File permissions changed by PHP

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

File permissions changed by PHP

Post by alex.barylski »

I need to edit a file stored in document root. Shared host, no access to outside root and PHP is being run as Apache module.

In order to modify the file it needs to have 777 as its permissions.

I'm thinking by default I could make the file 775 and inside my PHP script I could breifly CHMOD the file to 777, write my changes and CHMOD back to 775 - with file locking of course. :P

Can anyone see any problems with this solution? I know there are better ways of solving the issue (storing in a database or outside of docroot) but my circumstances don't allow it. The file *must* reside in docroot alongside the index.php script and PHP cannot be switched to run as suexec - it's an Apache module...

Comments?
User avatar
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: File permissions changed by PHP

Post by VladSun »

Who's the owner of this file?
There are 10 types of people in this world, those who understand binary and those who don't
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: File permissions changed by PHP

Post by alex.barylski »

Ugh...good point... :P

I'd have to set the owner to 'www-data' or whatever Apache is, if PHP were to change it's permissions...

Doh! Maybe I'll just install it, get it working and turn the other cheek... :banghead:

I guess one option is to find all include's to this config file inside the source tree and change the path to somewhere outside of docroot...bah...bugger...

I'm wondering if I could use mod_rewrite to prevent 'world' access to the file and that way keep the permissions at 777. Of course this does little for anyone else on the same shared sever who wants to update the file maliciously...but it's better than nothing...
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: File permissions changed by PHP

Post by alex.barylski »

So is there anyway to secure files within the document root? Is using .htaccess to prevent access acceptable? Obviously this will prevent access but I'm more conerned about hackers writing to my files and overriding system settings, etc...

- Must be within doc root
- Cannot use suexec

Typical PHP setup with .htaccess...is it possible to make 'safe' with those constraints?
User avatar
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: File permissions changed by PHP

Post by VladSun »

Code: Select all

<Files yourfilename>
Deny from All
</Files>
 
You can still access it from your PHP scripts.

Hackers need to have access to the system in order to write to 0777 files. "world-writable" means the "world" of the system - i.e. its local users.
There are 10 types of people in this world, those who understand binary and those who don't
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: File permissions changed by PHP

Post by alex.barylski »

VladSun wrote:

Code: Select all

<Files yourfilename>
Deny from All
</Files>
 
You can still access it from your PHP scripts.

Hackers need to have access to the system in order to write to 0777 files. "world-writable" means the "world" of the system - i.e. its local users.
Thats what I thought too...However I did some reading a while back and discovered the DELETE command in the HTTP protocol?!? :|

Apache runs (usually) as user nobody which to my understanding means that it's basically capable (as are it's modules, php, perl, etc) of working on files with XX7 or world permissions. So if your server happens to be running HTTP which implements DELETE and the file/folder marked as world writable - you could in theory send a DELETE request to Apache and it should remove that resource...

Basically, I understand HTTP daemons as giving the average anonymous Internet user 'world' access to your server, or at least everything inside docroot...therefore files with 777 could be removed...

Unless I misunderstand how that DELETE command works?

Cheers :)
User avatar
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: File permissions changed by PHP

Post by VladSun »

You have to be more aware of the HTTP PUT method ;)
http://vanrees.org/research/phd/various ... postdelete
There is a special Apache module for these HTTP methods:
http://perso.ec-lyon.fr/lyonel.vincent/ ... d_put.html

So I don't think it's in the default Apache installation.
There are 10 types of people in this world, those who understand binary and those who don't
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: File permissions changed by PHP

Post by alex.barylski »

VladSun wrote:So I don't think it's in the default Apache installation.
I'm more paranoid than that. ;)

PUT, DELETE, it doesn't matter the fact is, if they exist and your systsm isn't secure...I believe your susceptible to hacks...

But my question still remains...using .htaccess is there a way to protect a directory from having these commands executed successfully?!?

Logically it makes sense that .htaccess is processed before any file is ever requested/processed/devliered so any restrictions set forth on a directory or file(s) should be respected by the server and file permissions should not be of importance to the outside world?
User avatar
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: File permissions changed by PHP

Post by VladSun »

VladSun wrote:So I don't think it's in the default Apache installation.
Should be read as:
VladSun wrote:So I am sure it's not in the default Apache installation or any Apache installation that does not include 3rd party modules.
:D :D

Also there are other methods that are included in the default Apache installation, which are reported to be vulnerable to some exploits and XSS ;)
There are 10 types of people in this world, those who understand binary and those who don't
Post Reply