> Date: Sunday, August 15, 2021 02:34:44 +0200
> From: Rene Veerman <rene.veerman.netherlands@xxxxxxxxx>
>
> On Sat, Aug 14, 2021 at 11:20 PM Richard wrote:
>
>> a slight correction/clarification below ...
>>
>>
>> > Date: Friday, August 13, 2021 22:49:31 +0200
>> > From: Rene Veerman <rene.veerman.netherlands@xxxxxxxxx>
>> >
>> > but after the upload, when I try to view the files, I get an
>> > Apache level "Access denied" message in the browser
>> > ...
>> > shows debug information that
>> > lists the chown rene:www-data command on the files to fail, but
>> > that's understandable because apache runs as www-data:www-data.
>> > However, the chmod 770 command on the files does succeed,
>> > ...
>> > - after running my
>> > https://github.com/nicerapp/nicerapp/blob/main/setPermissions.sh
>> > script after the upload has fully completed, the
>> > photoalbum/4.0.0/index.php display script works without the
>> > access denied bug and correctly displays the sub-folder contents.
>> >
>>
>> You need to show your work ...
>>
>> - show the apache error log errors - the browser message isn't
>> very useful
>>
>> - show a (truncated) directory/file listing (from the shell) that
>> includes the ownership/group settings and permissions
>>
>> &etc.
>>
>>
>> Separately, while your script appears to set the "nicerapp"
>> directory with the owner/group of rene:www-data and 750
>> permissions, at the bottom of that script, files under that are
>> given 770 permissions. That means that the apache instance - which
>> you indicate runs as "www-data" and is in the "www-data" group -
>> has write permission to those directories and files. This is a
>> security risk.
>> Directories and files under the document root should *never* be
>> writable by the process that is running the apache server.
>>
>
> Richard, could you please explain *why* setting files under the
> documentRoot to chmod 770 permissions is a security risk?
> I'm only enabling this for the cache-combinated files for my CMS'
> sitewide css and js files,
> and the newsItems data directory, and the photoAlbum uploads
> directories, stuff like that.
>
> I believe I need those files and directories writable by
> apache+php7 to facilitate the day to day operations done by
> end-users on the websites it serves up.

To be clear, the issue isn't just 770 permissions. It's the intersection of the owner/group on the resource, the user the server is running as and the groups it is in -- and permissions.

If there is a hole in the server - either in the server proper or more likely user code - easily exploitable resources provide a hacker with a nice starting point.

Please do not include my direct address on replies.
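An added example, not part of this thread, that checks the intersection Richard names: a POSIX shell audit that lists every path under a document root the server process could write to through its user, any of its groups, or the other-write bit, plus a second function that subtracts the directories an application legitimately needs writable. The `/var/www/nicerapp` path and the `cache:photoalbum/uploads` allowlist in the final comment are assumed, not taken from NicerApp's layout.

```shell
# Audit a document root for paths the web server process could write to:
# the server user owns it with the owner-write bit set, one of the server's
# groups owns it with the group-write bit set, or the other-write bit is set.
# Usage: audit_server_writable DOCROOT SERVER_USER [GROUP ...]
#   GROUP defaults to the output of `id -Gn SERVER_USER`.
audit_server_writable() {
    docroot=$1
    user=$2
    shift 2
    if [ $# -eq 0 ]; then
        groups=$(id -Gn "$user") || return 1
    else
        groups=$*
    fi
    # Build the find expression in "$@" (POSIX sh has no arrays).
    # Octal masks: 200 = owner write, 020 = group write, 002 = other write.
    set -- '(' -user "$user" -perm -200 ')' -o -perm -002
    for g in $groups; do
        set -- "$@" -o '(' -group "$g" -perm -020 ')'
    done
    find "$docroot" ! -path "$docroot" '(' "$@" ')' -print | sort
}

# Same audit, minus directories that are meant to be writable (cache output,
# upload trees). EXPECTED is a colon-separated list of paths relative to
# DOCROOT; every other writable path is a finding.
# Usage: audit_unexpected_writable DOCROOT EXPECTED SERVER_USER [GROUP ...]
audit_unexpected_writable() {
    docroot=$1
    expected=$(printf '%s' "$2" | tr ':' ' ')
    shift 2
    audit_server_writable "$docroot" "$@" | while IFS= read -r path; do
        rel=${path#"$docroot"/}
        keep=1
        for dir in $expected; do
            case "$rel" in
                "$dir"|"$dir"/*) keep=0 ;;
            esac
        done
        if [ "$keep" -eq 1 ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Example (assumed layout, not NicerApp's own): report everything under the
# document root that www-data could write to, except the cache and uploads
# trees the application legitimately needs:
#   audit_unexpected_writable /var/www/nicerapp cache:photoalbum/uploads www-data
```

Run it as a user that can read the whole tree; every path the second function prints is one whose write access should be justified or removed.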