PHP application permissions

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

georgeoc
Forum Contributor
Posts: 166
Joined: Wed Aug 09, 2006 4:21 pm
Location: London, UK

PHP application permissions

Post by georgeoc »

Hi all,

I have a fairly straightforward question about the permissions I should use on the files in my PHP application. I expect this has been answered at length elsewhere on this forum and on the net, but I'd love some intelligent advice from the devnet community to avoid any security issues.

My requirements are very simple - I am working on a PHP app with a few hundred files, which will eventually be distributed as an Open Source package. Apart from a single directory, which the webserver should have write permissions for in order to write a configuration .ini file, all the files in the app need only be readable by the webserver. However, while I develop the app, I naturally need read and write permissions for all the files so I can edit them.

(N.B. I'm using Mac OS X, so assume UNIX filesystem and commands).

My confusion comes in when setting the user and group of the files. My webserver runs under user www, and I am user george on my system. So what user and group should I set the files to for development?

When I am ready to distribute the app, do I need to change user, group and/or permissions at all? And what happens when a user uploads the app to a webserver using FTP - do things get screwed up? I'm sure I could find all the answers myself by doing tests, but I'd really like to follow best practice as this is an important project.


For permissions, I guess I should use the following:

640 for files (user read and write, group read)
750 for dirs (add execute bit for both user and group)
770 for my config directory

Is this the most secure for my needs? I get in a muddle because I don't know whether I should have the files as owned by george but accessible by www by adding www to group george, or the other way round - owned by www but accessible by george.

Please help!!!
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Aren't file permissions determined when the files are uploaded to the user's system?
georgeoc
Forum Contributor
Posts: 166
Joined: Wed Aug 09, 2006 4:21 pm
Location: London, UK

Post by georgeoc »

I don't know the answer to that. Do you mean when they upload with FTP? In my client I can specify a umask for uploading, or I can retain the current permissions of the files. Anyway, what I want to know is what permissions I should give the files before I distribute them. Perhaps I should instruct the user to confirm they are correct as part of the installation procedure?

What would you experts do? Imagine it's a new CMS or something (it isn't, but it has similarities).
georgeoc
Forum Contributor
Posts: 166
Joined: Wed Aug 09, 2006 4:21 pm
Location: London, UK

Post by georgeoc »

Well, no further answers, so I've worked on my own. I have changed the owner of the files to www, and the group to admin. I have set permissions of 460 for all files (www can read only, I can read and write) and 570 for all directories (www can read and execute, I can do everything), with the exception of the config directory which is 770 (www can write to this dir only).

How does that look? The PHP app runs as normal, and I can edit the files without an admin password, so I'm happy. I'd still like some more info on what will happen when I distribute the package and a user uploads it via FTP: should I advise them to reset the permissions like this, or will they stay intact? I'm just after a secure, best-practice solution that you would use for an Open-Source app.

Thanks again!
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I don't think they will stay intact. I believe that whatever the permissions are on the folder that they are uploaded to will be assigned to the files, and that the user would have to manually chmod the folder/files to change the permissions.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Here's my opinion:

The user uploads the files (so they belong to him). Since they belong to him, I would expect the files to exist somewhere in /home/user (and not in /var/www).

Since the user wants to give a specified group of users access, I would suggest that he chowns the files to user:group and makes sure the group gets the needed values.

Since others don't have affairs with the website, they aren't granted any rights.

Maintaining permissions is an annoying task. So I would recommend that you take the time once to think about permissions, wrap it up in a script and then modify the script as requirements change. (This way you don't have to rethink the whole structure anymore.)

e.g.:

[syntax lang="bash"]
#!/bin/bash
# No space after "=": with a space, bash leaves BASEDIR empty and tries to run /home/timvw
BASEDIR=/home/timvw
WEBDIR="$BASEDIR/web"

# give user all rights (and remove rights from others)
chmod 700 "$BASEDIR"
find "$BASEDIR" -type d -exec chmod 700 {} \;
find "$BASEDIR" -type f -exec chmod 600 {} \;

# allow user to run scripts in bin
find "$BASEDIR/bin" -type f -exec chmod u+x {} \;

# gradually add rights so www-data can access webfiles
chmod g+x "$BASEDIR"
chmod g+x "$WEBDIR"
chmod o+x "$WEBDIR/private"
chmod o+r "$WEBDIR/private/.htpasswd"
chmod o+r "$WEBDIR/private/timvwblog.php"
chmod o+rx "$WEBDIR/www.timvw.be"
find "$WEBDIR/www.timvw.be" -type f -exec chmod o+r {} \;
find "$WEBDIR/www.timvw.be" -type d -exec chmod o+x {} \;

# the stats script must stay executable for its owner
chmod u+x "$WEBDIR/www.timvw.be/cgi-bin/awstats/awstats.pl"
[/syntax]
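
The 640/750/770 layout proposed in the first post, wrapped in a script as suggested above and followed by an audit that reports drift (for example after an FTP upload). This is an added example, not code posted by anyone in the thread; the directory name `config`, the function names and the optional group argument are assumptions.

```shell
#!/bin/bash
# Added example. Assumptions: the webserver-writable directory is ROOT/config,
# and the caller owns the tree (chgrp needs membership in the target group).

# apply_policy ROOT [GROUP]: files 640, directories 750, ROOT/config 770.
apply_policy() {
    local root=$1 group=${2:-}
    if [ -n "$group" ]; then
        chgrp -R "$group" "$root"   # group that contains the webserver user
    fi
    # "\;" so each directory is fixed before find descends into it
    find "$root" -type d -exec chmod 750 {} \;
    find "$root" -type f -exec chmod 640 {} +
    chmod 770 "$root/config"
}

# audit_policy ROOT: print one line per deviation; return 1 if any were found.
audit_policy() {
    local root=$1 findings
    findings=$(
        # Any "other" permission bit on a file or directory
        find "$root" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) |
            sed 's/^/other-access /'
        # Group write anywhere outside the config directory
        find "$root" -path "$root/config" -prune -o ! -type l -perm -020 -print |
            sed 's/^/group-write /'
        # The config directory itself must be exactly 770
        [ -n "$(find "$root/config" -prune -type d -perm 770)" ] ||
            echo "config-mode $root/config"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use: ./perms.sh /path/to/app [group]
if [ "$#" -ge 1 ]; then
    apply_policy "$@" && audit_policy "$1"
fi
```

Running only `audit_policy` on an uploaded copy shows which paths the transfer left readable by others or writable by the group, without changing anything.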
georgeoc
Forum Contributor
Posts: 166
Joined: Wed Aug 09, 2006 4:21 pm
Location: London, UK

Post by georgeoc »

Thanks for that - I like the idea of writing a simple bash script like that. I can certainly see the use, and will get to work on it now.