both gallery and images to not get "is not within the allowed path" kinda errors.

(In both cases, all the folders were created through an FTP account, not by a php script)

Can anyone elaborate about this issue, how should it be solved (if there is a way), and what are the risks of having 777 directories?
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Re: 777 issue

Post by timvw »

julian_lp wrote: Can anyone elaborate about this issue, how should it be solved (if there is a way), and what are the risks of having 777 directories?
What do you know about file permissions on ext2? Which articles have you read so far?

Things to look up (the help of a sysadmin may be handy):
- the owners (and group) to which the directories belong (from / to / .... / images)
- under which user account (and group) are the scripts executed? Do they belong to any of the groups found in the list of directories above? Or are they in certain areas part of the 'others'.
- what are the default file creation settings in your ftpd configuration?
julian_lp
Forum Contributor
Posts: 121
Joined: Sun Jul 09, 2006 1:00 am
Location: la plata - argentina

Re: 777 issue

Post by julian_lp »

timvw wrote:
julian_lp wrote: Can anyone elaborate about this issue, how should it be solved (if there is a way), and what are the risks of having 777 directories?
What do you know about file permissions on ext2? Which articles have you read so far?

Things to look up (the help of a sysadmin may be handy):
- the owners (and group) to which the directories belong (from / to / .... / images)
- under which user account (and group) are the scripts executed? Do they belong to any of the groups found in the list of directories above? Or are they in certain areas part of the 'others'.
- what are the default file creation settings in your ftpd configuration?

Ohhh, I thought there would be a short answer like "Hey! do that..."

I've been reading a lot of articles, but I just think I've not enough knowledge to follow them. Although there seems to be some kind of opposite opinions with regard to this topic, for instance, here:


http://www.simplemachines.org/community ... ic=2987.30

the guy is almost saying "come on, just chmod it 777 and don't worry about that"

When you say "owners, group", you're talking about Unix/Linux filesystem right? Or is it some kind of hidden php feature?

I thought that on every shared server, I would be able to write/delete to every folder (whose parent is my local_html ) I wanted. That seems not to be the case.

I've read this topic, although it seems to be dead with unanswered questions...

http://www.devnetwork.net/forums/viewto ... c&start=30


I'll continue reading. Meanwhile, if anyone likes, feel free to elaborate a little more please ;)
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

julian_lp wrote: the guy is almost saying "come on, just chmod it 777 and don't worry about that"
It'll work, but is bad security practice.

julian_lp wrote: When you say "owners, group", you're talking about Unix/Linux filesystem right? Or is it some kind of hidden php feature?
Unix, not PHP or FTP.

julian_lp wrote: I thought that on every shared server, I would be able to write/delete to every folder (whose parent is my local_html ) I wanted. That seems not to be the case.
Nope, and that's because of file permissions.

The 777 is three digits, each representing Owners, Group, World. Owner is (usually) you. Group is people in your group. World is any user on the server. 7 = 4 + 2 + 1, where the 4 grants read access, the 2 grants write access, and the 1 grants execute access.

So, for example, if you write 755, the owner is allowed to read/write/execute the file, while group+world can only read or execute. 000 means no one is allowed to read/write/execute.

Only the owner of the file is allowed to chmod it.
julian_lp
Forum Contributor
Posts: 121
Joined: Sun Jul 09, 2006 1:00 am
Location: la plata - argentina

Post by julian_lp »

Ambush Commander wrote:
I thought that on every shared server, I would be able to write/delete to every folder (whose parent is my local_html ) I wanted. That seems not to be the case.
Nope, and that's because of file permissions.

The 777 is three digits, each representing Owners, Group, World. Owner is (usually) you. Group is people in your group. World is any user on the server. 7 = 4 + 2 + 1, where the 4 grants read access, the 2 grants write access, and the 1 grants execute access.

So, for example, if you write 755, the owner is allowed to read/write/execute the file, while group+world can only read or execute. 000 means no one is allowed to read/write/execute.

Only the owner of the file is allowed to chmod it.

So far so good, quite clear explanation. Now comes the obvious question:

What should I do in order to be the folder's owner? I mean, is there anything I can do?
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

It depends on what sense. Strictly speaking, you own the file when you can ssh in and then ls -l, and see that the owner column is set to you.

But the PHP script is run from the perspective of the webserver. So we ask: who is the webserver running under: your Unix user, or some generic webserver user? If it is running from your name (and it should be), then it should be able to chmod. If it's from a generic user, you're outta luck, and will have to chmod it 777.
julian_lp
Forum Contributor
Posts: 121
Joined: Sun Jul 09, 2006 1:00 am
Location: la plata - argentina

Post by julian_lp »

Ambush Commander wrote: It depends on what sense. Strictly speaking, you own the file when you can ssh in and then ls -l, and see that the owner column is set to you.

But the PHP script is run from the perspective of the webserver. So we ask: who is the webserver running under: your Unix user, or some generic webserver user? If it is running from your name (and it should be), then it should be able to chmod. If it's from a generic user, you're outta luck, and will have to chmod it 777.

Firstly, many thanks for your fast response.

With regard to the webserver, I've only a username and password for an FTP account, and a public_html folder access, so I have no @#$"!$ idea what user Apache is running under. In short, I'll have to chmod it to 777.
Anyway, it's a quite interesting topic which I'll try to gain good knowledge about.
julian_lp
Forum Contributor
Posts: 121
Joined: Sun Jul 09, 2006 1:00 am
Location: la plata - argentina

Post by julian_lp »

I kept thinking about one thing, so I'll put it here:

On a Shared Server, could Apache (and php) be configured to run individually with every account? (that seems to be the right way)

I ask this cause I've a couple of sites whose folders are 755 and I'm perfectly able to write/delete on every folder I create down in the hierarchy. I'm wondering whether other apache/php users on the same server, are owners of my folders or not. I guess they would be owners if apache ran under one unique user :roll:
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

I'm not really qualified to answer, as I don't run a shared hosting company, but yes, I'm fairly certain they can. Virtual hosts and stuff.

If that's not the case, they should have some other sort of protection in place to prevent other users from meddling with your files. But you never know... ;-)
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

julian_lp wrote: So far so good, quite clear explanation. Now comes the obvious question:
What should I do in order to be the folder's owner? I mean, is there anything I can do?
Apart from the quick introduction, you still have to figure out what the effects of rwx on a directory are... What does it mean that you can 'execute' a directory? ..

Once you've done that, you'll have to write down your scheme... For each directory find out who owns it, who needs access... Once you know that you can derive the required rights. As long as you don't do that, you'll only be second guessing... and praying that it works...

In the apache2handler section of phpinfo input you find the user/group that is executing the script. (As I wrote before: simply ask your sysadmin or consult her FAQ.)
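
Added example, not part of any post in this thread: a PHP sketch of the scheme timvw describes, using the octal digits Ambush Commander explains above. For each directory it reports which class (owner, group or world) the PHP process falls into and the narrowest mode that would let it create and delete files; the directory names are assumptions taken from the layout in the first post, and PHP's posix extension is required.

```php
<?php
// Which permission triplet applies to a process, given the directory's owner/group?
function permission_class(int $uid, array $gids, int $owner, int $group): string
{
    if ($uid === $owner) {
        return 'owner'; // owner bits win even if group/world bits are looser
    }
    return in_array($group, $gids, true) ? 'group' : 'world';
}

// Bit offset of each class inside a mode such as 0755.
const SHIFT = ['owner' => 6, 'group' => 3, 'world' => 0];

// Creating or deleting entries in a directory needs write (2) plus search (1).
function can_modify_dir(int $mode, string $class): bool
{
    return ((($mode >> SHIFT[$class]) & 7) & 3) === 3;
}

// Narrowest mode that adds write+search for that one class only.
function minimal_mode(int $mode, string $class): int
{
    return $mode | (3 << SHIFT[$class]);
}

function audit(array $dirs): void
{
    $uid  = posix_geteuid();
    $gids = array_merge([posix_getegid()], posix_getgroups() ?: []);
    $name = posix_getpwuid($uid)['name'] ?? (string) $uid;
    echo "PHP runs as: $name (uid $uid)\n";
    foreach ($dirs as $dir) {
        if (!is_dir($dir)) {
            echo "$dir: not found\n";
            continue;
        }
        $mode  = fileperms($dir) & 0777;
        $class = permission_class($uid, $gids, fileowner($dir), filegroup($dir));
        $need  = can_modify_dir($mode, $class) ? $mode : minimal_mode($mode, $class);
        printf("%-16s mode %04o, PHP is '%s', needs %04o%s\n", $dir, $mode, $class, $need,
            ($need & 2) ? ' (world-writable: any account on the server can write)' : '');
    }
}

// Assumed paths, following the layout in the first post; adjust to your account.
audit(['gallery', 'gallery/images']);
```

Run it from the directory that holds the scripts (galleries in the first post). It reads plain mode bits only, so ACLs and open_basedir restrictions are not reflected in the result.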
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

I guess that's a drawback with (many) shared hosting plans. Mind you, I've always been on shared hosting because the difference in price ($2 vs $20+) is still a bit too large to go for dedicated.

One other very annoying problem I've had with some gallery scripts is not being able to edit or delete the folders/files which have been created by the script. It's like the script runs as a different user than the server/ftp user. So after the script has created files or folders I can't even access them with my ftp account or from the control panel on the server.

I think on many/some shared hosts the individual accounts are "protected" by setting the open_basedir directive, which limits the files that can be opened by PHP to a specific directory (i.e. your account on the shared host).