Re: strange post photoalbum Apache/PHP error to view uploaded photos


Richard, could you please explain *why* setting files under the documentRoot to chmod 770 permissions is a security risk?
I'm only enabling this for the cache-combined files for my CMS' sitewide css and js files,
and the newsItems data directory, and the photoAlbum uploads directories, stuff like that.

I believe I need those files and directories writable by apache+php7 to facilitate the day to day operations done by end-users on the websites it serves up.

On Sat, Aug 14, 2021 at 11:20 PM Richard <inbound-lists-php@xxxxxxxxxxxxxxxxxxxxx> wrote:
a slight correction/clarification below ...


> Date: Friday, August 13, 2021 22:49:31 +0200
> From: Rene Veerman <rene.veerman.netherlands@xxxxxxxxx>
>
> but after the upload, when I try to view the files, I get an Apache
> level "Access denied" message in the browser
>   ...
> shows debug information that
> lists the chown rene:www-data command on the files to fail, but
> that's understandable because apache runs as www-data:www-data.
> However, the chmod 770 command on the files does succeed,
>   ...
> - after running my
> https://github.com/nicerapp/nicerapp/blob/main/setPermissions.sh
> script after the upload has fully completed, the
> photoalbum/4.0.0/index.php display script works without the access
> denied bug and correctly displays the sub-folder contents.
>

You need to show your work ...

  - show the apache error log errors - the browser message isn't
    very useful

  - show a (truncated) directory/file listing (from the shell) that
    includes the ownership/group settings and permissions

  &etc.


Separately, while your script appears to set the "nicerapp" directory
with the owner/group of rene:www-data and 750 permissions, at the
bottom of that script, files under that are given 770 permissions.
That means that the apache instance - which you indicate runs as
"www-data" and is in the "www-data" group - has write permission
to those directories and files. This is a security risk.
Directories and files under the document root should *never* be
writable by the process that is running the apache server.
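
The 770 / `www-data` group situation discussed in this thread can be checked directly on a server. The script below is an added example, not part of the original messages or of the nicerapp project; the function name `find_web_writable` and its argument order are assumptions, and `www-data` is used as the default only because the thread names it.

```shell
#!/bin/sh
# Added example: list every file and directory under a document root that
# the web server account is able to write to.

# find_web_writable DOCROOT [WEB_USER] [WEB_GROUP]
# Prints one path per line when the path is
#   - owned by WEB_USER and owner-writable (mode bit 0200), or
#   - group-owned by WEB_GROUP and group-writable (mode bit 0020,
#     which is the case for rene:www-data with mode 770), or
#   - world-writable (mode bit 0002).
# WEB_USER and WEB_GROUP may be names or numeric ids.
find_web_writable() {
    docroot=$1
    web_user=${2:-www-data}
    web_group=${3:-www-data}
    find "$docroot" \( -type f -o -type d \) \
        \( \( -user "$web_user" -perm -0200 \) \
           -o \( -group "$web_group" -perm -0020 \) \
           -o -perm -0002 \) -print
}

# Stand-alone use: sh this-script.sh /path/to/docroot [user] [group]
if [ "$#" -gt 0 ]; then
    find_web_writable "$@"
fi
```

An empty result means nothing under the given directory is writable by that account; each path printed is one the server process could modify.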
