Proper Permission for Apache and PHP applications

Posted on 2008-06-18
Last Modified: 2012-05-05

I'm in charge of two RHEL 5.x servers with Apache 2.x and PHP 5.1.x.
A team of programmers just installed an application to the server and they want to chmod 777 almost all the files and directories their application uses, claiming that without this, the PHP code will not run properly.

Most of the application is written in PHP with calls to external utilities like html2ps.

There is a temporary directory where users should upload documents and another temporary directory where html pages are transformed into PDF using html2ps php module.

My questions are (not being a security expert):

1- Is it wrong to chmod .php and .sh scripts with 777 under the webroot directory of Apache?
I guess there is no need to chmod 777 a script, but since I am not a php programmer.....
2- Can I chmod 775 and chown root:root all files under webroot?
3- Is it ok to chmod 777 the two directories for uploads and html2ps conversion only?
4- Why would a php programmer say that he needs 777 to make a .php work?

Question by:erickperez

Expert Comment

ID: 21815788
If a developer is asking for such permissions, he is doing something wrong. It is a gaping security whole to do what is being asked in this case.

Now, if this server is an internal server with no ties at all to the outside world, you are probably safe making these changes. Your only risk is from internal maliciousness, and you can choose to deal with that how you wish.

However, if these will be external servers which can be accessed by the world, you are opening yourself up to very dangerous exploits.

First, changing file permissions to 777 allows any user on the system to modify those files. This can be a user that is logged in directly, or a user that is accessing your server via a script, and exploiting that script to do his wishes. As long as you keep such permissions to a minimum (like on temporary or user-upload directories), you should be safe. However, you should never change a script to 777, because if that file is modified by a malicious user and then executed, you are at the mercy of the code that has been placed in the script.

Second, on a public-facing webserver, neither Apache nor any PHP script should *EVER* be run as root. *EVER*. The reason is the same as above: giving a script root access is equivalent to running 'chmod -R 777 *'. You are making every file and directory on the server writable to that script. If that script has security holes which allow an attacker to exploit it, you are in for some serious trouble.

A common reason that a developer wants a script to run as root is because he wants output from a system command, and will be using a function like exec() to run it. This is fine, again, in a closed environment, but never on a public-facing server. The potential for abuse is just too high. Instead, any processing that is needed should be done either via a PHP-only method, or should be queued on the server to be processed independently as a batch by the appropriate command. For example, if the script needs output from the html2ps command, you should do the following:

 1. Write the script so that it saves the HTML file into an appropriate directory.
 2. Allow the script to set a flag, either in a database or a flat file, to notify a daemon that a file is waiting to be processed.
 3. The daemon sees that a file is waiting, and calls html2ps to process the file, writing the output to a webserver-accessible directory.
 4. The script checks for the existence of the processed file, and acts accordingly.
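
A sketch of the batch worker from steps 1 to 4 above, added here as an example and not part of the original answer. The names `SPOOL_DIR`, `OUT_DIR`, `CONVERTER` and `process_queue` are assumptions, the presence of a `*.html` file in the spool directory stands in for the flag in step 2, and html2ps is assumed to write its result to standard output.

```shell
#!/bin/sh
# Batch worker for the four-step queue design (added example).
# Assumed names: SPOOL_DIR, OUT_DIR, CONVERTER. Run as a dedicated
# unprivileged account from cron or a service, never as root.
SPOOL_DIR="${SPOOL_DIR:-/var/spool/webapp/html-in}"  # step 1: PHP saves HTML here
OUT_DIR="${OUT_DIR:-/var/www/html/converted}"        # step 3: worker publishes here
CONVERTER="${CONVERTER:-html2ps}"  # assumed: takes a file, writes to stdout

# Step 2 simplification: a *.html file appearing in SPOOL_DIR is the flag.
# The PHP side should write under a temporary name and rename to *.html.
process_queue() {
    done_count=0
    for job in "$SPOOL_DIR"/*.html; do
        [ -e "$job" ] || [ -L "$job" ] || continue   # glob matched nothing
        name=$(basename "$job" .html)
        # The spool is web-writable, so trust nothing: no symlinks, no odd names.
        if [ -L "$job" ] || [ ! -f "$job" ]; then
            mv -- "$job" "$job.rejected"; continue
        fi
        case "$name" in
            *[!A-Za-z0-9_-]*) mv -- "$job" "$job.rejected"; continue ;;
        esac
        tmp="$OUT_DIR/.$name.tmp.$$"
        if "$CONVERTER" "$job" > "$tmp" 2>/dev/null; then
            chmod 644 "$tmp"
            mv -- "$tmp" "$OUT_DIR/$name.ps"   # atomic rename: step 4 never sees a partial file
            rm -f -- "$job"
            done_count=$((done_count + 1))
        else
            rm -f -- "$tmp"
            mv -- "$job" "$job.failed"
        fi
    done
    echo "$done_count"    # number of files converted in this pass
}
```

With this layout the web server account needs write access only to the spool directory, and only the worker account needs write access to the output directory.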
Expert Comment

ID: 21815804
Spellchecker is on vacation. "security whole" should be "security hole"

Author Comment

ID: 21816044
Hi glcummins,
This will be an internet facing server.
Since we are running Red Hat EL with apache and php as RPM packages....
Web server is as usual running as user apache group apache.
I am thinking of chmod 775 all files below /var/www/html/* -R
Also, chown root:root /var/www/html/* -R

Security speaking, is it ok?
Expert Comment

ID: 21816106
775 still gives any rogue script on the server the ability to change any of your scripts. I wouldn't ever do that on my server, especially if there is a way for other people to upload scripts to the server to be run as root. Consider this scenario:

 I have a script that checks user logins for my site. It accesses the user database, checks a username and password, and logs in a user if the info is correct.

 Now suppose that another script exists on your server which has been placed there by a malicious user. Normally, he would be able to write to only his own files. However, since his script will run under Apache, and since you have given write access on all of your files to your scripts, his script can now modify *your* scripts. He can add a little line in your code that will log all usernames and passwords to a file he can access, for example, or scrape user credit card information, etc.

Next, regarding changing the ownership of the scripts to root, I urge you in the strongest possible terms to reconsider. As I stated before, this will give your scripts complete control over the entire server. If there is any input validation problem in any one of the scripts, that script can be used to completely decimate your server. I would strongly recommend that you find another way to get the data that you desire rather than running your scripts as root.
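
A way to check a webroot for the write bits discussed in this thread, added here as an example and not part of the original comment. The function name `audit_webroot` and its argument convention (webroot first, then the directories that are expected to be writable, relative to the webroot) are assumptions.

```shell
#!/bin/sh
# audit_webroot ROOT [ALLOWED_DIR...]   (added example, hypothetical helper)
# Prints one finding per line. ALLOWED_DIR entries are relative to ROOT, e.g.
# the upload and conversion directories; names containing spaces are not handled.
audit_webroot() {
    root=${1%/}; shift
    allowed=" $* "
    # Pass 1: anything world-writable (the last "7" in 777). Symlinks skipped.
    find "$root" ! -type l -perm -0002 -print | while IFS= read -r path; do
        rel=${path#"$root"/}
        if [ -d "$path" ]; then
            case "$allowed" in
                *" $rel "*) ;;                       # expected writable directory
                *) echo "DIR-WORLD-WRITABLE $rel" ;;
            esac
        else
            case "$rel" in
                *.php|*.sh) echo "SCRIPT-WORLD-WRITABLE $rel" ;;
                *)          echo "FILE-WORLD-WRITABLE $rel" ;;
            esac
        fi
    done
    # Pass 2: scripts writable by group but not by world (the 775 case).
    find "$root" -type f \( -name '*.php' -o -name '*.sh' \) \
        -perm -0020 ! -perm -0002 -print | while IFS= read -r path; do
        rel=${path#"$root"/}
        echo "SCRIPT-GROUP-WRITABLE $rel"
    done
}
```

For example, `audit_webroot /var/www/html uploads` lists every world-writable entry except the `uploads` directory itself, plus any group-writable `.php` or `.sh` file.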

Author Comment

ID: 21825065
So in that case,
What user/group do you recommend to chown the .html, .php and .js files that exist on the webroot?
What perms for the files?
r-- for html?
r-x for js?
r-- for .php?

Accepted Solution

glcummins earned 500 total points
ID: 21825103
I recommend that the files in the webroot be owned by the apache user and group. Check the httpd.conf file for the user and group that Apache runs under, and make your files use the same user and group.

There should be no difference in file permissions for HTML, JavaScript, or PHP files. They are all read directly by Apache, and need no special permissions as long as Apache can read them.

Author Closing Comment

ID: 31468514
Thanks for your assistance. I feel more confident now with this and future installations.
