Unable to open a file for writing / permission for a folder

VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Unable to open a file for writing / permission for a folder

Post by VladSun »

I've posted this answer (by examples) some time ago:

vladsun@designer:~$ mkdir dir
vladsun@designer:~$ touch dir/file
vladsun@designer:~$ ls -lR
.:
total 8
-rwx------ 1 root    root     678 2008-09-13 21:40 db_check
drwxr-xr-x 2 vladsun vladsun 4096 2008-11-06 16:10 dir
 
./dir:
total 0
-rw-r--r-- 1 vladsun vladsun 0 2008-11-06 16:10 file
vladsun@designer:~$ chmod 000 dir
vladsun@designer:~$ cd dir/
bash: cd: dir/: Permission denied
vladsun@designer:~$ chmod 100 dir
vladsun@designer:~$ cd dir/
vladsun@designer:~/dir$ cd ..
vladsun@designer:~$ ls dir/
ls: dir/: Permission denied
vladsun@designer:~$ chmod 500 dir
vladsun@designer:~$ ls dir/
file
vladsun@designer:~$ touch dir/file2
touch: cannot touch `dir/file2': Permission denied
vladsun@designer:~$ chmod 700 dir
vladsun@designer:~$ touch dir/file2
vladsun@designer:~$ ls dir/
file  file2
vladsun@designer:~$
You can see how read/write/execute flags take action on directories.
There are 10 types of people in this world, those who understand binary and those who don't
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Post by kaisellgren »

VladSun wrote: I've posted this answer (by examples) some time ago:

vladsun@designer:~$ mkdir dir
vladsun@designer:~$ touch dir/file
vladsun@designer:~$ ls -lR
.:
total 8
-rwx------ 1 root    root     678 2008-09-13 21:40 db_check
drwxr-xr-x 2 vladsun vladsun 4096 2008-11-06 16:10 dir
 
./dir:
total 0
-rw-r--r-- 1 vladsun vladsun 0 2008-11-06 16:10 file
vladsun@designer:~$ chmod 000 dir
vladsun@designer:~$ cd dir/
bash: cd: dir/: Permission denied
vladsun@designer:~$ chmod 100 dir
vladsun@designer:~$ cd dir/
vladsun@designer:~/dir$ cd ..
vladsun@designer:~$ ls dir/
ls: dir/: Permission denied
vladsun@designer:~$ chmod 500 dir
vladsun@designer:~$ ls dir/
file
vladsun@designer:~$ touch dir/file2
touch: cannot touch `dir/file2': Permission denied
vladsun@designer:~$ chmod 700 dir
vladsun@designer:~$ touch dir/file2
vladsun@designer:~$ ls dir/
file  file2
vladsun@designer:~$
You can see how read/write/execute flags take action on directories.
That's a nice summary! :)

Like it shows, you need execute permissions to "execute" (open) the folder. To list files you need to be able to read it.

Offtopic: what distros do you use, VladSun?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

Mainly Slackware and sometimes Debian :)
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

Ok so yesterday I came across a good example of what I meant when I said that sometimes it's not as simple as looking at the numbers. Or so it seems. I have this webhost with a basic WordPress install. WordPress has a folder wp-content in which it uploads images and files (from within the system). Now even when I set that folder to 777 WordPress has not enough rights to write to that folder. How would you explain that?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Post by kaisellgren »

matthijs wrote: Ok so yesterday I came across a good example of what I meant when I said that sometimes it's not as simple as looking at the numbers. Or so it seems. I have this webhost with a basic WordPress install. WordPress has a folder wp-content in which it uploads images and files (from within the system). Now even when I set that folder to 777 WordPress has not enough rights to write to that folder. How would you explain that?
If the permission level is 0777, then it is writable by anyone.

A) Script is broken
B) Server is seriously messed up (Apache/HTTPD,PHP,...)
C) The file permission is not set to 0777.

The case C is the most usual. When I made a website for Karate world champion Luca Valdesi, I noticed that whenever I chmoded a directory to 0777, it didn't chmod. I did not have sufficient privileges to chmod. I thought they were 0777, but they weren't. This happened on a Windows hosting server.
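
An added example, not written by any poster in this thread: a POSIX shell sketch that decodes what each owner/group/other digit allows on a directory (matching the 100 / 500 / 700 session earlier in the thread) and re-reads the stored mode after chmod, which catches a chmod that did not apply (case C above). It assumes GNU `stat`; all function names are hypothetical.

```sh
#!/bin/sh
# Added example; function names are hypothetical. Assumes GNU stat (Linux).
# dir_caps DIGIT: what one octal digit (0-7) allows on a *directory*
dir_caps() (
  out=""
  [ $(( $1 & 1 )) -ne 0 ] && out="enter"               # x: cd in, reach entries by name
  [ $(( $1 & 4 )) -ne 0 ] && out="$out list"           # r: read the entry names (ls)
  [ $(( $1 & 3 )) -eq 3 ] && out="$out create/delete"  # w has no effect without x
  out=${out# }
  echo "${out:-nothing}"
)

# dir_bits DIR: the rwx bits as actually stored, as a decimal number (511 = 0777)
dir_bits() (
  m=$(stat -c '%a' -- "$1") || exit 1
  echo $(( 0$m & 0777 ))
)

# chmod_verified MODE DIR: chmod, re-read, succeed only if the rwx bits stuck
chmod_verified() (
  chmod "$1" -- "$2" 2>/dev/null || true
  got=$(dir_bits "$2") || exit 1
  [ "$got" -eq $(( 0$1 & 0777 )) ]
)

# dir_report DIR: one line per class, plus a warning when "others" can write
dir_report() (
  m=$(dir_bits "$1") || exit 1
  o=$(( m >> 6 & 7 )); g=$(( m >> 3 & 7 )); w=$(( m & 7 ))
  echo "owner: $(dir_caps "$o")"
  echo "group: $(dir_caps "$g")"
  echo "other: $(dir_caps "$w")"
  if [ $(( w & 2 )) -ne 0 ]; then
    echo "WARNING: writable by every local account"
  fi
)

# Constructed demo: replay the 100 / 500 / 700 steps on a scratch directory
demo() (
  d=$(mktemp -d) || exit 1
  for mode in 100 500 700 777; do
    chmod_verified "$mode" "$d" || echo "chmod $mode did not apply"
    echo "== $mode"; dir_report "$d"
  done
  chmod 700 "$d" && rmdir "$d"
)
demo
```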
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

Well it's a shared host, one I don't usually work with. But it's just another LAMP set up with a plesk control panel. With FTP I can change the permissions of the folder and it says it's 777.

But you are right that it can matter how the web host has set up the server. I have had scripts which at one time needed 777 to run, and after changes from the webhost could be changed to 775 or lower.

By the way, I always find it confusing when people talk about "is writable by anyone". Who is anyone?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

matthijs wrote:By the way, I always find it confusing when people talk about "is writable by anyone". Who is anyone?
In general - all existing users (i.e. having an entry in /etc/passwd file).


Maybe you have a security violence issue - http://www.php.net/manual/en/ini.sect.safe-mode.php
Last edited by VladSun on Wed Jan 21, 2009 1:50 pm, edited 1 time in total.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Post by kaisellgren »

matthijs wrote:Well it's a shared host, one I don't usually work with. But it's just another LAMP set up with a plesk control panel. With FTP I can change the permissions of the folder and it says it's 777.

But you are right that it can matter how the web host has set up the server. I have had scripts which at one time needed 777 to run, and after changes from the webhost could be changed to 775 or lower.

By the way, I always find it confusing when people talk about "is writable by anyone". Who is anyone?
It means anyone.

I assume you are using Windows now. Think if you create a new account and name it matthijs. Now if the administrator of your PC created a new file, he owns the file, and he belongs to owners, while the matthijs user belongs to the "others" or "anyone" unless the administrator specifically places matthijs as the owner or puts him into the same usergroup.

You seldom need permissions for others. The wp-content should be fine with 0770 or even 0700, but you need to try it first.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

Thanks for the answers. It's still not clear to me why it doesn't work as intended. Really, I understand how the permission system works with owner/group/others and then r/w/e, etc. But it just isn't working like that on different hosts. I can install a clean WordPress install on 5 different (shared) Linux webhosts and you'll see that each one needs a different chmod to function.

And I understand that 777 means "anyone", but as long as there is no other user on that (virtual) webhost/environment it shouldn't matter, should it?

Do you have any good resources I can check out? And then I mean something in between the too superficial "what is chmod" blog posts and the too hard to understand uber geek Unix stuff :)
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

VladSun wrote: Maybe you have a security violence issue - http://www.php.net/manual/en/ini.sect.safe-mode.php
Just today I had a permissions issue with another site, which is a good example of what I come across.

This site also runs WordPress and the wp-content folder needs 755 to be able to run the site at all. I'm not talking about being able to write (upload) to that folder. Even 777 is not enough for the WordPress script to do that.

I checked the phpinfo() and this webhost is having safe mode = on

From the manual page Vladsun linked to, I can read:
When safe_mode is on, PHP checks to see if the owner of the current script matches the owner of the file to be operated on by a file function or its directory.
So it seems this is the issue. Apparently the script running (index maybe) wants to include/run other files in the wp-content folder (the templates and images are there) and therefore the folder wp-content has to have 755 otherwise it doesn't run.

So this is ironic then, that very liberal permissions are needed because the webhost put safemode to on.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Post by kaisellgren »

matthijs wrote:
VladSun wrote: Maybe you have a security violence issue - http://www.php.net/manual/en/ini.sect.safe-mode.php
Just today I had a permissions issue with another site, which is a good example of what I come across.

This site also runs WordPress and the wp-content folder needs 755 to be able to run the site at all. I'm not talking about being able to write (upload) to that folder. Even 777 is not enough for the WordPress script to do that.

I checked the phpinfo() and this webhost is having safe mode = on

From the manual page Vladsun linked to, I can read:
When safe_mode is on, PHP checks to see if the owner of the current script matches the owner of the file to be operated on by a file function or its directory.
So it seems this is the issue. Apparently the script running (index maybe) wants to include/run other files in the wp-content folder (the templates and images are there) and therefore the folder wp-content has to have 755 otherwise it doesn't run.

So this is ironic then, that very liberal permissions are needed because the webhost put safemode to on.
0770 is enough, and in most cases 0660 is enough, for a folder that is used for storing files and reading (read + write). If even 0777 does not work like in your case, it is not because the permission level is not working - permission levels are always the same - always. There is something else that prevents you from achieving what you want - e.g. safe mode, which should be disabled btw. If you are writing a script, check that the server configurations are okay. There are so many configurations that may break your application. For instance, many applications become vulnerable when I change the order of globals to something different like CPGS. I noticed this with MANY open source applications and it is a terrible security design to assume the order of globals. Safe modes, disabled functions and classes, base_dir, etc.: everything matters.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

Exactly. I'm not saying permission levels are not working. I'm saying there are other factors influencing how/if they have effect.

And in this case, as is the case with most shared webhosts, I cannot change anything about the server configuration.

Someone should write a very long and detailed article about stuff like this. About which server setting to set how and when, what to watch out for etc ;)