My pleasure, Arno! On 5/22/07, Arno Kuhl <akuhl@xxxxxxxxxxxx> wrote:
-----Original Message-----
From: Daniel Brown [mailto:parasane@xxxxxxxxx]
Sent: 18 May 2007 10:27
To: Al
Cc: php-general@xxxxxxxxxxxxx
Subject: Re: Security Question, re directory permissions [long answer]

On 5/18/07, Al <news@xxxxxxxxxxxxx> wrote:
>
> I'm on a shared Linux host and have been wondering about security and
> directory "other" ["world"] permissions.
>
> The defaults are 755. The 'others' [world] can read them only.
>
> Is there a security hole if a directory on the doc root has
> permissions 757?
>
> If there is a security problem, what is it?
>
> Thanks...
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

DISCLAIMER: Bear with me.... this is a bit of a long answer.... enjoy!

I can't think of any good reason why you'd have 757 for your permissions,
first of all. Secondly, yes, there are security holes in having
world-writable directories on a shared system.

Some scripts require that you have these permissions set, and this is
primarily for uploading files. However, better care should be taken by the
authors to work around the 777-required permissions. For example, if
uploading an image on the web to a web-accessible directory, it could
instead be done as follows:

Set permissions on [directory] to 777.

Run script createdir.php via the web:

    <?php
    $dir_name = 'uploads'; // placeholder: set to the directory to create
    mkdir($dir_name);
    chmod($dir_name, 0700);
    ?>

Set permissions on [directory] back to the original permissions (probably
750 or 755).

The above example does the following:

1.) Sets the directory to allow everyone to read, write, and execute.
2.) Apache creates a directory and sets permissions so that only it can
    read, write, and execute what's in there.
3.) Sets the directory back to the original (hopefully secure) permissions.

That means that you won't be able to add, remove, or modify anything in
that directory, of course, including the directory itself, unless you do
so via the web. For example, you won't be able to use FTP to upload to
that directory, nor can you delete anything from there via FTP or SSH
(unless your host has REALLY screwed something up).

Of course, if php_suexec is running, or if you set the SUID on the script,
then the scripts will execute as the user they belong to, not as
apache/nobody/daemon or whatever Apache is set to run as. This means that
the above paragraph does not apply, and even via Apache, it would be as
though you had manually placed the files there. This is the most-secure
operation as far as that goes, but can lead to problems of privilege
escalation if someone is able to create files under the UID of a different
user on the system and have suexec run the files.

And a basic refresher on Unix permissions as a whole (these NEVER apply to
root, who can do anything, anytime, anywhere):

    Specialty  User  Group  Everyone
        #       #      #       #

Everyone knows the basics of chmod:

        -       7      5       5

`chmod 755 script.php`
-rwxr-xr-x script.php
- Owner can read, write, and execute
- Members of primary group can read and execute (can't write to file)
- Everyone else can read and execute (can't write to file)

Another example:

`chmod 640 script.php`
-rw-r----- script.php
- Owner can read and write (can't execute file)
- Members of primary group can read (can't write or execute file)
- No one else (again, beside root) can read, write, or execute file

Each bit is comprised of a math formula with values as follows:

4 - Read
2 - Write
1 - Execute
0 - No permissions (cannot be added to above numbers in permission bit,
    of course)

So to get the number for the permission bit, simply add the above numbers
together to get the sum. For example, if you want the owner of the file to
be able to read, write, and execute, the group to be able to read and
execute, and the rest of the world to only be able to read, you'd
calculate the following:

Owner (read, write, execute): 4 + 2 + 1 = 7
Group (read and execute): 4 + 1 = 5
Everyone (read only): 2

Your permissions as above would be 752 (`chmod 752 script.php`).

Now, on to the 4-digit permission values you've probably seen elsewhere.
These begin with what's called a 'specialty bit' which allows the owner
(or root) to enforce one of the following:

4 - SUID (if executed, runs as owner, with owner permissions)
2 - GUID (if executed, runs as group, with group permissions)
1 - Sticky (if directory, only user can modify/rename/delete files within;
    if file, on only *nix systems, keep file in RAM upon delete)

Using the same concept and convention as above with the math, you can
create single or combination permissions on the specialty bit of the
permissions. Some examples:

4755 - Owner can read/write/execute; group and everyone else can
       read/execute; when run, runs with owner permissions
2751 - Owner can read/write/execute; group can read/execute; everyone else
       can execute; runs with group permissions
6750 - Owner can read/write/execute; group can read/execute; nobody else
       has permission; runs user/group permissions.

And the file permissions will look like so:

`chmod 4755 script.php` --- -rwsr-xr-x script.php
`chmod 2751 script.php` --- -rwxr-s--x script.php
`chmod 6750 script.php` --- -rwsrws--- script.php

So it's a bit longer than what you asked for, but sometimes it's good to
go over the fundamentals again. Plus, I'm not positive, but PHP may
require that you use 4-digit permissions as opposed to the common 3-digit
permissions when using the chmod() function in your scripts. Just
something to think about.

Hope it helps someone.

--
Daniel P. Brown
[office] (570-) 587-7080 Ext. 272
[mobile] (570-) 766-8107

-----------------------------------------------

Thanks Daniel, I've been dealing with this recently and found your post
very helpful.

Cheers
Arno
-- Daniel P. Brown [office] (570-) 587-7080 Ext. 272 [mobile] (570-) 766-8107