need some help w/apache perms

krostitzer

Hi,

I have a CMS that I wrote, that I'm using on some clients' sites. I need some help understanding Apache permissions.

The CMS writes files to the file system, when it creates new pages, and it also provides a file upload tool. The only way that this works is to make the directories 777. But, I know this is a bad practice as my sites were recently hacked into by Russian hackers, and files were placed on the server in 777 directories. (nothing against anyone reading this from Russia :quiet: )

I have a shared hosting setup.

I have uploaded my CMS to other hosts (mediatemple) and the CMS works with perms at 755 which is much safer. The tech support was not so helpful at my other ISP and I'm trying to understand how 755 differs from 777 in this scenario, when a script on the server is trying to create a file.

Also, I have NO CLUE how someone from outside could possibly hack into a site with 777 perms, save through FTP, and I don't think that's how it was done. Does anyone have some insight to Apache security, can offer an explanation of how they could have gotten into the server w/o FTP.

So I guess that's 2 questions: How to code w/755 and why it would work on one server and not another, and how someone could write a file in a 777 directory w/o using FTP access.

Thanks for any help!

Krostitzer

--- EDIT ---

D'OH, it should, according to my ISP, be 775 and not 755 for the directory. Now the script can write to it!

Still would appreciate input about the other question!!!

bradgrafelman

I'm no expert, but I'll do my best:

When looking at the 3 digit permission code, you're basically looking at three different sets of permissions abc where a=owner of the file, b=any username in the same unix "group" as the owner of the file, and c=all other users.

Now you have to figure out what you want these three separate entities to be allowed to do. Here's your options (I'll explain the numbers in a bit): Read (+4), Write (+2), Execute (+1). Pick and choose out of the options, and add the corresponding numbers up. We of course want the owner to do everything, so we'll give him all three options, a.k.a. '7' (4+2+1). Let's say that any user in the same group is going to also want to write and execute data to the owner's files, so we'll give them the same options (7 again). For everyone else on the system, though, we definitely don't want them writing data to our files, so we'll give them read and execute (5). Now, put 'em together in order, resulting in 775.

A handy javascript calculator I've seen can be found here Now, as to why 775 might not work over 777 depends upon the sysadmin and how users were setup and who the httpd process is running as (usually the 'nobody' user, commonly user id #99 I think).

As to an attacker compromising files with the 777 permission (basically the free-for-all permission setting), here's my scenario for you: you say you're on a shared webhost (nothing unsurprising there - a lot of people are). Let's say I want to compromise your files because somehow (PHP error message, me executing 'ls' commands to list directories and figure out where on the filesystem your website is located, whatever) I happen to know the path to your files, so I purchase some space on the server. With safe_mode disabled (e.g. I'm not restricted to my webroot), I can use PHP to delete/overwrite/create files in your directories that have the 777 permission.

Far-fetched? Who knows. I'm not a well-experienced Russian hacker no matter how much I like my Vodka - I'm just illustrating how a 777 chmod can allow anyone on the system to do what they wish with your files.

krostitzer

Thanks for the instruction. I have since changed the permissions ... and have found tons of index.html's that were placed in various ares of the sites, sometimes deep down. also found a php script that functions as a sort of phpmyadmin....

What I've been looking for now, and thinking of writing myself, because I haven't found it yet, is a script that I can run on a cron that will spider through the entire site and write a file (maybe XML would be good here) with info on every file in every directory (last changed, filename, byte count, etc).

have the script run at intervals, like every hour. then whenever there is a discrepancy between a filesystem log file that has been designated as the "working copy", it emails me a notification message of the differences.

in this way i could monitor all activity/changes on a server. My ISP doesn't offer really good site monitoring software. Do you think this would work? Or even better, do you know of an open source PHP script that does this?