CHMOD security settings

[php_joe]

I have a webpage that some hacker managed to load a file onto.

 

My website's help support suggested that I should not use chmod 0777 since it is not secure.

 

However, I need to allow my site's visitors to open files & write information to them.

 

My question:

Is there a setting that will allow site members to create, open, write to, and delete files using my pages but will not allow them to create their own pages outside of my control?

[effigy]

Are these files ever executed? Is the path accessible to the user, i.e., they can type it into the address bar?

[Wildbug]

chmod dir to 555 or 755?

 

It might help also to restrict your world writeable files to a specific directory.

[php_joe]

Are these files ever executed? Is the path accessible to the user, i.e., they can type it into the address bar?

 

Some are, some are not. What I'm mainly worried about is someone injecting a file into a folder and using it to create new files or modify & damage existing files.

 

chmod dir to 555 or 755?

 

It might help also to restrict your world writeable files to a specific directory.

 

I'll try 555, thanks!

 

Do you know how to resitrict access to the folder so that files on my site can access it but visitors can not access it directly?

[Wildbug]

Do you know how to resitrict access to the folder so that files on my site can access it but visitors can not access it directly?

 

"Visitors" use PHP via the webserver to access your pages; they don't do it directly.  So whichever user the webserver runs under is who is accessing your filesystem and permissions+ownership will apply to that user.

 

Unless, by "visitors," you mean users who are actually logged on to your system, then you can set the permissions to 600 or something.

[effigy]

Are these files ever executed? Is the path accessible to the user, i.e., they can type it into the address bar?

 

Some are, some are not. What I'm mainly worried about is someone injecting a file into a folder and using it to create new files or modify & damage existing files.

 

Who controls the execution? What prevents a user from creating "file.txt", but adding a shebang line of "#!/usr/bin/perl" for example, and then executing their file?

[php_joe]

"Visitors" use PHP via the webserver to access your pages; they don't do it directly.  So whichever user the webserver runs under is who is accessing your filesystem and permissions+ownership will apply to that user.

 

I've seen websites that have a folder full of images. If you try to view the image directly then it redirects you or says "forbidden" but it still shows up on the webpages.

 

I tried changing the folder's permissions, but whenever I deny access to the folder all I get is a red X where the image on the webpage should be.

 

I know that I can put all the remote files in a secret folder. I'm just worried about some hacker guessing the member account's folder's name, or using a search program to find it.

[Wildbug]

I've seen websites that have a folder full of images. If you try to view the image directly then it redirects you or says "forbidden" but it still shows up on the webpages.

 

I think the only way to do that is through the webserver configuration, and it can still be overcome if a user can set the HTTP_REFERER value.  It can't be done via file permissions.  You'd have to set a rewrite rule or something in the httpd.conf file to only server images if requests come from a certain HTTP_REFERER value.  You can restrict directory listings in the httpd.conf (and possibly by turning read access off a directory but leaving it on the files inside the dir).

 

Your webserver is the user accessing the files on the system, regardless of if a user types in the address directly, clicks a link, or is "logged in" one of your web applications.  Whatever permissions you have set always refer to that user.