Re: [PHP] Security Question, re directory permissions [long answer]
My pleasure, Arno!

On 5/22/07, Arno Kuhl [EMAIL PROTECTED] wrote:

-----Original Message-----
From: Daniel Brown [mailto:[EMAIL PROTECTED]
Sent: 18 May 2007 10:27
To: Al
Cc: php-general@lists.php.net
Subject: Re: [PHP] Security Question, re directory permissions [long answer]

On 5/18/07, Al [EMAIL PROTECTED] wrote:

I'm on a shared Linux host and have been wondering about security and directory other [world] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a dir on the doc root has permissions 757? If there is a security problem, what is it? Thanks...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

DISCLAIMER: Bear with me, this is a bit of a long answer. Enjoy!

I can't think of any good reason why you'd have 757 for your permissions, first of all. Secondly, yes, there are security holes in having world-writable directories on a shared system. Some scripts require that you have these permissions set, and this is primarily for uploading files. However, better care should be taken by the authors to work around the 777-required permissions. For example, if uploading an image on the web to a web-accessible directory, it could instead be done as follows:

Set permissions on [directory] to 777.

Run script createdir.php via the web:

    <?php
    // $dir_name: path of the new directory inside [directory]
    mkdir($dir_name);
    chmod($dir_name, 0700);
    ?>

Set permissions on [directory] back to the original permissions (probably 750 or 755).

The above example does the following:

1.) Sets the directory to allow everyone to read, write, and execute.
2.) Apache creates a directory and sets permissions so that only it can read, write, and execute what's in there.
3.) Sets the directory back to the original (hopefully secure) permissions.

That means that you won't be able to add, remove, or modify anything in that directory, of course, including the directory itself, unless you do so via the web. For example, you won't be able to use FTP to upload to that directory, nor can you delete anything from there via FTP or SSH (unless your host has REALLY screwed something up).

Of course, if php_suexec is running, or if you set the SUID on the script, then the scripts will execute as the user they belong to, not as apache/nobody/daemon or whatever Apache is set to run as. This means that the above paragraph does not apply, and even via Apache, it would be as though you had manually placed the files there. This is the most-secure operation as far as that goes, but can lead to problems of privilege escalation if someone is able to create files under the UID of a different user on the system and have suexec run the files.

And a basic refresher on Unix permissions as a whole (these NEVER apply to root, who can do anything, anytime, anywhere):

    Specialty   User   Group   Everyone
        #         #      #        #

Everyone knows the basics of chmod:

        -         7      5        5

`chmod 755 script.php`
-rwxr-xr-x script.php

- Owner can read, write, and execute
- Members of primary group can read and execute (can't write to file)
- Everyone else can read and execute (can't write to file)

Another example:

`chmod 640 script.php`
-rw-r----- script.php

- Owner can read and write (can't execute file)
- Members of primary group can read (can't write or execute file)
- No one else (again, beside root) can read, write, or execute file

Each bit is comprised of a math formula with values as follows:

4 - Read
2 - Write
1 - Execute
0 - No permissions (cannot be added to above numbers in permission bit, of course)

So to get the number for the permission bit, simply add the above numbers together to get the sum. For example, if you want the owner of the file to be able to read, write, and execute, the group to be able to read and execute, and the rest of the world to only be able to read, you'd calculate the following:

Owner (read, write, execute): 4 + 2 + 1 = 7
Group (read and execute): 4 + 1 = 5
Everyone (read only): 2

Your permissions as above would be 752 (`chmod 752 script.php`).

Now, on to the 4-digit permission values you've probably seen elsewhere begin with what's called a 'specialty bit' which allows the owner (or root) to enforce one of the following:

4 - SUID (if executed, runs as owner, with owner permissions)
2 - GUID (if executed, runs as group, with group permissions)
1 - Sticky (if directory, only user can modify
Re: [PHP] Security Question, re directory permissions
On 5/19/07, itoctopus [EMAIL PROTECTED] wrote:

I'm genuinely interested to know with whom you're hosting...

No problem, it's www.dapx.com, it hasn't a lot of security, safe_mode is off for example. If you know the right stuff from another user on the same server, you can actually do some nice stuff :)

Tijnema

-- itoctopus - http://www.itoctopus.com

Tijnema [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

On 5/19/07, Al [EMAIL PROTECTED] wrote:

How can anyone, other than the staff, get into my site? Far as I know, other users can't get out of their own domain space and into mine.

That's quite easy, especially when you have SSH access. Of course, it will only work with specific settings, and that might be blocked on some hosts, but it works for me. On my host, accounts for domains are just in /home so let's say I have 2 accounts, account a and b. Their directories are resp. /home/a and /home/b. When I create a directory with account a at /home/a/dir, and I chmod it 757, I can write a file there from account b.

Tijnema

Tijnema wrote:

On 5/19/07, Al [EMAIL PROTECTED] wrote:

But, SSH and telnet, etc. require authentication login-in and all the executables you mentioned [and others] require someone who has access to upload a harmful file to start with. Right? Once they are in there, they can do anything they please anyhow.

Al.

Well, you were talking about a shared Linux host, so other people, from a different account, could just upload files, and if you have a directory with 757, that user could write to it.

Tijnema

Tijnema ! wrote:

On 5/18/07, Al [EMAIL PROTECTED] wrote:

How can they write or edit files there without having ftp access or the site's file manager?

SSH access? Telnet maybe? PHP script? CGI script? ASP script? There are a lot of possible ways someone can write there.

Tijnema

Tijnema ! wrote:

On 5/18/07, Al [EMAIL PROTECTED] wrote:

I'm on a shared Linux host and have been wondering about security and directory other [world] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a dir on the doc root has permissions 757? If there is a security problem, what is it? Thanks...

If you have a directory with 757 permissions, world can create new files there. And if you give files 757 (or 646) permissions, then world can edit that file. So if you have a doc dir, you probably don't want extra files there. It's not really a security problem, but if somebody notices it, he might write files there.

Tijnema
Re: [PHP] Security Question, re directory permissions
I use Hosting Matters. It is super reliable and solid.

itoctopus wrote:

I'm genuinely interested to know with whom you're hosting...
[PHP] Security Question, re directory permissions
I'm on a shared Linux host and have been wondering about security and directory other [world] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a dir on the doc root has permissions 757? If there is a security problem, what is it? Thanks...
Re: [PHP] Security Question, re directory permissions
On 5/18/07, Al [EMAIL PROTECTED] wrote:

I'm on a shared Linux host and have been wondering about security and directory other [world] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a dir on the doc root has permissions 757? If there is a security problem, what is it? Thanks...

If you have a directory with 757 permissions, world can create new files there. And if you give files 757 (or 646) permissions, then world can edit that file. So if you have a doc dir, you probably don't want extra files there. It's not really a security problem, but if somebody notices it, he might write files there.

Tijnema
Re: [PHP] Security Question, re directory permissions
How can they write or edit files there without having ftp access or the site's file manager?

Tijnema ! wrote:

On 5/18/07, Al [EMAIL PROTECTED] wrote:

I'm on a shared Linux host and have been wondering about security and directory other [world] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a dir on the doc root has permissions 757? If there is a security problem, what is it? Thanks...

If you have a directory with 757 permissions, world can create new files there. And if you give files 757 (or 646) permissions, then world can edit that file. So if you have a doc dir, you probably don't want extra files there. It's not really a security problem, but if somebody notices it, he might write files there.

Tijnema
Re: [PHP] Security Question, re directory permissions
On 5/18/07, Al [EMAIL PROTECTED] wrote:

How can they write or edit files there without having ftp access or the site's file manager?

SSH access? Telnet maybe? PHP script? CGI script? ASP script? There are a lot of possible ways someone can write there.

Tijnema

Tijnema ! wrote:

On 5/18/07, Al [EMAIL PROTECTED] wrote:

I'm on a shared Linux host and have been wondering about security and directory other [world] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a dir on the doc root has permissions 757? If there is a security problem, what is it? Thanks...

If you have a directory with 757 permissions, world can create new files there. And if you give files 757 (or 646) permissions, then world can edit that file. So if you have a doc dir, you probably don't want extra files there. It's not really a security problem, but if somebody notices it, he might write files there.

Tijnema
Re: [PHP] Security Question, re directory permissions [long answer]
On 5/18/07, Al [EMAIL PROTECTED] wrote:

I'm on a shared Linux host and have been wondering about security and directory other [world] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a dir on the doc root has permissions 757? If there is a security problem, what is it? Thanks...

DISCLAIMER: Bear with me, this is a bit of a long answer. Enjoy!

I can't think of any good reason why you'd have 757 for your permissions, first of all. Secondly, yes, there are security holes in having world-writable directories on a shared system. Some scripts require that you have these permissions set, and this is primarily for uploading files. However, better care should be taken by the authors to work around the 777-required permissions. For example, if uploading an image on the web to a web-accessible directory, it could instead be done as follows:

Set permissions on [directory] to 777.

Run script createdir.php via the web:

    <?php
    // $dir_name: path of the new directory inside [directory]
    mkdir($dir_name);
    chmod($dir_name, 0700);
    ?>

Set permissions on [directory] back to the original permissions (probably 750 or 755).

The above example does the following:

1.) Sets the directory to allow everyone to read, write, and execute.
2.) Apache creates a directory and sets permissions so that only it can read, write, and execute what's in there.
3.) Sets the directory back to the original (hopefully secure) permissions.

That means that you won't be able to add, remove, or modify anything in that directory, of course, including the directory itself, unless you do so via the web. For example, you won't be able to use FTP to upload to that directory, nor can you delete anything from there via FTP or SSH (unless your host has REALLY screwed something up).

Of course, if php_suexec is running, or if you set the SUID on the script, then the scripts will execute as the user they belong to, not as apache/nobody/daemon or whatever Apache is set to run as. This means that the above paragraph does not apply, and even via Apache, it would be as though you had manually placed the files there. This is the most-secure operation as far as that goes, but can lead to problems of privilege escalation if someone is able to create files under the UID of a different user on the system and have suexec run the files.

And a basic refresher on Unix permissions as a whole (these NEVER apply to root, who can do anything, anytime, anywhere):

    Specialty   User   Group   Everyone
        #         #      #        #

Everyone knows the basics of chmod:

        -         7      5        5

`chmod 755 script.php`
-rwxr-xr-x script.php

- Owner can read, write, and execute
- Members of primary group can read and execute (can't write to file)
- Everyone else can read and execute (can't write to file)

Another example:

`chmod 640 script.php`
-rw-r----- script.php

- Owner can read and write (can't execute file)
- Members of primary group can read (can't write or execute file)
- No one else (again, beside root) can read, write, or execute file

Each bit is comprised of a math formula with values as follows:

4 - Read
2 - Write
1 - Execute
0 - No permissions (cannot be added to above numbers in permission bit, of course)

So to get the number for the permission bit, simply add the above numbers together to get the sum. For example, if you want the owner of the file to be able to read, write, and execute, the group to be able to read and execute, and the rest of the world to only be able to read, you'd calculate the following:

Owner (read, write, execute): 4 + 2 + 1 = 7
Group (read and execute): 4 + 1 = 5
Everyone (read only): 2

Your permissions as above would be 752 (`chmod 752 script.php`).

Now, on to the 4-digit permission values you've probably seen elsewhere begin with what's called a 'specialty bit' which allows the owner (or root) to enforce one of the following:

4 - SUID (if executed, runs as owner, with owner permissions)
2 - GUID (if executed, runs as group, with group permissions)
1 - Sticky (if directory, only user can modify/rename/delete files within; if file, on only *nix systems, keep file in RAM upon delete)

Using the same concept and convention as above with the math, you can create single or combination permissions on the specialty bit of the permissions. Some examples:

4755 - Owner can read/write/execute; group and everyone else can
Re: [PHP] Security Question, re directory permissions
But, SSH and telnet, etc. require authentication login-in and all the executables you mentioned [and others] require someone who has access to upload a harmful file to start with. Right? Once they are in there, they can do anything they please anyhow.

Al.

Tijnema ! wrote:

On 5/18/07, Al [EMAIL PROTECTED] wrote:

How can they write or edit files there without having ftp access or the site's file manager?

SSH access? Telnet maybe? PHP script? CGI script? ASP script? There are a lot of possible ways someone can write there.

Tijnema

Tijnema ! wrote:

On 5/18/07, Al [EMAIL PROTECTED] wrote:

I'm on a shared Linux host and have been wondering about security and directory other [world] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a dir on the doc root has permissions 757? If there is a security problem, what is it? Thanks...

If you have a directory with 757 permissions, world can create new files there. And if you give files 757 (or 646) permissions, then world can edit that file. So if you have a doc dir, you probably don't want extra files there. It's not really a security problem, but if somebody notices it, he might write files there.

Tijnema
Re: [PHP] Security Question, re directory permissions
On 5/19/07, Al [EMAIL PROTECTED] wrote:

But, SSH and telnet, etc. require authentication login-in and all the executables you mentioned [and others] require someone who has access to upload a harmful file to start with. Right? Once they are in there, they can do anything they please anyhow.

Al.

Well, you were talking about a shared Linux host, so other people, from a different account, could just upload files, and if you have a directory with 757, that user could write to it.

Tijnema

Tijnema ! wrote:

On 5/18/07, Al [EMAIL PROTECTED] wrote:

How can they write or edit files there without having ftp access or the site's file manager?

SSH access? Telnet maybe? PHP script? CGI script? ASP script? There are a lot of possible ways someone can write there.

Tijnema

Tijnema ! wrote:

On 5/18/07, Al [EMAIL PROTECTED] wrote:

I'm on a shared Linux host and have been wondering about security and directory other [world] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a dir on the doc root has permissions 757? If there is a security problem, what is it? Thanks...

If you have a directory with 757 permissions, world can create new files there. And if you give files 757 (or 646) permissions, then world can edit that file. So if you have a doc dir, you probably don't want extra files there. It's not really a security problem, but if somebody notices it, he might write files there.

Tijnema
Re: [PHP] Security Question, re directory permissions
How can anyone, other than the staff, get into my site? Far as I know, other users can't get out of their own domain space and into mine.

Tijnema wrote:

On 5/19/07, Al [EMAIL PROTECTED] wrote:

But, SSH and telnet, etc. require authentication login-in and all the executables you mentioned [and others] require someone who has access to upload a harmful file to start with. Right? Once they are in there, they can do anything they please anyhow.

Al.

Well, you were talking about a shared Linux host, so other people, from a different account, could just upload files, and if you have a directory with 757, that user could write to it.

Tijnema

Tijnema ! wrote:

On 5/18/07, Al [EMAIL PROTECTED] wrote:

How can they write or edit files there without having ftp access or the site's file manager?

SSH access? Telnet maybe? PHP script? CGI script? ASP script? There are a lot of possible ways someone can write there.

Tijnema

Tijnema ! wrote:

On 5/18/07, Al [EMAIL PROTECTED] wrote:

I'm on a shared Linux host and have been wondering about security and directory other [world] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a dir on the doc root has permissions 757? If there is a security problem, what is it? Thanks...

If you have a directory with 757 permissions, world can create new files there. And if you give files 757 (or 646) permissions, then world can edit that file. So if you have a doc dir, you probably don't want extra files there. It's not really a security problem, but if somebody notices it, he might write files there.

Tijnema
Re: [PHP] Security Question, re directory permissions
On Fri, 2007-05-18 at 20:16 -0400, Al wrote:

How can anyone, other than the staff, get into my site? Far as I know, other users can't get out of their own domain space and into mine.

Bugs in your code, bugs in third-party code, bugs in PHP itself, sometimes they can be abused to take advantage of your server. The less secure everything else is, the greater the advantage that can be taken. Just ask anyone who's had their site defaced.

Cheers,
Rob.

--
InterJinn Application Framework - http://www.interjinn.com
An application and templating framework for PHP. Boasting a powerful, scalable system for accessing system services such as forms, properties, sessions, and caches. InterJinn also provides an extremely flexible architecture for creating re-usable components quickly and easily.
Re: [PHP] Security Question, re directory permissions
On 5/19/07, Al [EMAIL PROTECTED] wrote:

How can anyone, other than the staff, get into my site? Far as I know, other users can't get out of their own domain space and into mine.

That's quite easy, especially when you have SSH access. Of course, it will only work with specific settings, and that might be blocked on some hosts, but it works for me. On my host, accounts for domains are just in /home so let's say I have 2 accounts, account a and b. Their directories are resp. /home/a and /home/b. When I create a directory with account a at /home/a/dir, and I chmod it 757, I can write a file there from account b.

Tijnema

Tijnema wrote:

On 5/19/07, Al [EMAIL PROTECTED] wrote:

But, SSH and telnet, etc. require authentication login-in and all the executables you mentioned [and others] require someone who has access to upload a harmful file to start with. Right? Once they are in there, they can do anything they please anyhow.

Al.

Well, you were talking about a shared Linux host, so other people, from a different account, could just upload files, and if you have a directory with 757, that user could write to it.

Tijnema

Tijnema ! wrote:

On 5/18/07, Al [EMAIL PROTECTED] wrote:

How can they write or edit files there without having ftp access or the site's file manager?

SSH access? Telnet maybe? PHP script? CGI script? ASP script? There are a lot of possible ways someone can write there.

Tijnema

Tijnema ! wrote:

On 5/18/07, Al [EMAIL PROTECTED] wrote:

I'm on a shared Linux host and have been wondering about security and directory other [world] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a dir on the doc root has permissions 757? If there is a security problem, what is it? Thanks...

If you have a directory with 757 permissions, world can create new files there. And if you give files 757 (or 646) permissions, then world can edit that file. So if you have a doc dir, you probably don't want extra files there. It's not really a security problem, but if somebody notices it, he might write files there.

Tijnema
Re: [PHP] Security Question, re directory permissions
I guess your comment "The less secure everything else is." is the best answer.

I'm developing a CMS where logged-in, selected users can create new directories and pages in them. I'm comfortable that my code is secure. I'm using php's ftp functions, with good security, to mkdir and create special files.

Guess, I'll go to the trouble to change permissions to create new stuff and then restore them to 755 and 644.

Thanks everyone.

Robert Cummings wrote:

On Fri, 2007-05-18 at 20:16 -0400, Al wrote:

How can anyone, other than the staff, get into my site? Far as I know, other users can't get out of their own domain space and into mine.

Bugs in your code, bugs in third-party code, bugs in PHP itself, sometimes they can be abused to take advantage of your server. The less secure everything else is, the greater the advantage that can be taken. Just ask anyone who's had their site defaced.

Cheers,
Rob.
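The 757 and 646 modes discussed in this thread, and the 755/644 values they get restored to, can be checked for mechanically. The script below is an added example, not part of any message in the thread: it lists world-writable directories and files under a document root with POSIX `find -perm` tests, separates directories protected by the sticky bit from those that are not, and clears only the other-write bit. The function names and the `public_html` sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit a document root for entries that
# "other" (world) can write to, then remove only that bit.
# Assumes POSIX find/chmod/sed and paths without embedded newlines.

# Print one "<TAG> <path>" line per entry under $1 that has the other-write
# bit (octal 0002) set:
#   DIR-OPEN    directory without sticky bit (757, 777): any local account
#               can create, rename or delete entries in it
#   DIR-STICKY  directory with sticky bit (1777): anyone can create entries,
#               but only the entry's or the directory's owner can remove them
#   FILE        regular file (646, 666): any local account can edit it
audit_world_writable() {
    {
        find "$1" -type d -perm -0002 ! -perm -1000 -print | sed 's/^/DIR-OPEN /'
        find "$1" -type d -perm -0002 -perm -1000 -print | sed 's/^/DIR-STICKY /'
        find "$1" -type f -perm -0002 -print | sed 's/^/FILE /'
    } | sort -k2
}

# Clear the other-write bit and nothing else: 757 -> 755, 646 -> 644,
# 1777 -> 1775. Symbolic links are skipped by the -type tests.
strip_world_write() {
    find "$1" \( -type d -o -type f \) -perm -0002 -exec chmod o-w {} +
}

# Constructed sample tree standing in for a shared-host document root.
build_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/public_html" "$t/public_html/uploads" \
          "$t/public_html/cache" "$t/public_html/tmp"
    : > "$t/public_html/index.php"
    : > "$t/public_html/uploads/config.inc"
    chmod 755 "$t/public_html" "$t/public_html/cache"
    chmod 757 "$t/public_html/uploads"             # the mode asked about
    chmod 1777 "$t/public_html/tmp"
    chmod 644 "$t/public_html/index.php"
    chmod 646 "$t/public_html/uploads/config.inc"  # world-editable file
    printf '%s\n' "$t"
}

demo=$(build_demo_tree)
echo "Before:"
audit_world_writable "$demo/public_html"
strip_world_write "$demo/public_html"
echo "After (no findings expected):"
audit_world_writable "$demo/public_html"
rm -rf "$demo"
```

Clearing other-write on a directory the web server writes to as a different user will stop those writes, so review the audit output before running the strip step on a live site.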
Re: [PHP] Security Question, re directory permissions
I'm genuinely interested to know with whom you're hosting...

-- itoctopus - http://www.itoctopus.com

Tijnema [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

On 5/19/07, Al [EMAIL PROTECTED] wrote:

How can anyone, other than the staff, get into my site? Far as I know, other users can't get out of their own domain space and into mine.

That's quite easy, especially when you have SSH access. Of course, it will only work with specific settings, and that might be blocked on some hosts, but it works for me. On my host, accounts for domains are just in /home so let's say I have 2 accounts, account a and b. Their directories are resp. /home/a and /home/b. When I create a directory with account a at /home/a/dir, and I chmod it 757, I can write a file there from account b.

Tijnema

Tijnema wrote:

On 5/19/07, Al [EMAIL PROTECTED] wrote:

But, SSH and telnet, etc. require authentication login-in and all the executables you mentioned [and others] require someone who has access to upload a harmful file to start with. Right? Once they are in there, they can do anything they please anyhow.

Al.

Well, you were talking about a shared Linux host, so other people, from a different account, could just upload files, and if you have a directory with 757, that user could write to it.

Tijnema

Tijnema ! wrote:

On 5/18/07, Al [EMAIL PROTECTED] wrote:

How can they write or edit files there without having ftp access or the site's file manager?

SSH access? Telnet maybe? PHP script? CGI script? ASP script? There are a lot of possible ways someone can write there.

Tijnema

Tijnema ! wrote:

On 5/18/07, Al [EMAIL PROTECTED] wrote:

I'm on a shared Linux host and have been wondering about security and directory other [world] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a dir on the doc root has permissions 757? If there is a security problem, what is it? Thanks...

If you have a directory with 757 permissions, world can create new files there. And if you give files 757 (or 646) permissions, then world can edit that file. So if you have a doc dir, you probably don't want extra files there. It's not really a security problem, but if somebody notices it, he might write files there.

Tijnema