Re: Security Question, re directory permissions [long answer]

   My pleasure, Arno!

On 5/22/07, Arno Kuhl <akuhl@xxxxxxxxxxxx> wrote:

-----Original Message-----
From: Daniel Brown [mailto:parasane@xxxxxxxxx]
Sent: 18 May 2007 10:27
To: Al
Cc: php-general@xxxxxxxxxxxxx
Subject: Re: Security Question, re directory permissions [long answer]


On 5/18/07, Al <news@xxxxxxxxxxxxx> wrote:
>
> I'm on a shared Linux host and have been wondering about security and
> directory "other" ["world"] permissions.
>
> The defaults are 755. The 'others' [world] can read them only.
>
> Is there a security hole if a directory on the doc root has
> permissions 757?
>
> If there is a security problem, what is it?
>
> Thanks...
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


    DISCLAIMER: Bear with me.... this is a bit of a long answer.... enjoy!

    I can't think of any good reason why you'd have 757 for your
permissions, first of all.

    Secondly, yes, there are security holes in having world-writable
directories on a shared system.  Some scripts require that you have these
permissions set, and this is primarily for uploading files.  However, better
care should be taken by the authors to work around the 777-required
permissions.  For example, if uploading an image on the web to a
web-accessible directory, it could instead be done as follows:

        Set permissions on [directory] to 777.
        Run script createdir.php via the web:
                <?php
                     $dir_name = 'new_dir';  // set this to the directory you want created
                     // Apache's own user creates the directory...
                     mkdir($dir_name);
                     // ...then locks it so only that user can read, write or enter it
                     chmod($dir_name, 0700);
                ?>
        Set permissions on [directory] back to the original permissions
(probably 750 or 755).

    The above example does the following:
        1.) Sets the directory to allow everyone to read, write, and execute.
        2.) Apache creates a directory and sets permissions so that only it
can read, write, and execute what's in there.
        3.) Sets the directory back to the original (hopefully secure)
permissions.

    That means that you won't be able to add, remove, or modify anything in
that directory, of course, including the directory itself, unless you do so
via the web.  For example, you won't be able to use FTP to upload to that
directory, nor can you delete anything from there via FTP or SSH (unless
your host has REALLY screwed something up).

    Of course, if php_suexec is running, or if you set the SUID on the
script, then the scripts will execute as the user they belong to, not as
apache/nobody/daemon or whatever Apache is set to run as.  This means that
the above paragraph does not apply, and even via Apache, it would be as
though you had manually placed the files there.  This is the most-secure
operation as far as that goes, but can lead to problems of privilege
escalation if someone is able to create files under the UID of a different
user on the system and have suexec run the files.

    And a basic refresher on Unix permissions as a whole (these NEVER apply
to root, who can do anything, anytime, anywhere):
        Specialty    User    Group    Everyone
            #          #       #         #

    Everyone knows the basics of chmod:
            -          7       5         5
             `chmod 755 script.php`
             -rwxr-xr-x  script.php
                      - Owner can read, write, and execute
                      - Members of primary group can read and execute (can't
write to file)
                      - Everyone else can read and execute (can't write to
file)

    Another example:
              `chmod 640 script.php`
              -rw-r----- script.php
                       - Owner can read and write (can't execute file)
                       - Members of primary group can read (can't write or
execute file)
                       - No one else (again, beside root) can read, write,
or execute file

    Each bit is comprised of a math formula with values as follows:
        4 - Read
        2 - Write
        1 - Execute
        0 - No permissions (cannot be added to above numbers in permission
bit, of course)

    So to get the number for the permission bit, simply add the above
numbers together to get the sum.  For example, if you want the owner of the
file to be able to read, write, and execute, the group to be able to read and
execute, and the rest of the world to only be able to read, you'd calculate
the following:
        Owner (read, write, execute):  4 + 2 + 1 = 7
        Group (read and execute): 4 + 1 = 5
        Everyone (read only): 2

    Your permissions as above would be 752 (`chmod 752 script.php`).

    Now, on to the 4-digit permission values you've probably seen elsewhere.
They begin with what's called a 'specialty bit' which allows the owner (or
root) to enforce one of the following:
    4 - SUID (if executed, runs as owner, with owner permissions)
    2 - GUID (if executed, runs as group, with group permissions)
    1 - Sticky (if directory, only user can modify/rename/delete files
within; if file, on only *nix systems, keep file in RAM upon delete)

    Using the same concept and convention as above with the math, you can
create single or combination permissions on the specialty bit of the
permissions.  Some examples:
        4755 - Owner can read/write/execute; group and everyone else can
read/execute; when run, runs with owner permissions
        2751 - Owner can read/write/execute; group can read/execute;
everyone else can execute; runs with group permissions
        6750 - Owner can read/write/execute; group can read/execute; nobody
else has permission; runs user/group permissions.

    And the file permissions will look like so:
        `chmod 4755 script.php`    ---    -rwsr-xr-x script.php
        `chmod 2751 script.php`    ---    -rwxr-s--x script.php
        `chmod 6750 script.php`    ---    -rwsrws--- script.php

    So it's a bit longer than what you asked for, but sometimes it's good to
go over the fundamentals again.  Plus, I'm not positive, but PHP may require
that you use 4-digit permissions as opposed to the common 3-digit
permissions when using the chmod() function in your scripts.  Just something
to think about.

    Hope it helps someone.

--
Daniel P. Brown
[office] (570-) 587-7080 Ext. 272
[mobile] (570-) 766-8107

-----------------------------------------------


Thanks Daniel, I've been dealing with this recently and found your post very
helpful.

Cheers
Arno




--
Daniel P. Brown
[office] (570-) 587-7080 Ext. 272
[mobile] (570-) 766-8107
