> when I create a folder outside
> the htdocs directory and give
> rwx rights to owner and group,
> does that mean it is impossible
> to access it from somewhere else
> than the server

I'm not sure what the directory is for, but setting an "rwx" permission will allow executables to run. To my limited knowledge, you should generally only need read/write ("rw") on a public-accessible server.

> For my logic you would need server
> access.. am I right?

Setting owner/group permissions makes certain operations unavailable to any person or system which is not the owner or member of the group. It could potentially be accessed from anywhere if the person or system has a connection and the authorization.

In general, you should be relatively safe as a properly configured server should, by default, only allow the public "read-only" access to certain directories (htdocs in your case) and deny everything else. This is a kind of "security through anonymity". If it is outside of your web root, the general public shouldn't even know it is there.

> or are there
> still some freaky hacker tricks
> to get to one of those directories?

I'm not a hacker so do not know what tricks they might try, but here are some things that might help reduce your risks:

Place an empty "index.html" in directories (some people will put an "Access denied" message here). This should help prevent anyone who manages to get "out" (whether due to an error or otherwise) from seeing an index of what you have on your server.

Make sure you have error redirects in place. Any errors should be redirected to an HTML page.

Only change permissions on directories or files which absolutely must have them and then only use the bare minimum required.

Never allow anonymous uploads, especially if you are going to allow executables (the "x" permission). Allowing unrestricted anonymous uploads is just begging to get hacked. Actually, to my mind, allowing anonymous FTP is just a bad idea in general.

All user submitted information (forms) should be sanitized and validated. Never process a raw form submission.

Oops... I didn't mean for this to be such a long post. Hope that helps a bit.

--- In php-objects@xxxxxxxxxxxxxxx, "m.frigge" <m.frigge@...> wrote:
>
> Hey there,
>
> when I create a folder outside
> the htdocs directory and give
> rwx rights to owner and group,
> does that mean it is impossible
> to access it from somewhere else
> than the server.. or are there
> still some freaky hacker tricks
> to get to one of those directories?
>
> For my logic you would need server
> access.. am I right?
>
> Greets, Max
>
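
An added example, not part of the original post or thread: a POSIX shell check for the "bare minimum" permissions advice in the reply above. It flags anything under a directory kept outside the web root that grants access to "other", and regular files that carry an execute bit; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a directory kept outside the web root for permission
# bits beyond the minimum. Function names and sample files are constructed.

# Prints one line per finding; returns 0 if clean, 1 if findings, 2 on bad input.
audit_private_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    findings=$(
        # Files or directories granting read, write or execute to "other".
        find "$dir" \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print |
            sed 's|^|OTHER-ACCESS |'
        # Regular files with an execute bit set for owner, group or other.
        find "$dir" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print |
            sed 's|^|EXEC-FILE |'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Builds a constructed sample tree and prints the path of its private directory.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/private"
    chmod 770 "$root/private"              # rwx for owner and group, as in the question
    printf 'secret\n' > "$root/private/config.ini"
    chmod 660 "$root/private/config.ini"   # rw for owner and group only
    printf 'data\n' > "$root/private/upload.bin"
    chmod 775 "$root/private/upload.bin"   # too broad: executable, readable by other
    echo "$root/private"
}

# Demo run on the constructed tree: upload.bin is reported twice, once per rule.
sample=$(make_sample_tree)
audit_private_dir "$sample" || echo "exit status $? (1 means findings)"
rm -rf "${sample%/private}"
```
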