Ok, here it goes, in no-offence-I-assume-you-are-all-dorks-mode 🙂
777 is bad because it offers Read Write and eXecute rights to anyone on the box. (1=execute, 2=Write, 4=read, 1+2+4=7 for the users in the same group, and 7 for everyone else)
What you'd want is 600, which is read/write for you and you alone. (don't need X on PHP files, and every right you don't need is a right too many)
Unfortunately the webserver itself runs as a user (and that user is not you), so 600 would mean that the webserver can't read your files.
If the webserver user is in the same group as you, you could use 640; RW for you, R for the webserver. If the webserver user is not in your group, you'd need 604; RW for you, nothing extra for users in your group, R for everyone.
But, on a shared host there is usually one webserver for all clients, so the webserver is one user that is shared by all the clients.
That user needs R on all the PHP files.
That means it can read your PHP, but also all the files of all other clients; your PHP script (which is executed by the webserver user) can read all the scripts of all other clients.
The only "safe" solution to this is to either run a separate webserver for every client, or to put all the data that you don't want others to see into environment variables inside your webserver.
Unfortunately many hosts will not let you do either of the two. (because it's more work for them)
Writing has exactly the same problem, the webserver needs W permissions on the files you want to write to, which automatically gives W permissions on those files to the rest of the clients. It's just a matter of time until a hacker finds out which of your files has W permission.
How can you safeguard against this?
You can't. Not without help from your ISP.
The best you can do is set 640 or 660 (or 604/606 depending on the IQ of your ISP) and hope people don't find your files/there are no hackers on the server.
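To make the mode arithmetic above concrete, here is an added audit script (not from the post or its author) that decodes a mode into rwx form and flags the exact problems described: PHP files that "everyone else" can read or write, that the group can write, or that carry an execute bit they never need. The sample tree it builds in a temp directory is constructed for the demo.

```python
# Audit PHP file permission bits for the shared-host risks discussed above:
# world-readable (e.g. 604/644), world-writable (606/666/777), group-writable
# and needless execute bits. Added illustration; sample files are constructed.
import os
import stat
import tempfile

def describe(mode: int) -> str:
    """Render the nine permission bits as rwxrwxrwx, e.g. 0o640 -> 'rw-r-----'."""
    return stat.filemode(stat.S_IFREG | (mode & 0o777))[1:]

def findings(mode: int) -> list:
    """Return which of the post's problems apply to a numeric mode."""
    out = []
    if mode & stat.S_IWOTH:
        out.append("world-writable")          # every client on the box can change it
    elif mode & stat.S_IROTH:
        out.append("world-readable")          # every client on the box can read it
    if mode & stat.S_IWGRP:
        out.append("group-writable")          # fine only if the group is just you + webserver
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        out.append("executable")              # a PHP file never needs X
    return out

def audit_tree(root: str) -> dict:
    """Walk root and map each .php file (relative path) to its findings; [] means OK."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                mode = stat.S_IMODE(os.lstat(path).st_mode)
                report[os.path.relpath(path, root)] = findings(mode)
    return report

def demo() -> dict:
    """Create a constructed tree with the modes from the post (777, 640, 606) and audit it."""
    root = tempfile.mkdtemp()
    samples = {"open.php": 0o777, "config.php": 0o640, "upload.php": 0o606}
    for name, mode in samples.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample file\n")
        os.chmod(path, mode)                  # chmod ignores umask, so modes land exactly
    return audit_tree(root)

if __name__ == "__main__":
    for path, problems in sorted(demo().items()):
        print(f"{path}: {problems or 'ok'}")
```

Point `audit_tree` at a real document root to get the same report for an existing site; a 640 file shows up clean only when the webserver really shares your group, which the script cannot know.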