Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Ok, so yesterday I came across a good example of what I meant when I said that sometimes it's not as simple as looking at the numbers. Or so it seems. I have this webhost with a basic WordPress install. WordPress has a folder wp-content in which it uploads images and files (from within the system). Now even when I set that folder to 777, WordPress does not have enough rights to write to that folder. How would you explain that?
matthijs wrote: Ok, so yesterday I came across a good example of what I meant when I said that sometimes it's not as simple as looking at the numbers. Or so it seems. I have this webhost with a basic WordPress install. WordPress has a folder wp-content in which it uploads images and files (from within the system). Now even when I set that folder to 777, WordPress does not have enough rights to write to that folder. How would you explain that?
If the permission level is 0777, then it is writable by anyone.
A) Script is broken
B) Server is seriously messed up (Apache/HTTPD,PHP,...)
C) The file permission is not set to 0777.
Case C is the most usual. When I made a website for Karate world champion Luca Valdesi, I noticed that whenever I chmoded a directory to 0777, it didn't chmod. I did not have sufficient privileges to chmod. I thought they were 0777, but they weren't. This happened on a Windows hosting server.
Well, it's a shared host, one I don't usually work with. But it's just another LAMP setup with a Plesk control panel. With FTP I can change the permissions of the folder and it says it's 777.
But you are right that it can matter how the web host has set up the server. I have had scripts which at one time needed 777 to run, and after changes from the webhost could be changed to 775 or lower.
By the way, I always find it confusing when people talk about "is writable by anyone". Who is anyone?
matthijs wrote: Well, it's a shared host, one I don't usually work with. But it's just another LAMP setup with a Plesk control panel. With FTP I can change the permissions of the folder and it says it's 777.
But you are right that it can matter how the web host has set up the server. I have had scripts which at one time needed 777 to run, and after changes from the webhost could be changed to 775 or lower.
By the way, I always find it confusing when people talk about "is writable by anyone". Who is anyone?
It means anyone.
I assume you are using Windows now. Think of it this way: if you create a new account and name it matthijs, and the administrator of your PC creates a new file, he owns the file and belongs to the owners, while the matthijs user belongs to the "others" or "anyone", unless the administrator specifically makes matthijs the owner or puts him into the same user group.
You seldom need permissions for others. The wp-content should be fine with 0770 or even 0700, but you need to try it first.
Thanks for the answers. It's still not clear to me why it doesn't work as intended. Really, I understand how the permission system works with owner/group/others and then r/w/e, etc. But it just isn't working like that on different hosts. I can install a clean WordPress install on 5 different (shared) Linux webhosts and you'll see that each one needs a different chmod to function.
And I understand that 777 means "anyone", but as long as there is no other user on that (virtual) webhost/environment it shouldn't matter, should it?
Do you have any good resources I can check out? And then I mean something in between the too superficial "what is chmod" blog posts and the too hard to understand uber geek Unix stuff.
Just today I had a permissions issue with another site, which is a good example of what I come across.
This site also runs WordPress and the wp-content folder needs 755 to be able to run the site at all. I'm not talking about being able to write (upload) to that folder. Even 777 is not enough for the WordPress script to do that.
I checked the phpinfo() and this webhost has safe mode = on.
From the manual page Vladsun linked to, I can read:
When safe_mode is on, PHP checks to see if the owner of the current script matches the owner of the file to be operated on by a file function or its directory.
So it seems this is the issue. Apparently the script running (index maybe) wants to include/run other files in the wp-content folder (the templates and images are there) and therefore the folder wp-content has to have 755 otherwise it doesn't run.
So this is ironic then, that very liberal permissions are needed because the webhost set safe mode to on.
0770 is enough, and in most cases 0660 is enough, for a folder that is used for storing files and reading (read + write). If even 0777 does not work, like in your case, it is not because the permission level is not working - permission levels are always the same - always. There is something else that prevents you from achieving what you want - e.g. safe mode, which should be disabled btw. If you are writing a script, check that the server configurations are okay. There are so many configurations that may break your application. For instance, many applications become vulnerable when I change the order of globals to something different like CPGS. I noticed this with MANY open source applications, and it is a terrible security design to assume the order of globals. Safe modes, disabled functions and classes, base_dir, etc. - everything matters.
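
The owner/group/other selection and the safe_mode owner check discussed in this thread can be inspected from inside PHP itself. The following diagnostic is an added example, not code posted by any participant; the location of `wp-content` relative to the script and all function names other than PHP built-ins are assumptions.

```php
<?php
// Added example (not from the thread). PHP 5.2-compatible syntax on purpose:
// safe_mode only exists up to PHP 5.3, so the script must parse there too.

// Unix applies exactly one permission class: owner, else group, else other.
function permission_class($euid, $gids, $fileUid, $fileGid)
{
    if ($euid === $fileUid) {
        return 'owner';
    }
    return in_array($fileGid, $gids, true) ? 'group' : 'other';
}

// Creating a file in a directory needs write (2) plus search (1) in that class.
function mode_allows_create($mode, $class)
{
    $shift = array('owner' => 6, 'group' => 3, 'other' => 0);
    return ((($mode >> $shift[$class]) & 03) === 03);
}

// The safe_mode rule quoted above: script owner must match the target's owner.
function safe_mode_allows($safeMode, $scriptUid, $targetUid)
{
    return !$safeMode || $scriptUid === $targetUid;
}

function diagnose($dir)
{
    $st = @stat($dir);
    if ($st === false || !function_exists('posix_geteuid')) {
        return array('error' => 'cannot stat directory or posix functions disabled');
    }
    $euid  = posix_geteuid();
    $gids  = array_merge(array(posix_getegid()), posix_getgroups());
    $class = permission_class($euid, $gids, $st['uid'], $st['gid']);
    return array(
        'mode'             => sprintf('%04o', $st['mode'] & 07777),
        'process_uid'      => $euid,          // user PHP actually runs as
        'script_owner_uid' => getmyuid(),     // owner of this .php file
        'dir_owner_uid'    => $st['uid'],
        'class_applied'    => $class,
        'mode_allows'      => mode_allows_create($st['mode'], $class),
        'safe_mode_allows' => safe_mode_allows((bool) ini_get('safe_mode'), getmyuid(), $st['uid']),
        'is_writable'      => is_writable($dir), // PHP's own verdict
    );
}

// Assumption: this file sits next to wp-content in the WordPress root.
print_r(diagnose(dirname(__FILE__) . '/wp-content'));
```

If `mode_allows` is true but uploads still fail, the mode bits are not the cause; compare `process_uid`, `script_owner_uid` and `dir_owner_uid` to see whether the web server user and the FTP user differ. The model ignores the root bypass, so it only applies to an unprivileged web server user.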