File permissions changed by PHP
Posted: Mon Jan 21, 2008 11:25 am
by alex.barylski
I need to edit a file stored in document root. Shared host, no access to outside root and PHP is being run as Apache module.
In order to modify the file it needs to have 777 as its permissions.
I'm thinking by default I could make the file 775 and inside my PHP script I could briefly CHMOD the file to 777, write my changes and CHMOD back to 775 - with file locking of course.
Can anyone see any problems with this solution? I know there are better ways of solving the issue (storing in a database or outside of docroot) but my circumstances don't allow it. The file *must* reside in docroot alongside the index.php script and PHP cannot be switched to run as suexec - it's an Apache module...
Comments?
Re: File permissions changed by PHP
Posted: Mon Jan 21, 2008 11:33 am
by VladSun
Who's the owner of this file?
Re: File permissions changed by PHP
Posted: Mon Jan 21, 2008 12:28 pm
by alex.barylski
Ugh...good point...
I'd have to set the owner to 'www-data' or whatever Apache is, if PHP were to change its permissions...
Doh! Maybe I'll just install it, get it working and turn the other cheek...
I guess one option is to find all includes of this config file inside the source tree and change the path to somewhere outside of docroot...bah...bugger...
I'm wondering if I could use mod_rewrite to prevent 'world' access to the file and that way keep the permissions at 777. Of course this does little for anyone else on the same shared server who wants to update the file maliciously...but it's better than nothing...
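The ownership question above decides whether the proposed chmod toggle can work at all; the following added example (not part of the original thread) checks ownership first and then writes under an exclusive lock without widening the mode. It assumes a POSIX host with PHP 7.4+ and the posix extension; the function name `update_config` and the temp file are hypothetical.

```php
<?php
// Added example, not code from the thread; names are hypothetical.
function update_config(string $path, callable $edit): string
{
    clearstatcache(true, $path);
    $owner = fileowner($path);
    if ($owner === false) {
        throw new RuntimeException("cannot stat $path");
    }
    $me = posix_geteuid();   // UID that Apache/mod_php runs as (assumes ext-posix)
    if ($owner === $me) {
        // Only the owner (or root) may chmod(). For the owner, the owner-write
        // bit is enough, so drop group/world write instead of adding it.
        if (!chmod($path, 0644)) {
            throw new RuntimeException("chmod failed on $path");
        }
    } elseif (!is_writable($path)) {
        // Not the owner: chmod() would fail, so toggling 775 -> 777 -> 775
        // from this process cannot work.
        throw new RuntimeException("uid $me neither owns nor can write $path");
    }
    $fh = fopen($path, 'c+');   // read/write, no truncation on open
    if ($fh === false) {
        throw new RuntimeException("cannot open $path");
    }
    try {
        if (!flock($fh, LOCK_EX)) {
            throw new RuntimeException("cannot lock $path");
        }
        $new = $edit(stream_get_contents($fh));
        ftruncate($fh, 0);
        rewind($fh);
        fwrite($fh, $new);
        fflush($fh);
        flock($fh, LOCK_UN);
    } finally {
        fclose($fh);
    }
    clearstatcache(true, $path);
    return sprintf('%04o', fileperms($path) & 0777);
}

// Constructed demo: a temp file stands in for the config file in docroot.
$demo = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($demo, "debug=0\n");
chmod($demo, 0777);
echo update_config($demo, fn($s) => str_replace('debug=0', 'debug=1', $s)), "\n";
echo file_get_contents($demo);
unlink($demo);
```

When the web server user does not own the file, the function writes only if the existing mode already allows it and never attempts the chmod.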
Re: File permissions changed by PHP
Posted: Tue Jan 22, 2008 12:33 am
by alex.barylski
So is there any way to secure files within the document root? Is using .htaccess to prevent access acceptable? Obviously this will prevent access but I'm more concerned about hackers writing to my files and overriding system settings, etc...
- Must be within doc root
- Cannot use suexec
Typical PHP setup with .htaccess...is it possible to make 'safe' with those constraints?
Re: File permissions changed by PHP
Posted: Tue Jan 22, 2008 2:01 am
by VladSun
Code:
<Files yourfilename>
Deny from All
</Files>
You can still access it from your PHP scripts.
Hackers need to have access to the system in order to write to 0777 files. "world-writable" means the "world" of the system - i.e. its local users.
Re: File permissions changed by PHP
Posted: Tue Jan 22, 2008 12:39 pm
by alex.barylski
VladSun wrote:
Code:
<Files yourfilename>
Deny from All
</Files>
You can still access it from your PHP scripts.
Hackers need to have access to the system in order to write to 0777 files. "world-writable" means the "world" of the system - i.e. its local users.
That's what I thought too...However I did some reading a while back and discovered the DELETE command in the HTTP protocol?!?
Apache runs (usually) as user nobody which to my understanding means that it's basically capable (as are its modules, php, perl, etc) of working on files with XX7 or world permissions. So if your server happens to be running HTTP which implements DELETE and the file/folder marked as world writable - you could in theory send a DELETE request to Apache and it should remove that resource...
Basically, I understand HTTP daemons as giving the average anonymous Internet user 'world' access to your server, or at least everything inside docroot...therefore files with 777 could be removed...
Unless I misunderstand how that DELETE command works?
Cheers

Re: File permissions changed by PHP
Posted: Tue Jan 22, 2008 12:48 pm
by VladSun
You have to be more aware of the HTTP PUT method
http://vanrees.org/research/phd/various ... postdelete
There is a special Apache module for these HTTP methods:
http://perso.ec-lyon.fr/lyonel.vincent/ ... d_put.html
So I don't think it's in the default Apache installation.
Re: File permissions changed by PHP
Posted: Wed Jan 23, 2008 12:37 pm
by alex.barylski
VladSun wrote:So I don't think it's in the default Apache installation.
I'm more paranoid than that.
PUT, DELETE, it doesn't matter, the fact is, if they exist and your system isn't secure...I believe you're susceptible to hacks...
But my question still remains...using .htaccess is there a way to protect a directory from having these commands executed successfully?!?
Logically it makes sense that .htaccess is processed before any file is ever requested/processed/delivered so any restrictions set forth on a directory or file(s) should be respected by the server and file permissions should not be of importance to the outside world?
Re: File permissions changed by PHP
Posted: Wed Jan 23, 2008 12:50 pm
by VladSun
VladSun wrote:So I don't think it's in the default Apache installation.
Should be read as:
VladSun wrote:So I am sure it's not in the default Apache installation or any Apache installation that does not include 3rd party modules.
Also there are other methods that are included in the default Apache installation, which are reported to be vulnerable to some exploits and XSS
