  1. #1
    SitePoint Enthusiast
    Join Date
    Apr 2005
    Posts
    36

    file permissions of html files

    I'm writing a php application that modifies the html files of a web site. Unfortunately I need to give the files world writable permissions (i.e. 666) otherwise php cannot access them.
    Will this cause security problems?
    If so, does anyone know a solution?
    thanks,
    Ed

  2. #2
    SitePoint Evangelist sputza's Avatar
    Join Date
    Jan 2002
    Location
    Canada
    Posts
    528
    I don't think it would cause security problems.
    Steven Watkins
    Chief Web Ninja
    Code Monkey Interactive
    lowgravity.ca

  3. #3
    SitePoint Enthusiast
    Join Date
    Apr 2005
    Location
    Normal, Illinois
    Posts
    57
    Yeah I don't think this would be a problem either.
    hi!

  4. #4
    SitePoint Evangelist
    Join Date
    Aug 2005
    Posts
    512
    If you are using shared hosting, other users or those who hijacked another user's account
    may be able to write to the file (and any other file in the writable directory)
    and take over your site ... (worst-case scenario).

    Having said that, I think it's more important to secure bad PHP applications
    and your own home/office PC, these days.
    Freebie/DonationWare: check-these.info
    Custom solutions: Hostwick.com

  5. #5
    SitePoint Evangelist sputza's Avatar
    Join Date
    Jan 2002
    Location
    Canada
    Posts
    528
    Quote Originally Posted by extras
    If you are using shared hosting, other users or those who hijacked another user's account
    may be able to write to the file (and any other file in the writable directory)
    and take over your site ... (worst-case scenario).
    I don't think the permissions of the file would make a difference if the whole server is compromised.
    Steven Watkins
    Chief Web Ninja
    Code Monkey Interactive
    lowgravity.ca

  6. #6
    SitePoint Evangelist
    Join Date
    Aug 2005
    Posts
    512
    Quote Originally Posted by sputza
    I don't think the permissions of the file would make a difference if the whole server is compromised.
    With 777, anybody can write and execute,
    and the bad guy doesn't have to compromise the whole server to take advantage of that.
    He/she just has to have access, and it's very easy to obtain access by many means.
    (Cracking a poorly written PHP app or one of Mat's scripts, for example.)
    Freebie/DonationWare: check-these.info
    Custom solutions: Hostwick.com

  7. #7
    SitePoint Enthusiast
    Join Date
    Apr 2005
    Posts
    36
    It's a pity that the ftp server gives the files a different owner and group, otherwise you wouldn't need world privileges.

  8. #8
    SitePoint Evangelist
    Join Date
    Aug 2005
    Posts
    512
    Well, you can ask the host to use SuExec or other setup that allows CGI/PHP to run
    as a user rather than "nobody" or "www-something".
    If not, you can store everything in DB, or just live with the risk, or even change the host.

    Again, I think the risks against your home machine and/or PHP apps are
    far greater than the risk from the insecure server setup you have.
    Freebie/DonationWare: check-these.info
    Custom solutions: Hostwick.com
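
The two ways out of mode 666 raised in posts #7 and #8 (PHP running as the file's owner, or the files sharing a group with the PHP user) can be audited and applied from a shell. This is an added example, not part of the original thread; the function names and the demo tree are constructed, and the current user's group stands in for the web server's group.

```bash
#!/bin/sh
# Added example, not from the thread. Paths and group names are assumptions.

# Print files and directories under $1 that any local user can write to.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Case 1: PHP runs as the file owner (suEXEC-style setup).
# Owner write is enough, so only the world-write bit is dropped.
drop_world_write() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
}

# Case 2: PHP runs as a separate web-server user that belongs to group $2.
# Hand the tree to that group and swap world-write for group-write.
# chgrp succeeds only for root, or for the owner if he is a member of $2.
share_with_group() {
    chgrp -R "$2" "$1" || return 1
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod g+w,o-w {} +
}

# Constructed demo tree: one 666 page, one 644 page, one 777 directory.
make_demo_tree() {
    demo_root=$(mktemp -d) || return 1
    mkdir "$demo_root/uploads"
    : > "$demo_root/index.html"
    : > "$demo_root/about.html"
    chmod 666 "$demo_root/index.html"
    chmod 644 "$demo_root/about.html"
    chmod 777 "$demo_root/uploads"
    printf '%s\n' "$demo_root"
}

root=$(make_demo_tree)
echo "World-writable before:"; list_world_writable "$root"
share_with_group "$root" "$(id -g)"   # current gid stands in for the web group
echo "World-writable after:";  list_world_writable "$root"
ls -l "$root"
rm -rf "$root"
```

On a real site, run `list_world_writable` against the document root first and review the list before changing any modes.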

  9. #9
    SitePoint Evangelist sputza's Avatar
    Join Date
    Jan 2002
    Location
    Canada
    Posts
    528
    Quote Originally Posted by extras
    With 777, anybody can write and execute,
    and the bad guy doesn't have to compromise the whole server to take advantage of that.
    He/she just has to have access, and it's very easy to obtain access by many means.
    (Cracking a poorly written PHP app or one of Mat's scripts, for example.)
    Yes, you are correct. I misunderstood the reply.

    If the script has holes... then you are in for some possible trouble. I think rather than focusing on the html files as the security hole, make sure your PHP code is solid.
    Steven Watkins
    Chief Web Ninja
    Code Monkey Interactive
    lowgravity.ca

