PHP chmod 777 security?

Hi,

I have a folder that gets written to by a PHP script. I had to change the folder permissions to 777 to allow the script to write to the folder and create the XML files.

I am a little hesitant about this because this URL is embedded inside of an iPhone app and is visible. Is this a security issue?

If so, what can I do to make it secure?

Thanks.
Solutionabc Asked:
 
Ray Paseur Commented:
It typically does not take very long to write an XML file.  Maybe this is worth considering:

1. chmod to allow writing
2. flock and write xml file
3. release the lock and chmod back to your preferred security setting
0
 
Hugh McCurdy Commented:
Yes, it's a security issue.

Can you make the folder owned by the server's login?  Look in the /etc/passwd file for the user with userid = 80.  Most likely it's apache or www.

Make the file owned by apache or www.
0
 
Hugh McCurdy Commented:
Having said that, as this is a security question, please wait around to see if someone else has something to say on this issue.
0
 
Hugh McCurdy Commented:
You could then have the permissions be 770 or 700.  If you want yourself to own the file and apache to be the group, then 770 for the folder/directory.  660 for the file.
0
 
amitnepal Commented:
Yes, that is a security issue. What you can do is change the owner of the folder to apache:

chown -R apache:apache <foldername>
chmod u+rwx <foldername>

or, chmod 770 foldername
0
 
crazedsanity Commented:
@hmccurdy: I've never seen a system where the user that owns the Apache process has the UID of 80... where are you getting this?

For the proper user id, look in the Apache configuration (/etc/apache2/apache2.conf) for a line that starts "User ".  In my server's configuration, it says:

User ${APACHE_RUN_USER}

That's an environment variable that is set in "envvars.conf":

export APACHE_RUN_USER=www-data


The only security risk I can think of as far as the ownership settings of that particular directory is that other users can read, write, & execute items in that folder.  In most configurations, the webserver (Apache) runs as a specific user, so any other website on the server would be able to read from or write to that same folder, even if it was another user.
0
 
crazedsanity Commented:
@Ray: your idea of running chmod during the time of an XML writing can run into some timing issues.  It could be very rare, but it is possible that two processes could overlap in a way where the second gets denied (the first changes permissions as the second is about to write the file).
0
 
Hugh McCurdy Commented:
@crazedsanity, from /etc/passwd

apache:x:80:80:User for Apache:/srv/httpd:/bin/false

www:x:80:80:Webmaster:/home/httpd/htdocs:/bin/bash


The first is from a Slackware system I loaded.  The second is from a RedHat system that I didn't load.
0
 
crazedsanity Commented:
@hmccurdy: not trying to argue... but on my Debian server, www-data's UID is 33; on a Fedora box it is 48, and on a CentOS box it is 48.  I don't think I have an actual RedHat server available, nor Slackware... anyway, the point is that assuming the UID is 80 is like assuming the server in question is a specific flavor of Linux.

The moral of this story: never assume that an ID on one system will ever be the same on another (the same goes for GIDs, and for assuming that "apache" or "www-data" will always be the user for the Apache process).
0
 
Hugh McCurdy Commented:
crazed, I agree.  It's an old RH.  Been trying to get it updated but RH5 has a serious bug in GTK (from my perspective) and RH wouldn't apply the fix.  RH should be the same as CentOS if the version #'s match.
0
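The fix the thread converges on (chown to the web server's user, then 770 on the directory and 660 on the files instead of 777), combined with crazedsanity's advice to read the run user from the Apache config rather than assuming a UID, as an added example script that is not from any of the posters. The config paths, the envvars file name and the directory path in the usage line are assumptions; the script uses the same name for user and group, which matches the "apache:apache" / "www-data" setups described above.

```shell
#!/bin/sh
# Added example, not code from the thread: look up the web server's run user
# from the Apache config (never assume a UID such as 80), then apply the
# 770 directory / 660 file layout with no "other" bits instead of 777.

# apache_user CONF [ENVVARS]: print the user named by the "User" directive.
# If the directive is written "${APACHE_RUN_USER}" style, resolve it from
# ENVVARS (Debian's envvars file: "export APACHE_RUN_USER=www-data").
apache_user() {
    conf=$1; envvars=${2:-}
    user=$(awk '$1 == "User" { print $2; exit }' "$conf")
    case $user in
        '${'*'}')
            var=$(printf '%s\n' "$user" | tr -d '${}')   # ${X} -> X
            [ -n "$envvars" ] || return 1
            user=$(sed -n "s/^export ${var}=//p" "$envvars" | head -n 1)
            ;;
    esac
    [ -n "$user" ] && printf '%s\n' "$user"
}

# set_modes DIR: directories 770, files 660 (owner and group only; other
# users on the same host, and other sites under the same server, get nothing).
set_modes() {
    find "$1" -type d -exec chmod 770 {} + &&
    find "$1" -type f -exec chmod 660 {} +
}

# harden_dir DIR CONF [ENVVARS]: give the tree to the web server user and
# group (chown needs root), then remove the world-writable bits.
harden_dir() {
    dir=$1; conf=$2; envvars=${3:-}
    user=$(apache_user "$conf" "$envvars") ||
        { echo "no User directive found in $conf" >&2; return 1; }
    chown -R "$user:$user" "$dir" && set_modes "$dir"
}

# Usage (as root; paths are assumptions for illustration):
#   harden_dir /var/www/app/xmlout /etc/apache2/apache2.conf /etc/apache2/envvars
```

The PHP script keeps write access through group membership (or ownership), so the directory no longer needs to be writable by everyone.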
Question has a verified solution.