[Webinar] Streamline your web hosting managementRegister Today

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 307
  • Last Modified:

Proper Permission for Apache and PHP applications


Im in charge of two RHEL 5.x servers with Apache 2.x and PHP 5.1.x
A team of programmers just installed an application to the server and they want to chmod 777 almost all the files and directories their application uses, claiming that without this, the PHP code will not run properly.

Most of the application is written in PHP with calls to external utilities like html2ps.

There is a temporary directory where users should upload documents and another temporary directory where html pages are transformed into PDF using html2ps php module.

My questions are (not being  a security expert)

1- Is it wrong to chmod .php and .sh scripts with 777 under the webroot directory of Apache?
I guess there is no need to chmod 777 a script, but since I am not a php programmer.....
2- Can I chmod 775 and chown root:root all files under webroot?
3- Is it ok to chmod 777 the two directories for uploads and html2ps conversion only?
4- Why would a php programmer say that he needs 777 to make a .php work?

  • 4
  • 3
1 Solution
If a developer is asking for such permissions, he is doing something wrong. It is a gaping security whole to do what is being asked in this case.

Now, if this server is an internal server with no ties at all to the outside world, you are probably safe making these changes. Your only risk is from internal maliciousness, and you can choose to deal with that how you wish.

However, if these will be external servers which can be accessed by the world, you are opening yourself up to very dangerous exploits.

First, changing file permissions to 777 allows any user on the system to modify those files. This can be a user that is logged in directly, or a user that is accessing your server via a script, and exploiting that script to do his wishes. As long as you keep such permissions to a minimum (like on temporary or user-upload directories), you should be safe. However, you should never change a script to 777, because if that file is modified by a malicious user and then executed, you are at the mercy of the code that has been placed in the script.

Second, on a public-facing webserver, neither Apache nor any PHP script should *EVER* be run as root. *EVER*. The reason is the same as above: giving a script root access is equivalent to running 'chmod -R 777 *'. You are making every file and directory on the server writable to that script. If that script has security holes which allow an attacker to exploit it, you are in for some serious trouble.

A common reason that a developer wants a script to run as root is because he wants output from a system command, and will be using a function like exec() to run it. This is fine, again, in a closed environment, but never on a public-facing server. The potential for abuse is just too high. Instead, any processing that is needed should be done either via PHP-only method, or should be queued on the server to be processed independently as a batch by the appropriate command. For example, if the script needs output from the html2ps command, you should do the following:

 1. Write the script so that it saves the HTML file into an appropriate directory.
 2. Allow the script to set a flag, either in a database or a flat file, to notify a daemon that a file is waiting to be processed.
 3. The daemon sees that a file is waiting, and calls html2ps to process the file, writing the output to a webserver-accessible directory.
 4. The script checks for the existence of the processed file, and acts accordingly.
Spellchecker is on vacation. "security whole" should be "security hole"
erickperezAuthor Commented:
Hi glcummins,
This will be an internet facing server.
Since we are running Redaht EL with apache and php as RPM packages....
Web server is as usual running as user apache group apache.
I am thinking of chmod 775 all files below /var/www/html/* -R
Also, chown root:root: /var/www/html/* -R

Security speaking, is it ok?
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

775 still gives any rogue script on the server the ability to change any of your scripts. I wouldn't ever do that on my server, especially if there is a way for other people to upload scripts to the server to be run as root. Consider this scenario:

 I have a script that checks user logins for my site. It accesses the user database, checks a username and password, and logs in a user if the info is correct.

 Now suppose that another script exists on your server which has been placed there by a malicious user. Normally, he would be able to write to only his own files. However, since his script will run under Apache, and since you have given write access on all of your files to your scripts, his script can now modify *your* scripts. He can add a little line in your code that will log all usernames and passwords to a file he can access, for example, or scrape user credit card information, etc.

Next, regarding changing the ownership of the scripts to root, I urge you in the strongest possible terms to reconsider. As I stated before, this will give your scripts complete control over the entire server. If there is any input validation problem in any one of the scripts, that script can be used to completely decimate your server. I would strongly recommend that you find another way to get the data that you desire rather than running your scripts as root.
erickperezAuthor Commented:
So in that case,
What user/group do you recommend chown the .html .php and .js files that exists on the webroot?
what perms for the files?
r-- for html?
r-x for js?
r-- for .php?

I recommend that the files in the webroot be owned by the apache user and group. Check the httpd.conf file for the user and group that Apache runs under, and make your files to use the same user and group.

There should be no difference on file permissions for HTML, Javascript, or PHP files. They are all read directly by Apache, and need no special permissions as long as Apache can read them.
erickperezAuthor Commented:
Thanks for your assistance. I feel more confident now with this and future installations.

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now