php chmod 777 security?

Hi,

I have a folder that gets written to by a PHP script. I had to change the folder permissions to 777 to allow the script to write to the folder and create the XML files.

I am a little hesitant about this because this URL is embedded inside of an iPhone app and is visible. Is this a security issue?

If so, what can I do to make it secure?

thanks.
Asked: Solutionabc

Hugh McCurdyCommented:
Yes, it's a security issue.

Can you make the folder owned by the server's login?  Look in the /etc/passwd file for the user with userid = 80.  Most likely it's apache or www.

Make the file owned by apache or www.
 
Hugh McCurdyCommented:
Having said that, as this is a security question, please wait around to see if someone else has something to say on this issue.
 
Hugh McCurdyCommented:
You could then have the permissions be 770 or 700.  If you want yourself to own the file and apache to be the group, then 770 for the folder/directory.  660 for the file.
 
amitnepalCommented:
Yes, that is a security issue. What you can do is change the owner of the folder to apache:

chown -R apache:apache <foldername>
chmod u+rwx <foldername>

or, chmod 770 <foldername>
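The chown/chmod sequence from this answer and the 770/660 split from the earlier one, put into a small script as an added example (not code from anyone in this thread). It assumes the web server's user and group are known and passed in (www-data, apache, or whatever your own system uses; do not guess the UID), and that the files in the directory only ever need to be read and written by that server process. When run without an owner and group it only fixes the modes, which is enough to test it as an unprivileged user.

```shell
#!/bin/sh
# Added example, not from the thread. Lock down a directory that a PHP
# script under the web server must write to, instead of leaving it at 777.
# Assumptions: OWNER/GROUP are the web server's account (www-data, apache,
# ...; check your own system), and the data files inside only need to be
# reachable by that account.

set -u

# harden_writable_dir DIR [OWNER [GROUP]]
#   OWNER may be empty, in which case ownership is left alone (useful when
#   you are not root). Directories become 770, regular files 660.
harden_writable_dir() {
    dir=$1; owner=${2:-}; group=${3:-}

    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Ownership first: chown needs root unless you already own the tree.
    if [ -n "$owner" ]; then
        chown -R "${owner}:${group:-$owner}" "$dir" || return 1
    fi

    # rwx for owner and group on every directory, nothing for "other";
    # rw for owner and group on every regular file below it.
    chmod 770 "$dir" || return 1
    find "$dir" -type d -exec chmod 770 {} + || return 1
    find "$dir" -type f -exec chmod 660 {} + || return 1
}

# world_writable_count DIR
#   Prints how many entries under DIR (DIR itself included) are still
#   writable by "other". A hardened tree prints 0.
world_writable_count() {
    find "$1" -perm -o+w | wc -l | tr -d ' '
}

# has_mode PATH MODE
#   Succeeds if PATH's permission bits are exactly MODE (octal, e.g. 770).
#   Uses find rather than stat so it works with both GNU and BSD tools.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}
```

Typical use on the real tree would be `harden_writable_dir /var/www/app/data www-data www-data` as root, followed by `world_writable_count /var/www/app/data` to confirm it prints 0. Files the PHP script creates afterwards get their mode from the server process's umask, so check a freshly written XML file with `has_mode` as well; if it comes out 644 or 664, tighten the umask in the script or in the server's startup environment.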
 
Ray PaseurCommented:
It typically does not take very long to write an XML file.  Maybe this is worth considering:

1. chmod to allow writing
2. flock and write xml file
3. release the lock and chmod back to your preferred security setting
 
crazedsanityCommented:
@hmccurdy: I've never seen a system where the user that owns the Apache process has the UID of 80... where are you getting this?

For the proper user id, look in the Apache configuration (/etc/apache2/apache2.conf) for a line that starts "User ".  In my server's configuration, it says:
User ${APACHE_RUN_USER}

That's an environment variable that is set in "envvars.conf":
export APACHE_RUN_USER=www-data


The only security risk I can think of as far as the ownership settings of that particular directory is that other users can read, write, & execute items in that folder.  In most configurations, the webserver (Apache) runs as a specific user, so any other website on the server would be able to read from or write to that same folder, even if it was another user.
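Reading the run user out of the configuration, as the comment above describes, done as a script; this is an added example and not code from the thread. It assumes the Debian-style layout shown above (a `User ${APACHE_RUN_USER}` directive in apache2.conf resolved from an `export APACHE_RUN_USER=...` line in the envvars file) but also handles a plain `User apache` directive, and the file paths are parameters so it can be tried on constructed copies. The `running_web_user` helper is an assumption about `ps` output, offered as a cross-check rather than as the authoritative source.

```shell
#!/bin/sh
# Added example, not from the thread. Find the account Apache runs as by
# reading its configuration instead of assuming a UID such as 80.
# Assumptions: Debian-style apache2.conf + envvars, or any httpd.conf with
# a literal "User name" line; paths are passed in so constructed files work.

set -u

# resolve_apache_user CONFIG_FILE [ENVVARS_FILE]
#   Prints the user named by the last "User" directive in CONFIG_FILE.
#   If the value is a ${VAR} reference, looks up "export VAR=value" in
#   ENVVARS_FILE (Debian's /etc/apache2/envvars).
resolve_apache_user() {
    conf=$1; envvars=${2:-/dev/null}

    # Last directive wins, as in Apache; comments and UserDir do not match.
    raw=$(sed -n 's/^[[:space:]]*User[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$conf" | tail -n 1)
    [ -n "$raw" ] || { echo "no User directive in $conf" >&2; return 1; }

    case $raw in
        \$\{*\})
            # ${APACHE_RUN_USER} -> APACHE_RUN_USER, then look it up.
            var=$(printf '%s\n' "$raw" | sed 's/^\${//; s/}$//')
            val=$(sed -n "s/^[[:space:]]*export[[:space:]]\{1,\}$var=\(.*\)/\1/p" "$envvars" | tail -n 1)
            # Strip optional surrounding quotes from the shell assignment.
            val=${val#\"}; val=${val%\"}; val=${val#\'}; val=${val%\'}
            [ -n "$val" ] || { echo "$var not set in $envvars" >&2; return 1; }
            printf '%s\n' "$val" ;;
        *)
            printf '%s\n' "$raw" ;;
    esac
}

# uid_of USER
#   Numeric UID for USER, or "unknown" if no such account exists here.
uid_of() {
    id -u "$1" 2>/dev/null || echo unknown
}

# running_web_user
#   Owner of the first non-root apache2/httpd worker process, if any.
#   Assumption: "ps -eo user=,comm=" is supported (procps and BSD ps are).
running_web_user() {
    ps -eo user=,comm= 2>/dev/null | awk '$2 ~ /^(apache2|httpd)$/ && $1 != "root" { print $1; exit }'
}
```

On a Debian host this would be `resolve_apache_user /etc/apache2/apache2.conf /etc/apache2/envvars`; on a Red Hat style host `resolve_apache_user /etc/httpd/conf/httpd.conf`. Feed the result to `uid_of` and compare with `running_web_user` before using it in a chown.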
 
crazedsanityCommented:
@Ray: your idea of running chmod during the time of an XML writing can run into some timing issues.  It could be very rare, but it is possible that two processes could overlap in a way where the second gets denied (the first changes permissions as the second is about to write the file).
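An alternative to the chmod/flock/chmod-back sequence proposed a few comments up, which avoids the overlap problem raised here by never changing the directory mode at all: the directory stays at 770, each write goes to a temporary file in the same directory and is renamed into place, and writers serialise on a lock. This is an added example, not code from the thread. It uses `mkdir` as the lock because creating a directory is atomic and needs no extra tools; rename within one filesystem is atomic on POSIX, so a reader never sees a half-written XML file. It assumes the caller is the directory's owner or a member of its group (the web server account) and that the directory is on a local filesystem. The same structure in the PHP script itself would be tempnam plus rename, with flock on a lock file; that mapping is an assumption and not something the thread shows.

```shell
#!/bin/sh
# Added example, not from the thread. Publish an XML file into a 770
# directory without toggling permissions: lock, write a temp file, rename.
# Assumptions: caller is the directory owner or in its group; local
# filesystem (rename atomicity and mkdir-as-lock are not guaranteed on NFS).

set -u

# with_lock LOCKDIR CMD...
#   Run CMD while holding LOCKDIR. mkdir either creates the directory or
#   fails, atomically, so only one process gets in. Retries for ~10 s.
with_lock() {
    lock=$1; shift
    tries=0
    until mkdir "$lock" 2>/dev/null; do
        tries=$((tries + 1))
        [ "$tries" -lt 10 ] || { echo "lock busy: $lock" >&2; return 75; }
        sleep 1
    done
    if "$@"; then rc=0; else rc=$?; fi
    rmdir "$lock"
    return $rc
}

# write_xml_atomic OUTDIR NAME CONTENT
#   Write CONTENT to OUTDIR/NAME via a temp file in the same directory,
#   mode 660, then rename it into place so readers see old or new, never
#   partial. The temp file is removed if anything fails.
write_xml_atomic() {
    dir=$1; name=$2; content=$3
    tmp=$(mktemp "$dir/.${name}.XXXXXX") || return 1
    # Owner/group read-write like the rest of the tree, nothing for "other".
    chmod 660 "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s\n' "$content" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$dir/$name" || { rm -f "$tmp"; return 1; }
}

# publish_xml OUTDIR NAME CONTENT
#   Locked, atomic write. Concurrent callers queue on OUTDIR/.lock.
publish_xml() {
    with_lock "$1/.lock" write_xml_atomic "$1" "$2" "$3"
}

# is_world_readable PATH
#   Succeeds if "other" can read PATH (the thing a 777 setup gives away).
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -o+r -print)" ]
}
```

Example use: `publish_xml /var/www/app/data feed.xml "$xml"`. Because the directory's own mode never changes, two writers arriving at once simply queue on the lock instead of one of them hitting a permission-denied error.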
 
Hugh McCurdyCommented:
@crazedsanity, from /etc/passwd

apache:x:80:80:User for Apache:/srv/httpd:/bin/false

www:x:80:80:Webmaster:/home/httpd/htdocs:/bin/bash


The first is from a Slackware system I loaded.  The second is from a RedHat system that I didn't load.
 
crazedsanityCommented:
@hmccurdy: not trying to argue... but on my Debian server, www-data's UID is 33; on a Fedora box it is 48, and on a CentOS box it is 48.  I don't think I have an actual RedHat server available, nor Slackware... anyway, the point is that assuming the UID is 80 is like assuming the server in question is a specific flavor of Linux.

The moral of this story: never assume that an ID on one system will be the same on another (the same goes for GIDs, and for assuming that "apache" or "www-data" will always be the user for the Apache process).
 
Hugh McCurdyCommented:
crazed, I agree.  It's an old RH.  Been trying to get it updated but RH5 has a serious bug in GTK (from my perspective) and RH wouldn't apply the fix.  RH should be the same as CentOS if the version #'s match.
