Solved

How do file permissions work

Posted on 2011-03-12
Last Modified: 2012-05-11
I'm trying to figure out how to limit access to a php-file based on file-permissions, but apparently I don't get it.
I want to limit the possibility to send POST or GET to a php-file from another hostname and figured that it could be done by setting the write-access to Owner only.

But that is not it.

So can anyone explain to me how the permissions work?

I expected that domains placed in the same server-directory would be Owner, while others would be Everyone.

I need a real simple explanation on this - preferably with an example of how to limit Writing to a php-file
Question by:petersego
LVL 34

Expert Comment

by:Beverley Portlock
ID: 35116172
You don't say what your operating system is, but I'll assume Linux

Permissions come in two parts - membership and access modes. Let us say you create a user profile of 'peter' and also add it to the  group 'users'. Let us say you create a PHP file and set its ownership (via the chown command) to 'peter' and group 'users'.

Now we need to consider the access modes. Basically these are in 3 parts - owner, group, others and they each consist of 3 settings read, write and execute. These are set with the chmod command and they are set in groups of three in the order rwx (read/write/execute) with values 4=read, 2=write, 1=execute, and the groups are in the sequence owner, group, others.

So for your PHP script you might set the modes to 740 with chmod 740 myscript.php. That will give :

Owner: 7 = 4 + 2 + 1 = r w x
Group: 4 = 4 + 0 + 0 = r - -
Others: 0 = 0 + 0 + 0 = - - -

So the owner (peter) can read, write and execute the script, people who are members of the group users can read the script and everyone else is not allowed to do anything with it.

Now on Linux, PHP is usually implemented as an Apache module which means it runs under the group www-data or www or wwwrun (depending on your OS) and similarly for an owner profile. In this example, Apache has no permission to do anything with the file because it is not 'peter' and it is not a member of 'users'

The problem here is that no matter how you set permissions on different domains within the webroot, apache needs at least read access otherwise it cannot access them. One solution for this is to create a group with the same name as the user ('peter' in our example) and then assign apache membership of that group. This allows apache to read the scripts for a given domain, but it also means that apache can read any other script in any other domain in the web root. You can stop this by using another setting called open_basedir which, for any domain, limits what apache can do.

So, let us take a more concrete example. Two domains example1.org and example2.com which are to be kept independent of each other. So we create two new users and two new groups

user: example1  group: example1
user: example2  group: example2

Then we set the ownership of our scripts

chown -R example1:example1 /var/www/htdocs/example1.org
chmod -R 770 /var/www/htdocs/example1.org

chown -R example2:example2 /var/www/htdocs/example2.com
chmod -R 770 /var/www/htdocs/example2.com


We now add the apache user to the relevant groups (assuming www-data is the apache user)

usermod -a -G example1,example2 www-data

and what we now have are two domains whose code is limited to their user and group and apache. We now need to limit apache to each domain via open_basedir so in each VirtualHost in apache add the following line between the <Directory> and </Directory> tags

in example1.org's Virtualhost
 php_admin_value open_basedir /var/www/htdocs/example1.org

in example2.com's Virtualhost
 php_admin_value open_basedir /var/www/htdocs/example2.com

This limits apache to all files and folders below the path given. There are ways round open_basedir but it is a showstopper for 99.9% of all hacks. Combined with the access methods outlined above you should be fairly secure.




 

Author Comment

by:petersego
ID: 35116408
Thanks for the comprehensive explanation.
My problem is that I'm in no control of the server and I can't imagine that my ISP will change basic settings like this.
I have no access to Apache and I can't change or set CHOWN only CHMOD.
But as I understand you, if I set CHMOD to 740 for the PHP-file, then a domain without me as the user, should not be able to send POST to it.
I've tried that, but I can still send from another domain that belongs to another username - to the best of my knowledge.
It seems incredible that everyone from anywhere in the world can send to a script through POST.
 
LVL 34

Expert Comment

by:Beverley Portlock
ID: 35116492
You should be able to limit a script's behaviour, but I'm out of time at the moment. If you have access to the virtualhost then you can still use open_basedir.

I'll pick this up later (much later) if it is still open or tomorrow.

 
LVL 34

Expert Comment

by:Beverley Portlock
ID: 35127208
How are things going? Do you need further explanation?
 

Author Comment

by:petersego
ID: 35127642
Well, I'd be glad if you could clarify if filepermission is set as 740 for the php-file, then another domain, that does not have the same owner should not be able to send POST to it.
That is what I understand from your answer.
Secondly you wrote that I should be able to limit a script's behaviour. What did you mean by that?
By the way I have no access to the virtualhost.
 
LVL 34

Accepted Solution

by:
Beverley Portlock earned 500 total points
ID: 35128150
"By the way I have no access to the virtualhost."

In that case you have a difficulty because we need to be able to set open_basedir and that should be done in the virtual host. I will expand on this point in a moment.


"I'd be glad if you could clarify if filepermission is set as 740 for the php-file, then another domain, that does not have the same owner should not be able to send POST to it."

As long as each domain has its own owner and group then this isolates one domain from seeing another as the "public" permission in 740 is 0 - ie no permission to read, write or execute. But..... the webserver needs to be able to read a script or else PHP cannot load the script to execute it so in my explanation I added the webserver user to each new group. This means that for permissions of 740, the group part (4) grants read permission to any user in that group and that includes the webserver. So although general users of the system or those logging in via FTP cannot move around between domains - the webserver has "read access" to every file or every domain of which it is a group member.

This is where the open_basedir came in. IF each domain has an open_basedir set in its virtualhost then the webserver is limited to staying within that domain. If you access domain1 then the open_basedir stops apache (and thus the user) from accessing domain2 even though the webserver has access to every single file. That is why it is the combination of file/group permissions and open_basedir that secures the machine.


"Secondly you wrote that I should be able to limit a scripts behaviour. What did you mean by that."

You said that it was "...incredible that everyone from anywhere in the world can send to a script through POST". Well, that's the beauty of the internet, but if you want to you can restrict scripts by a few simple checks. For instance putting a "form token" on a form stops many automated scripts (see this http://phpsec.org/projects/guide/2.html for discussion on how to modify a form's behaviour) or you can limit a script so that it only functions if the user arrived from another page on your website (by checking $_SERVER['HTTP_REFERER'] ). There are other methods and techniques but these illustrate the general point that forms do not have to blindly accept whatever people tip into them.
0
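The form-token and referer checks mentioned in the accepted answer, as an added example that is not part of the original thread or any poster's code. The function names and the form_token field name are assumptions; in a real handler the three arrays would be $_SESSION (after session_start()), $_POST and $_SERVER. The token carries the weight here, because the Referer header is supplied by the client.

```php
<?php
// Added example: per-session form token for a POST handler.
// Function names and the 'form_token' key are illustrative assumptions.

function issue_form_token(array &$session): string
{
    // 32 random bytes from the OS CSPRNG, hex-encoded for a hidden field.
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

function is_valid_form_post(array $session, array $post, array $server, string $ownHost): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $expected = $session['form_token'] ?? '';
    $supplied = $post['form_token'] ?? '';
    // Reject missing or non-string values, then compare in constant time.
    if (!is_string($supplied) || $expected === '' || !hash_equals($expected, $supplied)) {
        return false;
    }
    // Secondary check: Referer is sent by the client, so it only filters
    // browsers arriving from other sites. An absent header is tolerated.
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer !== '') {
        $host = parse_url($referer, PHP_URL_HOST);
        if (!is_string($host) || strcasecmp($host, $ownHost) !== 0) {
            return false;
        }
    }
    return true;
}

// Constructed demonstration, runnable with the PHP CLI (no web server needed).
$session = [];
$token = issue_form_token($session);
echo '<input type="hidden" name="form_token" value="'
    . htmlspecialchars($token, ENT_QUOTES) . '">' . PHP_EOL;

$own     = ['REQUEST_METHOD' => 'POST', 'HTTP_REFERER' => 'https://example1.org/form.php'];
$foreign = ['REQUEST_METHOD' => 'POST', 'HTTP_REFERER' => 'https://example2.com/page.html'];

var_dump(is_valid_form_post($session, ['form_token' => $token], $own, 'example1.org'));     // post from own form
var_dump(is_valid_form_post($session, ['name' => 'x'], $own, 'example1.org'));              // token missing
var_dump(is_valid_form_post($session, ['form_token' => $token], $foreign, 'example1.org')); // referer on another host
```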
 

Author Closing Comment

by:petersego
ID: 35130459
Thanks. I might not have found the solution, but you certainly have pointed me in several interesting directions.