asked on Can the owner of a file/folder be given just read access?
hi guys
Is it possible for the the owner of a file/folder to merely have read and execute permissions in Linux? And then have another user with full read/write/execute who is not the owner?
The reason being is that not long ago, we were hacked due to php vulnerabilities and someone used sql injection that took over the site. The loopholes in php have been patched. However, we believe the reason the person was able to do this was because the owner of the file/group for those directories had full write permissions, so when the php code executed it acted as 'the owner'. This way, if something like this was attempted again, the php script would attempt to execute as the owner and realise it doesn't have permissions and fail. I'm assuming?
Thanks
Yashy
Is it possible for the the owner of a file/folder to merely have read and execute permissions in Linux? And then have another user with full read/write/execute who is not the owner?
The reason being is that not long ago, we were hacked due to php vulnerabilities and someone used sql injection that took over the site. The loopholes in php have been patched. However, we believe the reason the person was able to do this was because the owner of the file/group for those directories had full write permissions, so when the php code executed it acted as 'the owner'. This way, if something like this was attempted again, the php script would attempt to execute as the owner and realise it doesn't have permissions and fail. I'm assuming?
Thanks
Yashy
LinuxCloud ComputingPHP
Last Comment
ExpertNotReally
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Thanks for responding. See, I thought that when someone finds a php vulnerability, then if there is a security flaw in the php script, then the person will manage to execute a script purely because the server sees them as the rightful owner of those files and hence it will just permit that execution to take place. So the hacker isn't hacking onto our servers directly, but using the php vulnerabilities to execute a file.
But then if I make the administrator the owner with a password, let's say that a genius mastermind finds a way through the form fields on our site and finds a vulnerability, and it finds a way to use the 'Fopen' function and open a php file and save to it. If the admin account has a password, are you saying the mastermind won't be able to execute anything as they would get prompted? As last time, the owner was the EC2-user on Amazon's servers which you can only log on with if you have a private key which the hacker wouldn't have. So that's why I'm puzzled by the creation of a password, when a private key would possibly be more secure?
Hence why I thought if I could have the Owner as Ec2-user, but only give it read access. Then create a new user with full write access. So if there was a 'hack', then the server would see the execution coming from the server side owner (ec2-user), but as it only has read access would prevent it from executing anything? Does any of what I said make sense?
But then if I make the administrator the owner with a password, let's say that a genius mastermind finds a way through the form fields on our site and finds a vulnerability, and it finds a way to use the 'Fopen' function and open a php file and save to it. If the admin account has a password, are you saying the mastermind won't be able to execute anything as they would get prompted? As last time, the owner was the EC2-user on Amazon's servers which you can only log on with if you have a private key which the hacker wouldn't have. So that's why I'm puzzled by the creation of a password, when a private key would possibly be more secure?
Hence why I thought if I could have the Owner as Ec2-user, but only give it read access. Then create a new user with full write access. So if there was a 'hack', then the server would see the execution coming from the server side owner (ec2-user), but as it only has read access would prevent it from executing anything? Does any of what I said make sense?
I use Linux less than Windows, but if anyone or anything tries to access a folder where the owner has a difficult password, I have not seen them succeed, except if the entire machine was hacked. At the folder level, the password should be required and if the owner is different than the user then a script probably would not be able to figure it out.
... Thinkpads_User
... Thinkpads_User
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
.... Thinkpads_User