Jump to content

Seucirty and CHMOD 777 for php scripts


bambinou1980

Recommended Posts

Hello,

 

I would like to understand a little bit more about CHMOD777 please as I looked online and some say it is fine while other are against having a folder with 777.

 

Here is my problem.

 

I have an sms printer which requires access to a folder on my website in order to download all the orders in txt format.

All my orders are currently being appended to multiple .txt files in that specific folder which is in the public_html location, so if someone finds the folder he will be able to see all the orders in those .txt files.

 

My question is:

If my folder is CHMOD 777 could someone change the text content of my .txt file via the web, if yes how? I need to understand how this can happen in order to stop it, could you please tell me a little more about it and how can people hurt websites which have CHMOD777 on certain folders?

 

Thank you,

 

 

Link to comment
Share on other sites

First of all: Security doesn't work like this. You don't start with all possible privileges and then think about the damage this can cause. You start with zero privileges and then figure out what is required for the job. So you have it backwards.

 

Using 777 permissions on a folder means that every single account on the system (including the webserver) can create new files, delete existing files and list the folder content. Even worse: Since this is the document root, your webserver will probably execute any file ending with “.php”. So once an attacker has gained access to the folder (which probably isn't too hard in your case), they can create a malicious PHP script, execute it through your webserver and get deeper into the system. If you routinely use 777 permissions, you're now screwed.

 

Why on earth would you risk that?

 

To be honest, the whole approach doesn't make a terrible lot of sense to me. Is there any reason why you need physical text files all over the place? Can't you use a proper database and a PHP script which serves the data dynamically?

  • Like 1
Link to comment
Share on other sites

Hi Jacques,

 

This is a dedicated server with only 1 account and we do not share this server with anyone else.

I see 777 permissions in many php scripts I download, especially for pictures upload folders, this is why I wanted to ask this question. I have pretty much never downloaded a script that do not require CHMOD 777 for picture upload.

What would be the best way to allow some text to be appended to a .txt file on the server using a php script without having this .txt file CHMOD to 777, would you have a step by step on this please as I have created a php script last time and I just cannot append anything to this .txt file without chmoding it to 777 first.

 

Let's say my ftp account user is called "user xyz", why can't my php script that was uploaded with "user xyz" cannot write to anything in that "user xzy/public_html/folder/hello.txt" location without any CHMOD777((on the .txt file), I just do not understand this security part, this does not make sense to me as "user xyz" is already the owner of this web server account and the file itself was uploaded by user xyz.

 

In reply to your question regarding the .txt file, the sms printers work this way:

1)You append a line of text with *, ; and # symbols which are delimiters for the order items, prices and so on.

 

 

2)One order is defined by # at the start and # at the end.

 

3)Every 10 seconds the printer connects to a PHP file that has the username and password of the printer, if they both match, the php file serves the .txt file to the printer.

 

4)The printer recognize that a new order arrived by comparing the byte size of the .txt file of the last download vs the new download, if the byte size is different, the printer knows a new order is here. The order number is also being read by the printer and this number has to also be different from the last download.

 

5)The printer can only download 1024 bytes maximum per download, therefore if the .txt file is 1500 bytes, it will need 2 downloads to process the full order and 20 seconds in total.

 

 

In the instruction of such printer, it says to use a .txt file so the byte size of the order can be calculated by the printer.

 

When the order is fully downloaded and that no other orders have appended to the .txt file, the txt file has to be cleared.

 

The url that is pinged by the printer is hard coded inside the printer firmware.

 

I hope this explains a little better why we need to use a .txt file.

 

 

Thank you.

Edited by bambinou1980
Link to comment
Share on other sites

If somebody tells you that you need 777 permissions for uploads, then they clearly don't know what they're doing, and you probably shouldn't use their code.

 

Why should the group have any permissions? Why should “others” have any permissions? Why should the folder be readable (which enables directory listing)? Why should the individual files be executable when they clearly aren't supposed to contain code? At most, the upload directory would be executable + writable for the owner (300), and the invidual files would be writable + readable for the owner (600).

 

But again: Just because the printer expects plaintext content behind a “.txt” URL doesn't mean you physically need a text file. It should be perfectly possible and much easier to “emulate” the text file with a PHP script hiding behind that URL. The script can read the individual orders from a database and serve them as plaintext content. Anyway, if you disagree, we can leave it at that.

Link to comment
Share on other sites

Hi Jacques,

 

I think the part that really confuses me is the group and users part.

I am learning php at the moment, Linux is not an OS i have used before, I am still a bit lost onto what is the difference between a domain user, ftp user and script user, are they the same?

 

 

Are users and groups in Linux the same as the users you create via a cpanel or are they totally different?

 

I do not know if you have ever used a WHM panel on a dedicated server but is there a way to see a global picture of all the groups and users on the server?

I am reading about Wheel groups in the WHM, are they the same as Linux groups?

https://documentation.cpanel.net/display/ALD/Manage+Wheel+Group+Users

 

 

Let's say I create a PHP file right now in an ftp directory, will the owner of that file be the user linked to the cpanel account?

 

Thank you,

Link to comment
Share on other sites

I'm not familiar with those management panels, but you should be able to view the file properties and see exactly which user and group a particular file belongs to. All users are stored in /etc/passwd, and the groups are in /etc/group.

 

The upload directory should be assigned to the user and group of the webserver (usually something like www-data).

 

By the way, don't use FTP. It provides neither confidentiality nor integrity, so anybody who happens to sit between you and the server can read the traffic (including your password) and possibly even manipulate it. Use a modern, secure protocol like SFTP or SCP.

 

 

 

I am reading about Wheel groups in the WHM, are they the same as Linux groups?

https://documentation.cpanel.net/display/ALD/Manage+Wheel+Group+Users

 

There's a single system group called “wheel” which contains privileged administration users. Do not use this for regular users!

Link to comment
Share on other sites

Thank you Jacques, 

 

I will have to look deeper into this and check via ssh those folders. I will also look online and try to find some tutorials about users and groups for Linux systems,how to create or delete them and give them permissions.

Yes I am using sftp with FileZilla, I have always used it that way.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.