#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2013
    Posts
    40
    Rep Power
    0

    File Permissions!!!



    I have set up a website and I need to upload files to a directory (and also want to create a directory) from the frontend.
    What permissions should I give to this directory?

    File upload and creating a directory works if I set the root directory to (chmod 777). Is it safe to give all permissions to the root directory?
  2. #2
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1017
    No, this is not secure.

    777 means unlimited access for every single user. Once an attacker has managed to bypass the application security (an upload script is perfect for that), they get full access to your document root. They can create their own scripts and execute them, they can manipulate existing scripts, they get all your database credentials, all application data and so on. Depending on the overall security of your system, this attack might be used to gain control over the whole server.

    So never ever do this.

    You always use the minimal privileges required for a task. If your webserver needs to upload files to a directory, you only grant write access to this particular user and this particular directory. That's 700 with the webserver being the owner of the directory.

    Since loosening the access restrictions always creates a security risk, you have to take additional steps to compensate for that:

    • Watch the file extensions. Use a whitelist to make sure people don't upload dangerous files.
    • Watch the file names. Replace the user-chosen name with your own randomly generated file name.
    • Make sure your webserver will never execute files in that directory, and make sure this configuration cannot be overwritten.
    • If possible, store the uploaded files outside of your document root and use an access script to serve them.

    Be aware that upload scripts are very critical, so make sure you get it right. If you're not sure, better ask.

    Comments on this post

    • sir_drinxalot agrees : Cannot agree more. 777 perms are the devil. Never use them. Ever.
    Last edited by Jacques1; December 31st, 2013 at 03:52 AM.
    The 6 worst sins of security
    How to (properly) access a MySQL database with PHP

    Why can’t I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
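
The checklist in post #2, put together as an added example (not code from the thread): a PHP handler that whitelists extensions, generates its own file name and writes to an owner-only directory outside the document root. The path `/var/www/uploads`, the extension list and the form field `image` are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumed names: UPLOAD_DIR,
// ALLOWED_EXTENSIONS and the form field "image".
const UPLOAD_DIR = '/var/www/uploads';            // outside the document root
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];

function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload did not complete');
    }

    // Whitelist: anything not explicitly allowed is rejected.
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        throw new RuntimeException('File type not allowed');
    }

    // Owner-only directory, created by the web server user itself.
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0700, true)) {
        throw new RuntimeException('Cannot create upload directory');
    }
    clearstatcache(true, UPLOAD_DIR);
    if ((fileperms(UPLOAD_DIR) & 0077) !== 0) {
        throw new RuntimeException('Upload directory is open to group or others');
    }

    // The client-chosen name is discarded; only the checked extension survives.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file((string) $file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('Could not store the upload');
    }
    chmod(UPLOAD_DIR . '/' . $name, 0600);        // data only: no execute bit
    return $name;
}

if (isset($_FILES['image'])) {
    try {
        $stored = store_upload($_FILES['image']);
        echo "Stored as $stored";
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo $e->getMessage();
    }
}
```

Because the files live outside the document root they have no URL of their own; serving them back needs a separate access script, as the post suggests.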
  4. #3
  5. No Profile Picture
    Contributing User
    Devshed Specialist (4000 - 4499 posts)

    Join Date
    Jul 2003
    Posts
    4,367
    Rep Power
    630
    The permissions on the upload directory should be 750 (or maybe 770) since there is no reason for world access to that directory, since only the httpd process will write to it. The key is to set the owner to the user running httpd (usually apache) and the group (also apache by default) or perhaps to some special group to which you want to grant R/O (750) or R/W (770) access. It may be necessary to also set the sticky bit so the owner and group permissions stay consistent, regardless of who adds files to that directory.
    There are 10 kinds of people in the world. Those that understand binary and those that don't.
  6. #4
  7. Known to taste like chicken
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2003
    Location
    In front of my computer
    Posts
    399
    Rep Power
    315
    770 permissions still pose a theoretical security risk.

    Like Jacques1 said, you want the minimum you can get away with. The best bet for any multiple site setup would be to run php in a per-user setup via php-fpm or something like that, make all the site files and dirs owned by the php user for that specific site, 700 for dirs, 600 for files and 400 for any config files etc.

    That way you know that only your site can write to your site directory, and nothing can change the config files without you knowing about it.

    If you've got everything set to 770 then anything else in that group (including other websites on the server) can write to your site files.

    Comments on this post

    • gw1500se disagrees : We have to assume that the sys admin is not an idiot. The only risk, theoretical or real, is if the group membership is mis-managed by the sys admin.
    "Take thy beak from out my heart, and take thy form from off my door" - Homer J Simpson / Edgar Allan Poe

    Looking for a project Idea?
  8. #5
  9. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1017
    Originally Posted by gw1500se
    We have to assume that the sys admin is not an idiot. The only risk, theoretical or real, is if the
    group membership is mis-managed by the sys admin.
    No. The point is that you never grant privileges unless you have to. Setting the permissions to 770 “just for fun” makes absolutely no sense. Why would you do that?

    Instead of relying on some sysadmin to take care of the risk (which may or may not work out), you don't create it in the first place.
  10. #6
  11. Known to taste like chicken
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2003
    Location
    In front of my computer
    Posts
    399
    Rep Power
    315
    Originally Posted by gw1500se
    We have to assume that the sys admin is not an idiot. The only risk, theoretical or real, is if the
    group membership is mis-managed by the sys admin.
    No. Just, no.

    Assuming that the sys admin is not an idiot, and manages the group membership correctly, there are still so many ways that the 770 permissions can be a potential security risk.

    NEVER give anything more permissions than it needs, then there are fewer attack vectors, thus fewer problems.

    Comments on this post

    • gw1500se disagrees : You obviously did not read what I originally posted. I guess you didn't see the word 'perhaps'. That means it may NEED such permissions.
  12. #7
  13. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2013
    Posts
    40
    Rep Power
    0

    error


    I have an image directory to which I want to upload images. As you said, I gave 770 permission to the image directory (I am running Apache locally). I am a normal user in Ubuntu and I have the root password. When I try to upload an image from this account, the image does not upload; it gives the following error:

    PHP Warning: move_uploaded_file(../images/1388666805399033353.jpg): failed to open stream: Permission denied

    PHP Warning: move_uploaded_file(): Unable to move '/tmp/phpKb7JlO' to '../images/1388666805399033353.jpg'


    And if I give 777 permission, uploading works.
  14. #8
  15. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1017
    Your webserver obviously isn't the owner of the directory. You need to make www-data (or whatever it's called) the owner of the images directory.

    Also, please, please remove the 770. Unless you really know what you're doing, you want 700. We've discussed this above.

    Comments on this post

    • sunny1234567890 agrees : Tnx
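
The diagnosis in post #8, as an added example (not code from the thread): a PHP check that compares the user PHP actually runs as with the directory's owner and mode, which is what separates the failing 770 case from the working 777 one. It assumes the `posix` extension is loaded; the function name `diagnose_upload_dir` and the temporary demo directory are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Requires the posix extension.
function diagnose_upload_dir(string $dir): array
{
    clearstatcache(true, $dir);
    $stat = @stat($dir);
    if ($stat === false || !is_dir($dir)) {
        return ["$dir is missing or not a directory"];
    }

    $mode  = $stat['mode'] & 07777;               // permission bits only
    $euid  = posix_geteuid();                     // user this PHP process runs as
    $owner = posix_getpwuid($stat['uid'])['name'] ?? (string) $stat['uid'];
    $me    = posix_getpwuid($euid)['name'] ?? (string) $euid;

    $findings = [];
    if ($stat['uid'] !== $euid) {
        // 770 fails here: PHP is neither the owner nor (usually) in the group.
        $findings[] = "owner is $owner but PHP runs as $me: chown the directory to $me";
    }
    if (($mode & 0700) !== 0700) {
        $findings[] = sprintf('owner lacks rwx (mode %04o)', $mode);
    }
    if (($mode & 0077) !== 0) {
        $findings[] = sprintf('mode %04o grants group/other access: use 0700', $mode);
    }
    return $findings;                             // empty array means owner-only and writable
}

// Constructed demo: a scratch directory cycled through the modes from the thread.
$demo = sys_get_temp_dir() . '/upload-demo-' . bin2hex(random_bytes(4));
mkdir($demo, 0700);
foreach ([0777, 0770, 0700] as $mode) {
    chmod($demo, $mode);
    printf("%04o: %s\n", $mode, implode('; ', diagnose_upload_dir($demo)) ?: 'ok');
}
rmdir($demo);
```

Call `diagnose_upload_dir()` on the real images directory from a page served by Apache rather than from the command line, since the CLI runs as your login user and not as the web server user.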
  16. #9
  17. Known to taste like chicken
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2003
    Location
    In front of my computer
    Posts
    399
    Rep Power
    315
    Originally Posted by gw1500se
    You obviously did not read what I originally posted. I guess you didn't see the word 'perhaps'. That
    means it may NEED such permissions.
    No I read it, I just don't fully agree with it. The only times I've ever needed to use 770 or 750 permissions is when I've been working on servers which I did not originally configure and which are poorly configured. If everything is configured properly you should be able to use 700 for dirs.

    Originally Posted by gw1500se
    there is no reason for world access to that directory
    I fully agree with that though.

    Originally Posted by gw1500se
    It may be necessary to also set the sticky bit so the owner and group permissions stay consistent, regardless of who adds files to that directory.
    I don't think that's quite how the sticky bit works. What the sticky bit will do when set on a dir is only allow the file owner, dir owner and root to rename or delete the files within. Properly configured apache / php-fpm / suphp / whatever should take care of the ownership issues anyway. Generally you only see the sticky bit used on things like /tmp where it is legitimate that multiple user accounts would have files in the same directory.