
Can the owner of a file/folder be given just read access?

Yashy asked
Last Modified: 2014-01-20
Hi guys

Is it possible for the owner of a file/folder to merely have read and execute permissions in Linux? And then have another user with full read/write/execute who is not the owner?

The reason is that not long ago, we were hacked due to php vulnerabilities and someone used sql injection that took over the site. The loopholes in php have been patched. However, we believe the reason the person was able to do this was because the owner of the file/group for those directories had full write permissions, so when the php code executed it acted as 'the owner'. This way, if something like this was attempted again, the php script would attempt to execute as the owner and realise it doesn't have permissions and fail. I'm assuming?


Thanks
Yashy

John, Business Consultant (Owner)

Commented:
I should have also said that if you succeeded in your objective, no one could delete the file. Hence my suggestion above.

.... Thinkpads_User

Author

Commented:
Thanks for responding. See, I thought that when someone finds a php vulnerability, then if there is a security flaw in the php script, then the person will manage to execute a script purely because the server sees them as the rightful owner of those files and hence it will just permit that execution to take place. So the hacker isn't hacking onto our servers directly, but using the php vulnerabilities to execute a file.

But then if I make the administrator the owner with a password, let's say that a genius mastermind finds a way through the form fields on our site and finds a vulnerability, and it finds a way to use the 'Fopen' function and open a php file and save to it. If the admin account has a password, are you saying the mastermind won't be able to execute anything as they would get prompted? As last time, the owner was the EC2-user on Amazon's servers which you can only log on with if you have a private key which the hacker wouldn't have. So that's why I'm puzzled by the creation of a password, when a private key would possibly be more secure?

Hence why I thought if I could have the Owner as Ec2-user, but only give it read access. Then create a new user with full write access. So if there was a 'hack', then the server would see the execution coming from the server side owner (ec2-user), but as it only has read access would prevent it from executing anything? Does any of what I said make sense?
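
An added example, not part of the original thread: on Linux the owner of a file can restore its own write bit with `chmod`, so the useful question is which paths the account running the PHP code owns or can otherwise write to. This POSIX shell audit lists them; the web root path and the account name `apache` are assumptions.

```shell
#!/bin/sh
# Added example: which paths under a web root can one account modify?

# audit_writable DIR ACCOUNT
#   DIR      web root to inspect (assumption: e.g. /var/www/html)
#   ACCOUNT  user name or numeric UID the PHP code runs as
# Prints "<reason> <path>" per finding; reason is owner, group or other.
audit_writable() {
    dir=$1
    acct=$2

    # Owner: flagged whatever the mode bits say, because the owner can
    # chmod u+w its own file and then write to it.
    find "$dir" -user "$acct" -print | sed 's/^/owner /'

    # Group: group-writable and owned by a group the account belongs to.
    for grp in $(id -Gn "$acct" 2>/dev/null); do
        find "$dir" ! -type l ! -user "$acct" -group "$grp" -perm -020 -print |
            sed 's/^/group /'
    done

    # Other: world-writable (symlinks skipped, their mode bits are unused).
    find "$dir" ! -type l ! -user "$acct" -perm -002 -print | sed 's/^/other /'
}

# Run as: sh audit.sh /var/www/html apache   (file name is hypothetical)
if [ "$#" -eq 2 ]; then
    audit_writable "$1" "$2"
fi
```

An empty result for the PHP account means injected code running as that account cannot alter anything under the web root through file permissions alone.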
John, Business Consultant (Owner)

Commented:
I use Linux less than Windows, but if anyone or anything tries to access a folder where the owner has a difficult password, I have not seen them succeed, except if the entire machine was hacked. At the folder level, the password should be required and if the owner is different than the user then a script probably would not be able to figure it out.

... Thinkpads_User