11-28-2004 #1 | Just Joined! | Join Date: Nov 2004 | Posts: 5
working my way around a 0777 issue - would suid/guid help
Hi,
I have a php script uploading photos through a protected backend area to a public directory. Unfortunately, due to the settings of a server I have no control over the directory I write the photos to has to have its permissions set to 0777 to permit the script to create and write the files.
Naturally, this is not really the way forward. I wonder if I can work around the problem using suid, guid etc??
I don't have a very clear idea of what suid/guid can do, but I understand that one of the settings would allow files within a dir to be run as superuser?? Is this really the case?
If my php file (which is in a .htaccess protected dir) had this permission level it should be able to write files to other areas of the server, right?
Thanks
11-29-2004 #2 | Linux Enthusiast | Join Date: Jun 2002 | Location: San Antonio | Posts: 621
Unless PHP is set up in CGI mode (it almost definitely isn't) you can't run PHP setuid. The script will always execute as if the user running apache had run it. Therefore, all files/directories need to give access to the apache user.
Short answer, no.
Best,
Samuel
I respectfully decline the invitation to join your delusion.
11-29-2004 #3
Do you have root access to the server?
11-29-2004 #4 | Just Joined! | Join Date: Nov 2004 | Posts: 5
I have no root access to the server.
Do you mean PHP would have to be set up on the server to run as CGI? Can I do anything via the script to influence that?
Finally, do I have any options other than setting permissions to 777?
Thanks.
11-29-2004 #5 | Linux Enthusiast | Join Date: Jun 2002 | Location: San Antonio | Posts: 621
You can't run PHP as CGI unless you have root access, and really know what you are doing. Besides that, you have no option besides setting the directory 777.
Best,
Samuel
I respectfully decline the invitation to join your delusion.
11-29-2004 #6 | Just Joined! | Join Date: Nov 2004 | Posts: 5
Thanks.
In that case, i.e. if I leave the settings at 777: who exactly can write to the directory? Is it *just* people who share the server?
How would people discover the dir settings (I mean people who do not share the server) and how can this be exploited? I ask this with a view to ensuring minimum security to prevent such things happening.
My setup will be:
- interactive scripts in .htaccess protected directories for managing photos
- pics in two public dirs set at 0777
- straightforward .php scripts in public dir to serve pages with photos
Is there a standard good way to prevent code that's passed to php scripts by hackers from executing?
Apologies for all these questions, I'm just trying to think of all the angles.
11-29-2004 #7 | Linux Enthusiast | Join Date: Jun 2002 | Location: San Antonio | Posts: 621
Yes, only people that share this server would be able to see that these directories are 777. This is Generally Acceptable for file uploads, since allowing the public to upload files to that directory is _way_ more of a security issue than local users putting files in there.
Also, this is good that you are actually looking around for standard holes people leave open. One thing you may want to do is ensure that the vhost configuration is set so that people can't execute PHP scripts/perl scripts/anything from these upload folders. They will probably need access to the images they are uploading (I am guessing they are avatars or something), so just turning off htaccess parsing, php parsing, and ExecCGI should do fine.
I wouldn't use your PHP program for listing the files in the same directory. I would put the php script in question outside the 777 directory, and just have it "point" over there. You know what I mean? It may mean a bit of coding, but it will be waaaaay better security-wise.
Best,
Samuel
I respectfully decline the invitation to join your delusion.
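Samuel's suggestion of a script that lives outside the 0777 directory and just "points" over there, written out as an added example (this is not code from the thread). It assumes modern PHP (7 or later) and the upload directory path shown; it accepts only a plain file name that resolves inside that directory and sends only files whose bytes are an image, so a script somebody dropped into the world-writable directory is never interpreted or served.

```php
<?php
// Added example, not from the thread: a "pointer" script kept outside
// the 0777 upload directory that streams photos from it. The directory
// path is an assumption; adjust it for the real vhost.
declare(strict_types=1);

const UPLOAD_DIR = '/home/httpd/vhosts/domain.com/httpdocs/photos';

// Only these detected image types are served; a .php or .pl file that
// somebody dropped into the 0777 directory is never interpreted or sent.
const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => 'image/jpeg',
    IMAGETYPE_PNG  => 'image/png',
    IMAGETYPE_GIF  => 'image/gif',
];

// Map a user-supplied name to a real file inside UPLOAD_DIR, or null.
function resolve_photo(string $name): ?string
{
    // Plain file names only: no slashes, no "..", no control characters.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)\z/i', $name)) {
        return null;
    }
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $name);
    // realpath() follows symlinks, so this also rejects a link planted in
    // the upload directory that points at a file elsewhere on the server.
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    return strncmp($path, $base . '/', strlen($base) + 1) === 0 ? $path : null;
}

// Send the file with a Content-Type derived from its bytes, not its name.
function serve_photo(string $path): bool
{
    $info = @getimagesize($path);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        return false;
    }
    header('Content-Type: ' . ALLOWED_TYPES[$info[2]]);
    header('X-Content-Type-Options: nosniff');
    readfile($path);
    return true;
}

$path = resolve_photo($_GET['photo'] ?? '');
if ($path === null || !serve_photo($path)) {
    http_response_code(404);
}
```

Pages in the public directory then link to something like photo.php?photo=holiday01.jpg instead of to the 0777 directory itself, which can additionally be locked down in the vhost config as discussed later in the thread.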
11-29-2004 #8 | Just Joined! | Join Date: Nov 2004 | Posts: 5
Thanks for all the info Samuel!
Well the user (a guy who is travelling around and needs to upload his photos from remote locations) will upload the photos through a backend.
Quote (Samuel):
One thing you may want to do is ensure that the vhost configuration is set so that people can't execute PHP scripts/perl scripts/anything from these upload folders. They will probably need access to the images they are uploading (I am guessing they are avatars or something), so just turning off htaccess parsing, php parsing, and ExecCGI should do fine.
There won't be any scripts at all in the upload directories.
Okay, sorry to ask but it seems you know what you're talking about: so how do I ensure that the vhost config is set correctly (and how do I turn off htaccess/php/ExecCgi parsing etc?).
I only have access to the account via FTP and Plesk.
Thanks again Samuel, I've been asking this question on a number of forums and this is really the first useful response I've had.
11-30-2004 #9 | Linux Enthusiast | Join Date: Jun 2002 | Location: San Antonio | Posts: 621
Ah Plesk
To do this, you will need to have access to the conf directory, and/or ask the "big man in charge" to do something like this to change the htaccess issues on the upload directories:
    <Directory $UPLOADDIR>
        # No .htaccess overrides inside the upload tree, so an uploaded
        # .htaccess file cannot re-enable anything turned off here.
        AllowOverride None
        # Detach the script handlers from these extensions so such files
        # are served as plain data instead of being executed. If PHP is
        # wired up on this host with AddType rather than AddHandler, a
        # matching RemoveType line is needed as well.
        RemoveHandler .php .php4 .phtml .pl .cgi
        # No CGI execution from this directory at all.
        Options -ExecCGI
    </Directory>
You will have to make one of those for each directory that you upload to. Make sure that $UPLOADDIR is /home/httpd/vhosts/domain.com/httpdocs/where/you/upload. Then you put both of these Directory configurations in /home/httpd/vhosts/domain.com/conf/vhost.conf and run /usr/local/psa/admin/bin/websrvmng (this is assuming Plesk 7).
This will turn off php, perl, executable files, and .htaccess files in said directory. Unfortunately, you are probably not allowed to do this as a "normal" Plesk user. You either need to have the Plesk admin take care of this, or have him grant you permissions to your conf directory, and have him run websrvmng once to ensure it is being included in the conf/httpd.include file.
Best,
Samuel
(PS I deal with Plesk on a daily basis, that is why I know all the ridiculous paths and crap)
I respectfully decline the invitation to join your delusion.
11-30-2004 #10 | Just Joined! | Join Date: Nov 2004 | Posts: 5
Thanks Samuel,
I'll go ask the "big man in charge", who until now has been ridiculously quiet on the whole issue.
The guy I'm writing this stuff for has a "reseller" or multidomain account. I don't suppose this would give me access to the things you speak of.
Anyway, thanks again for all the info!
Ger