Find the answer to your Linux question:
Page 1 of 2 1 2 LastLast
Results 1 to 10 of 11
Hi, I have a php script uploading photos through a protected backend area to a public directory. Unfortunately, due to the settings of a server I have no control over ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Nov 2004
    Posts
    5

    working my way around a 0777 issue - would suid/guid help


    Hi,

    I have a php script uploading photos through a protected backend area to a public directory. Unfortunately, due to the settings of a server I have no control over the directory I write the photos to has to have its permissions set to 0777 to permit the script to create and write the files.

    Naturally, this is not really the way forward. I wonder if I can work around the problem using suid, guid etc??

    I don't have a very clear idea of what suid/guid can do, but I understand that one of the settings would allow files within a dir to be run as superuser?? Is this really the case?

    If my php file (which is in a .htaccess protected dir) had this permission level it should be able to write files to other areas of the server, right?

    Thanks

  2. #2
    Linux Enthusiast
    Join Date
    Jun 2002
    Location
    San Antonio
    Posts
    621
    Unless PHP is setup in CGI mode (it almost definately isn't) you can't run PHP setuid. The script will always execute as if the user running apache had run it. Therefore, all files/directories need to give access to the apache user.

    Short answer, no.

    Best,

    Samuel
    I respectfully decline the invitation to join your delusion.

  3. #3
    Linux Engineer Giro's Avatar
    Join Date
    Jul 2003
    Location
    England
    Posts
    1,219
    Do you have root access to the server?

  4. #4
    Just Joined!
    Join Date
    Nov 2004
    Posts
    5
    I have no root access to the server.

    Do you mean PHP would have to be set up on the server to run as CGI? Can I do anything via the script to influence that?

    Finally, do I have any options to setting permissions to 777?

    Thanks.

  5. #5
    Linux Enthusiast
    Join Date
    Jun 2002
    Location
    San Antonio
    Posts
    621
    You can't run PHP as CGI unless you have root access, and really know what you are doing. Besides that, you have no option besides setting the directory 777.

    Best,

    Samuel
    I respectfully decline the invitation to join your delusion.

  6. #6
    Just Joined!
    Join Date
    Nov 2004
    Posts
    5
    Thanks.

    In that case: ie if I leave settings at 777; who exactly can write to the directory? Is it *just* people who share the server?

    How would people discover the dir settings (I mean people who do not share the server) and how can this be exploited? I ask this with a view to ensuring minimum security to prevent such things happening.

    My setup will be:

    interactive scripts in .htaccess protected directories for managing photos

    pics in two public dirs set at 0777
    straightforward .php scripts in public dir to serve pages with photos

    Is there a standard good way to prevent code, that's passed to php scripts by hackers, from executing?

    Apologies for all these questions, I'm just trying to think of all the angles.

  7. #7
    Linux Enthusiast
    Join Date
    Jun 2002
    Location
    San Antonio
    Posts
    621
    Yes, only people that share this server would be able to see that these directories are 777. This is Generally Acceptable for file uploads, since allowing the public to upload files to that directory is _way_ more of a security issue than local users putting files in there.

    Also, this is good that you are actually looking around for standard holes people leave open. One thing you may want to do is ensure that the vhost configuration is set so that people can't execute PHP scripts/perl scripts/anything from these upload folders. They will probably need access to the images they are uploading (I am guessing they are avatars or something), so just turning off htaccess parsing, php parsing, and ExecCGI should do fine.

    I wouldn't use your PHP program for listing the files in the same directory. I would put the php script in question outside the 777 directory, and just have it "point" over there. You know what I mean? It may mean a bit of coding, but it will be waaaaay better security-wise.

    Best,

    Samuel
    I respectfully decline the invitation to join your delusion.

  8. #8
    Just Joined!
    Join Date
    Nov 2004
    Posts
    5
    Thanks for all the info Samuel!

    One thing you may want to do is ensure that the vhost configuration is set so that people can't execute PHP scripts/perl scripts/anything from these upload folders. They will probably need access to the images they are uploading (I am guessing they are avatars or something), so just turning off htaccess parsing, php parsing, and ExecCGI should do fine.
    Well the user (a guy who is travelling around and needs to upload his photos from remote locations) will upload the photos through a backend.

    There won't be any scripts at all in the upload directories.

    Okay, sorry to ask but it seems you know what you're talking about: so how do I ensure that the vhost config is set correctly (and how do I turn off htaccess/php/ExecCgi parsing etc?).

    I only have access to the account via FTP and Plesk.

    Thanks again Samuel, I've been asking this question on a number of forums and this is really the first useful response I've had.

  9. #9
    Linux Enthusiast
    Join Date
    Jun 2002
    Location
    San Antonio
    Posts
    621
    Ah Plesk To do this, you will need to have access to the conf directory, and/or ask the "big man in charge" to do something like this to change the htaccess issues on the upload directories:

    <Directory $UPLOADDIR>
    AllowOverride None
    RemoveHandler .php .php4 .phtml .pl .cgi
    Options -ExecCGI
    </Directory>

    You will have to make one of those for each directory that you uplaod to. Make sure that $UPLOADDIR is /home/httpd/vhosts/domain.com/httpdocs/where/you/upload . Then you put both of these Directory configurations in /home/httpd/vhosts/domain.com/conf/vhost.conf and run /usr/local/psa/admin/bin/websrvmng (this is assuming Plesk 7).

    This will turn off php, perl, executable files, and .htaccess files in said directory. Unfortunately, you are probably not allowed to do this as a "normal" Plesk user. You either need to have the Plesk admin take care of this, or have him grant you permissions to your conf directory, and have him run websrvmng once to ensure it is being included in the conf/httpd.include file

    Best,

    Samuel

    (PS I deal with Plesk on a daily basis, that is why I know all the ridiculous paths and crap)
    I respectfully decline the invitation to join your delusion.

  10. #10
    Just Joined!
    Join Date
    Nov 2004
    Posts
    5
    Thanks Samuel,

    I'll go ask the "big man in charge" - who until now has been ridiculously quiet on the whole issue.

    The guy I'm writing this stuff for has a "reseller" or multidomain account. I don't suppose this would give me access to the things you speak of.

    Anyway, thanks again for all the info!

    Ger

Page 1 of 2 1 2 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •