Jump to content

tork

Members
  • Content count

    64
  • Joined

  • Last visited

Community Reputation

0 Neutral

About tork

  • Rank
    Regular Member

Profile Information

  • Gender
    Not Telling
  1. The server is AWS linux apache running PHP, with me the sole developer as owner ec2-user. Objective: To upload files from the app user's browser (handled) to a temporary directory (/test_sub below) within the /html tree, then for security purposes, to have PHP move this file to outside the /html tree (/private_sub below) where it will remain unable to be read, written to or deleted except when the app requires PHP to do this. The app needs PHP to make any directory permission changes via chmod, and perhaps owner changes and group changes (preferably not the last two). Here is the directory structure and SUDO output to accomplish this: /var drwxr-xr-x 21 root root 4096 Dec 11 19:23 /var /www drwxrwsr-x 11 root www 4096 May 1 16:50 /var/www : /html drwxrwsr-x 5 root www 4096 Apr 25 19:51 /var/www/html : : /AWS_s drwxrwsr-x 8 ec2-user www 4096 May 1 16:54 /var/www/html/AWS_s : : : /test_dir drwxrwsrwx 3 ec2-user www 4096 May 1 16:52 /var/www/html/AWS_s/test_dir : : : : /test_sub drwxrwsrwx 4 ec2-user www 4096 May 1 23:14 /var/www/html/AWS_s/test_dir/test_sub : : : : : /test_file.txt -rw-r--r-- 1 ec2-user www 13 Apr 24 13:36 /var/www/html/AWS_s/test_dir/test_sub/test_file.txt : : /private_dir drwxrwxrwx 3 ec2-user www 4096 May 1 21:02 /var/www/private_dir : : /private_sub drwxrwxrwx 2 ec2-user www 4096 May 1 21:19 /var/www/private_dir/private_sub : : : /moved_file.txt -rw-r--r-- 1 ec2-user ec2-user 13 Apr 24 13:36 /var/www/private_dir/private_sub/moved_file.txt : : : /copied_file.txt -rw-r--r-- 1 apache apache 13 May 1 23:49 /var/www/private_dir/private_sub/copied_file.txt : : /private_sub2 drwxr-xr-x 2 apache apache 4096 May 2 00:18 /var/www/private_dir/private_sub2 The PHP scripts are run in the /test_sub directory. The default permissions for directories are drwx rws r-x 2775. Only when the /private directories are both set to 777 and the setgid is unset will they allow files to be written to them. When the two /test directories are set to the default of 775 with the setgid set, they allow files to be copied from them. However, when the move (rename) script is run, the delete function of the copy and delete process throws an error unless both /test directories are reset to 777 clearly allowing files to be deleted. I'm concerned that the /test and /private directories need to be 777, opening them up to bad actors. I've spent days researching and testing many options but have failed to resolve this. Clearly, I'm missing something fundamental here My questions: 1. Why do the two /test and the two /private directories need to have the 'other' set to rwx? I read that PHP uses group www and therefore that group www should allow the writes in the /private directories and the reads and deletes in the /test directories. 2. Why does copied_file.txt have owner:group as apache:apache instead of ec2-user:www and likewise when I mkdir /private_sub2 in PHP? 3. Why does moved_file.txt have owner:group ec2-user:ec2-user instead of ec2-user:www? 4. Why did PHP mkdir create the non-default permission 0755 in /private_sub2? 5. Why, using PHP, do chown, chgrp and chmod fail to make changes to /private_sub/moved_file.txt?
  2. And indeed, I may have changed gidset along the way, since the AWS_s and AWS_s/nm-app were created in Feb, whereas AWS_s/cr-app was created in Apr Nicely spotted Forgotten Administartor
  3. Perhaps this is why gidset wasn't set .. I'm not sure where I created each directory .. # Directory created on aws: # File has group www /bin/ls -latrd /var/www/test_dir_new_aws drwxrwsr-x 2 ec2-user www 4096 Apr 24 20:52 /var/www/test_dir_new_aws # Directory transferred by ftp: # File has group www /bin/ls -latrd /var/www/test_dir_new_ftp drwxr-xr-x 2 ec2-user www 4096 Apr 24 20:52 /var/www/test_dir_new_ftp
  4. drwxr-xr-x 6 ec2-user www 4096 Feb 25 22:14 /var/www/html/AWS_s drwxr-xr-x 7 ec2-user www 4096 Feb 24 20:29 /var/www/html/AWS_s/nm-app drwxr-xr-x 4 ec2-user ec2-user 4096 Apr 9 19:05 /var/www/html/AWS_s/cr-app nm-app and cr-app have the same parent AWS_s. The setgid is set in AWS_s's parent html. Why then do nm-app and cr-app's groups differ?
  5. Ok. As the user, I ran the following: mkdir /var/www/html/html-sub-dir-by-sudo /bin/ls -latrd /var/www/html/html-sub-dir-by-sudo drwxrwsr-x 2 ec2-user www 4096 Apr 24 19:09 /var/www/html/html-sub-dir-by-sudo id ec2-user uid=500(ec2-user) gid=500(ec2-user) groups=500(ec2-user),10(wheel),501(www) Still got www instead of ec2-user.
  6. I have an AWS EC2 linux instance running a PHP app for use by anyone from their browser, and developed by myself as owner. The directory tree is: /var /var/www /var/www/html /var/www/html/AWS_s /var/www/html/AWS_s/nm-app /var/www/html/AWS_s/cr-app The owner, groups & permissions are: drwxrwsr-x 10 root www 4096 Dec 25 01:03 /var/www drwxrwsr-x 5 root www 4096 Feb 26 22:42 /var/www/html drwxr-xr-x 6 ec2-user www 4096 Feb 25 22:14 /var/www/html/AWS_s drwxr-xr-x 7 ec2-user www 4096 Feb 24 20:29 /var/www/html/AWS_s/nm-app drwxr-xr-x 4 ec2-user ec2-user 4096 Apr 9 19:05 /var/www/html/AWS_s/cr-app Any ideas as to why /cr-app was automatically given the group ec2-user rather than the same group as nm-app which is www? I have not changed any groups.
  7. Thank you Jacques1 Along with the research that I've already done, that's exactly what I needed to know! I respect the research you have done over your career and appreciate your willingness to share it.
  8. I've been searching for sources to help me understand Linux Apache permissions from the PHP programmer's perspective getting only the rwx and 755 type descriptions and processes in abundance. What I need is a *source* that I can learn Linux permissions from the perspective of the *PHP programmer*, not for the Linux admin who has the box locally or remotely. I'd like to know, for example, when to give each of the three users which permissions for my PHP app's directories, data files and PHP scripts on the basis of heightening security.
  9. tork

    Permissions and PHP dev

    The /private and /data folders are 755. I didn't see any config files in cgi-bin (if that's what you're saying), and in the .config folder there's only a file called .keep which has no data in it (as far as I can tell).
  10. tork

    Permissions and PHP dev

    Thanks requinix. Here's a solution .. may help others .. [sc]=shortcut This is my directory structure: root /.config /.logs /[sc]public_html (points to /web) /[sc]my web site name without the .com (points to root) /web : /web/my web site folders Create private folders like this: /private /data /web (URL access can only read files from this folder on down, so the 2 folders above are private) Create include files in /private where they cannot be read by the browser but can include them with: require('../private/myIncludeFile.php'); The data goes in /data which needs world rw access and can be opened like this (example from w3schools): <?php $myfile = fopen("../data/webdictionary.txt", "r") or die("Unable to open file!"); echo fread($myfile,filesize("../data/webdictionary.txt")); fclose($myfile); ?> So the calling file within /web calls the include file in /private which reads the text file in /data. I tried getting the include file to run directly from the browser (not through the /web calling script) and it could not find the file. Also, I tried getting the text file from the /data text file directly from the browser and it couldn't find the file. This is what I expected to happen because only public files under the /web folder are accessible via a url. This means the folder structure makes the /web folder files safe against users who might try to gain access to /web files using uploads to /data files - hackers aside.
  11. tork

    Permissions and PHP dev

    So, should the 'not permitted to write' of 'group' and 'other' of a folder or file prevent anything being written to that folder or file except by the owner/user(7)? Or do I misunderstand?
  12. tork

    Permissions and PHP dev

    Ah! I'm too fast with checking once I create the folders. I just checked a new folder 10 minutes ago, and it did not show permissions. Yet now it does; 755. I guess the server's on valerian
  13. tork

    Permissions and PHP dev

    Strange. I just checked the properties of the uploads folder that I created 7 hours ago, and it now shows permissions and they are 755, with the user and group having the same id. To see if PHP (being subject to other) could upload the image file, I ran the upload test script again and it succeeded. Should the 'no permission to write' of group and other not prevent anything being written to that folder's files except by the owner/user (being 7)? Or do I misunderstand?
  14. tork

    Permissions and PHP dev

    I notice that the uploads directory does not show permissions, whereas all directories that I have created above it do show permissions. Those that were created by the host do not have permissions. Is all this normal?
  15. tork

    Permissions and PHP dev

    The permissions are 644. From the image file properties, the user (owner) and group have the same id.
×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.