Re: strange post photoalbum Apache/PHP error to view uploaded photos

OK, how would you solve this, if I may ask?

On Sun, Aug 15, 2021 at 3:31 AM Richard <inbound-lists-php@xxxxxxxxxxxxxxxxxxxxx> wrote:


> Date: Sunday, August 15, 2021 02:34:44 +0200
> From: Rene Veerman <rene.veerman.netherlands@xxxxxxxxx>
>
> On Sat, Aug 14, 2021 at 11:20 PM Richard wrote:
>
>> a slight correction/clarification below ...
>>
>>
>> > Date: Friday, August 13, 2021 22:49:31 +0200
>> > From: Rene Veerman <rene.veerman.netherlands@xxxxxxxxx>
>> >
>> > but after the upload, when I try to view the files, I get an
>> > Apache level "Access denied" message in the browser
>> >   ...
>> > shows debug information that
>> > lists the chown rene:www-data command on the files to fail, but
>> > that's understandable because apache runs as www-data:www-data.
>> > However, the chmod 770 command on the files does succeed,
>> >   ...
>> > - after running my
>> > https://github.com/nicerapp/nicerapp/blob/main/setPermissions.sh
>> > script after the upload has fully completed, the
>> > photoalbum/4.0.0/index.php display script works without the
>> > access denied bug and correctly displays the sub-folder contents.
>> >
>>
>> You need to show your work ...
>>
>>   - show the apache error log errors - the browser message isn't
>>     very useful
>>
>>   - show a (truncated) directory/file listing (from the shell) that
>>     includes the ownership/group settings and permissions
>>
>>   &etc.
>>
>>
>> Separately, while your script appears to set the "nicerapp"
>> directory with the owner/group of rene:www-data and 750
>> permissions, at the bottom of that script, files under that are
>> given 770 permissions. That means that the apache instance - which
>> you indicate runs as "www-data" and is in the "www-data" group -
>> has write permission to those directories and files. This is a
>> security risk.
>> Directories and files under the document root should *never* be
>> writable by the process that is running the apache server.
>>
>
> Richard, could you please explain *why* setting files under the
> documentRoot to chmod 770 permissions is a security risk?
> I'm only enabling this for the cache-combined files for my CMS'
> sitewide css and js files,
> and the newsItems data directory, and the photoAlbum uploads
> directories, stuff like that.
>
> I believe I need those files and directories writable by
> apache+php7 to facilitate the day to day operations done by
> end-users on the websites it serves up.
>

To be clear, the issue isn't just 770 permissions. It's the
intersection of the owner/group on the resource, the user the server
is running as and the groups it is in -- and permissions.

If there is a hole in the server - either in the server proper or
more likely user code - easily exploitable resources provide a hacker
with a nice starting point.


Please do not include my direct address on replies.
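The point Richard makes (writability is owner, group, the server account's group memberships and mode bits taken together, not the mode digits alone) can be turned into a check. The script below is an added example, not code from this thread or from the nicerapp project: it walks a document root and prints every path a given account could write. It assumes GNU coreutils `stat -c`, and the account name and its group list are passed in explicitly (hypothetical names `svc-www` and the caller's own primary group in the demo), so it also runs where that account does not exist. The sample tree it builds is constructed for the demo and mirrors the thread's 750/770/6x0 layout.

```shell
#!/bin/sh
# Added example, not from this thread or from nicerapp.
# Reports paths under a document root that a given account could write,
# judging by owner, group, the account's group list and the mode bits.
# Assumes GNU coreutils stat (-c). For a real server the call would be
#   audit_docroot /var/www www-data "$(id -Gn www-data)"
# Root is not modelled: it can write anything regardless of mode.

# has_write_bit DIGIT: true if one octal permission digit has the w bit
has_write_bit() {
    case "$1" in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

# writable_by_account PATH USER "GROUP ...": true if USER, a member of
# the listed groups, could write PATH via the owner, group or other bits
writable_by_account() {
    _info=$(stat -c '%U %G %a' "$1") || return 1
    _user=$2 _groups=$3
    set -- $_info
    _owner=$1 _group=$2
    # normalise to the last three octal digits (drops a setgid/sticky digit)
    _mode=$(printf '%03d' "$3")
    _mode=${_mode#${_mode%???}}
    _u=${_mode%??}; _g=${_mode#?}; _g=${_g%?}; _o=${_mode#??}
    if [ "$_owner" = "$_user" ] && has_write_bit "$_u"; then return 0; fi
    for _member_of in $_groups; do
        if [ "$_member_of" = "$_group" ] && has_write_bit "$_g"; then return 0; fi
    done
    has_write_bit "$_o"
}

# audit_docroot ROOT USER "GROUP ...": print every path under ROOT that
# USER could write. Under a document root this should be empty apart
# from the directories you deliberately allow (uploads, caches).
audit_docroot() {
    find "$1" | while IFS= read -r _p; do
        if writable_by_account "$_p" "$2" "$3"; then printf '%s\n' "$_p"; fi
    done
}

# count_writable ROOT USER "GROUP ...": number of writable paths found
count_writable() {
    audit_docroot "$1" "$2" "$3" | wc -l | tr -d ' '
}

# build_sample_tree DIR: constructed mini document root with the mixed
# modes discussed in the thread (750 top level, 770 upload dirs, 6x0 files)
build_sample_tree() {
    mkdir -p "$1/photoalbum/uploads" "$1/css"
    : > "$1/index.php"; : > "$1/css/site.css"
    : > "$1/photoalbum/uploads/a.jpg"; : > "$1/public.txt"
    chmod 750 "$1" "$1/css"
    chmod 770 "$1/photoalbum" "$1/photoalbum/uploads"
    chmod 640 "$1/index.php"
    chmod 664 "$1/css/site.css"
    chmod 660 "$1/photoalbum/uploads/a.jpg"
    chmod 646 "$1/public.txt"   # world-writable: a problem whatever the group
}

# Demo: the sample files are owned by whoever runs this, so a hypothetical
# account name is used and our own primary group stands in for www-data's.
if [ "${1:-}" = "--demo" ]; then
    _root=$(mktemp -d)
    build_sample_tree "$_root"
    echo "Paths writable by account svc-www (member of group $(id -gn)):"
    audit_docroot "$_root" svc-www "$(id -gn)"
    rm -rf "$_root"
fi
```

Run it as `sh audit.sh --demo` to see the five paths the group-writable layout exposes (the two 770 directories, the 664 and 660 files, and the 646 file); with an empty group list only the world-writable file remains. The check deliberately reads owner and group names rather than relying on `find -perm` alone, because `-perm -g=w` says nothing about whether the server account is actually in that group.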
