Solved

Can the owner of a file/folder be given just read access?

Posted on 2014-01-11
6
383 Views
Last Modified: 2014-01-20
hi guys

Is it possible for the the owner of a file/folder to merely have read and execute permissions in Linux? And then have another user with full read/write/execute who is not the owner?

The reason being is that not long ago, we were hacked due to php vulnerabilities and someone used sql injection that took over the site. The loopholes in php have been patched. However, we believe the reason the person was able to do this was because the owner of the file/group for those directories had full write permissions, so when the php code executed it acted as 'the owner'. This way, if something like this was attempted again, the php script would attempt to execute as the owner and realise it doesn't have permissions and fail. I'm assuming?


Thanks
Yashy
0
Comment
Question by:Yashy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 95

Assisted Solution

by:John Hurst
John Hurst earned 100 total points
ID: 39773932
You need to make an administrator owner of the folder and then have that admin provide read permissions to the user.

Provide an ultra strong password for this admin account.

.... Thinkpads_User
0
 
LVL 110

Assisted Solution

by:Ray Paseur
Ray Paseur earned 100 total points
ID: 39773934
It's not likely that you will find a good solution if you go down that path.  A more appropriate direction is to Accept Only Known Good Values, and this probably means changing your PHP scripts (there is nothing in PHP that is inherently vulnerable).

This is required reading for any PHP developer:
http://php.net/manual/en/security.php 

This is old, but it explains a lot of the bad history of PHP security:
http://phpsec.org/projects/guide/

This is old, too, but it has been updated for modern times:
http://www.sitepoint.com/php-security-blunders/

This blunder is still hanging around in some PHP installations, but most of them have already been destroyed by hackers:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_7317-Register-Globals-a-bad-idea-from-day-one.html

This organization is worth joining:
https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet

And amazingly, there are still some developers who have not seen this:
http://xkcd.com/327/

HTH, and best of luck with your hardening project, ~Ray
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 39773936
I should have also said that if you succeeded in your objective, no one could delete the file. Hence my suggestion above.

.... Thinkpads_User
0
Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!

 
LVL 1

Author Comment

by:Yashy
ID: 39774158
Thanks for responding. See, I thought that when someone finds a php vulnerability, then if there is a security flaw in the php script, then the person will manage to execute a script purely because the server sees them as the rightful owner of those files and hence it will just permit that execution to take place. So the hacker isn't hacking onto our servers directly, but using the php vulnerabilities to execute a file.

But then if I make the administrator the owner with a password, let's say that a genius mastermind finds a way through the form fields on our site and finds a vulnerability, and it finds a way to use the 'Fopen' function and open a php file and save to it. If the admin account has a password, are you saying the mastermind won't be able to execute anything as they would get prompted? As last time, the owner was the EC2-user on Amazon's servers which you can only log on with if you have a private key which the hacker wouldn't have. So that's why I'm puzzled by the creation of a password, when a private key would possibly be more secure?

Hence why I thought if I could have the Owner as Ec2-user, but only give it read access. Then create a new user with full write access. So if there was a 'hack', then the server would see the execution coming from the server side owner (ec2-user), but as it only has read access would prevent it from executing anything? Does any of what I said make sense?
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 39774167
I use Linux less than Windows, but if anyone or anything tries to access a folder where the owner has a difficult password, I have not seen them succeed, except if the entire machine was hacked. At the folder level, the password should be required and if the owner is different than the user then a script probably would not be able to figure it out.

... Thinkpads_User
0
 
LVL 1

Accepted Solution

by:
ExpertNotReally earned 300 total points
ID: 39775086
Yes, the owner can have read and execute writes over a file/folder and yes another user could have full rights over said file/folder.  The user who you would want to have full access would need to be part of a group that would then have the access. Which would look something like the following.

Create new group
groupadd groupname

Open in new window

Add existing user to the group
usermod -a -G groupname username

Open in new window

Change File/Folder Ownership
chown OwnerUsername:GroupJustCreated /path/to/file

Open in new window

Change Permissions
chmod 570 /path/to/file

Open in new window


Now before you think about doing this, if you do not have root access over the server or have yet to add anyone to the group you will lose access to the file/folder.  Another thing to consider is to check if the web server has ownership of the files/folders in question.  I know there are cases where changes must be made to the files/folders from within a web browser which usually requires the web server to have write permissions in order to save the changes.  If this is not the case simply verifying the server does not have write access should negate your issue.
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A customer recently asked me about anti-malware and the different deployment options available for his business. Daily news about cyberattacks, zero-day vulnerabilities, and companies that suffered a security breach made him wonder if the endpoint …
Do you know what to look for when considering cloud computing? Should you hire someone or try to do it yourself? I'll be covering these questions and looking at the best options for you and your business.
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question