Solved

permissions on file in directory for apache to use but not user to see

Posted on 2004-04-04
9
313 Views
Last Modified: 2010-04-20
i have some files in a directory and i would like to hide the php code from the user who logs in via ftp.

he has permissions for everything but writing to his home directorys php files which i wrote.
he can still read them but as soon as i chmod them to no read the website says access forbidden, im guessing that apache needs some type of special read permissions.


also is there a way too if someone makes a php file and uploads it that it cannot read the other php files i wrote.

heres the current directory permissons on the php files
-rwxrwxr-x    1 jasonb   jasonb       6496 Feb 24 04:06 index.php
-rwxrwxr-x    1 jasonb   jasonb       2541 Feb 19 01:06 leftsideframe.php
-rwxrwxr-x    1 jasonb   jasonb        492 Feb 19 01:06 main.php
-rwxrwxr-x    1 jasonb   jasonb       5320 Mar  4 03:23 markfunctions.php
-rwxrwxr-x    1 jasonb   jasonb       4890 Feb 19 01:06 new.php
-rwxrwxr-x    1 jasonb   jasonb       8876 Mar  5 01:04 orderprints.php
-rwxrwxr-x    1 jasonb   jasonb       1408 Feb 24 04:06 pagevisit.php
-rwxrwxr-x    1 jasonb   jasonb       1406 Feb 19 01:06 rightsideframe.php
-rwxrwxr-x    1 jasonb   jasonb       3704 Mar  4 03:24 setupcontactsheets.php
-rwxrwxr-x    1 jasonb   jasonb       5875 Feb 19 01:06 test.php
0
Comment
Question by:aot2002
  • 5
  • 4
9 Comments
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10751465
With what user id / group id is your Apache server running? Once you know that, use this information to change the owner and/or group for your PHP files and make sure that you don't give any rights to the world. Let's say, your server runs as "wwwrun". You can protect your PHP files by using these commands:

chown wwwrun *.php
chmod 700 *.php

I don't think you can prevent other PHP files from accessing your PHP files. Once they are started, they run under the same user ID, and can therefore access these scripts.

0
 
LVL 1

Author Comment

by:aot2002
ID: 10752863
>>Once they are started, they run under the same user ID, and can therefore access these scripts.

Yea but isnt it true that if that user uploads the files he doesnt have access to apache
or can i prevent him from accessing anything that apache does.

0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10753359
I don't understand your question. If a user uploads a .php file, and your server is configured so that it executes .php files in the user's home directory, the Apache process can potentially access your php files and get access to the scripts. Unlikely, but not impossible.
0
 
LVL 1

Author Comment

by:aot2002
ID: 10754572
but would it also be true the user would upload and his username would be marked as the owner of the file !

if he is the owner and he doesnt have permission then how can he execute a script?
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10755916
The owner of the file is not important, it's the execute permissions that will cause the problem.
0
 
LVL 1

Author Comment

by:aot2002
ID: 10756161
what if he doesnt have file changing permissions ?
basically he can upload but not change file permissions?

Is this possible?
0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10756549
How do your users upload files to the server?
0
 
LVL 1

Author Comment

by:aot2002
ID: 10760409
ftp   im running vsftpd
0
 
LVL 44

Accepted Solution

by:
Karl Heinz Kremer earned 30 total points
ID: 10762527
The ftp protocol does allow to modify the file mode on the server. You have to make sure that your user's directories are marked as not-executable on the Web server level. Apache does this with -ExecCGI in the Options command.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

If you have a server on collocation with the super-fast CPU, that doesn't mean that you get it running at full power. Here is a preamble. When doing inventory of Linux servers, that I'm administering, I've found that some of them are running on l…
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now