  1. #1
    Member
    Join Date
    Aug 2006
    Posts
    21

    Folder Permission 755 and File Permission 644 safe ?

    Hi,

    I would like to request assistance.

    My server is configured to use suPHP and PHP runs as CGI.

    May I know if it is safe to have a folder permission of 755 and a file permission of 644?

    The reason I'm asking is that I found out that even though the folder permission is 755 and the file permission is 644, my Joomla application seems able to write the uploaded file into the folder or alter a file that has 644 permission.

    I'm thinking about whether hackers are also able to upload into that folder and alter the files from outside?

    I'd appreciate anybody's advice or opinion.

    Thank you.

  2. #2
    Member
    Join Date
    Jun 2007
    Posts
    138


    Hi,

    "May I know if it is safe to have a folder permission of 755 and a file permission of 644?" Yes, these permissions are safe under suPHP.


    The following are the advantages of suPHP (it should run as CGI):

    * PHP runs as your user/group
    * PHP files can have permissions of 640 (hiding things like passwords from other accounts)
    * Files/folders written by PHP are written as user/group (no Apache or other global user)
    * Custom php.ini file per site (can add/remove security options)


    Please note that suPHP does not allow permissions 666 and 777. The new writable permissions are:

    Files: 644
    Folders: 755

    Also, suPHP will not allow you to declare PHP variables through .htaccess. You can use a php.ini file to declare PHP variables.

    Hope this helps
    LogicSupport.com - Support That Makes Sense!
    Quality Server Management & Web Hosting Support

  3. #3
    Member
    Join Date
    Aug 2006
    Posts
    21


    Hi,

    Thanks for your clarification.

    I found out that even though the folder permission is 755 and the file permission is 644, my PHP Joomla application seems able to write the uploaded file into the folder that has 755 permission or alter a file that has 644 permission.

    Does it also allow a hacker to upload a hack page file into the 755 folder through the web?

  4. #4
    Member
    Join Date
    Aug 2002
    Posts
    1,118


    Quote Originally Posted by smksa:
    Does it also allow a hacker to upload a hack page file into the 755 folder through the web?
    Yes, it would. Though this point should be moot if you keep your applications (scripts) up-to-date and stay up-to-date with the latest security advisories for those applications.

  5. #5
    Member
    Join Date
    Aug 2006
    Posts
    21


    Quote Originally Posted by sparek-3:
    Yes, it would. Though this point should be moot if you keep your applications (scripts) up-to-date and stay up-to-date with the latest security advisories for those applications.

    Does this mean that having folder permission 777 when using non-suPHP and having folder permission 755 when using suPHP will be the same?

  6. #6
    Member
    Join Date
    Aug 2002
    Posts
    1,118


    Quote Originally Posted by smksa:
    Does this mean that having folder permission 777 when using non-suPHP and having folder permission 755 when using suPHP will be the same?
    No.

    If a server requires 777 permissions on a folder in order for PHP to write to that folder, then your server is only as secure as the least secure account on that server.

    If a server requires only 755 permissions for PHP uploads (i.e. with suPHP) then each account is on their own.

    A couple of examples might illustrate this better.

    Say a server has two accounts on it and that server is running PHP through Apache (i.e. no suPHP; 777 directories are required for PHP uploads). The two accounts are apples.com and oranges.com. apples.com is running a Gallery script that requires the upload directory to have world-write enabled (permissions 777), but the owner of apples.com always keeps their Gallery script up-to-date and practices the best security policies. oranges.com, on the other hand, doesn't care about security. They are running an old WordPress install, an old Joomla script, and perhaps some other scripts that they never used and never updated or removed.

    When oranges.com gets hacked into because of the outdated scripts, those hackers may be able to place a PHP shell script onto the account, and they would then have access to write files into apples.com's upload directory, the directory on apples.com that has 777 permissions.

    This doesn't seem quite fair, because apples.com was keeping their scripts up-to-date, yet their account was also being used in the exploit.



    Now consider this same scenario where apples.com and oranges.com are on a server running suPHP. apples.com still has the Gallery script, but because suPHP is in use, the upload directory for the Gallery script can survive with permissions of 755.

    Now when oranges.com gets hacked because of their old and outdated scripts, that hacker cannot upload anything onto the apples.com account because apples.com does not have any open directories. The hacker can go wild on the oranges.com account, upload and delete anything they want. But the blame always goes back to the owner of oranges.com: why wasn't that person keeping their scripts up-to-date?

    This is why, in my opinion, running a shared hosting server with suPHP is a better idea.

    Now an extra word of advice with suPHP. In the above example, I would recommend that apples.com keep their Gallery script's config file set with a permissions setting of 600 or even 400. The reason being, if the config file (the file that contains that Gallery's database login credentials) is using the default permission setting of 644, then the hacker from oranges.com would still be able to read the config file (they would be able to READ any files that are set to 644 or above, just not write to them). This is why you should always create a MySQL username and password for accessing your MySQL databases, and NEVER use your main account username and password in your script's configuration files for accessing MySQL databases. If you do use your main account username and password in the config file, and the config file has a permission setting of 644, then hackers from oranges.com would still be able to read the config file, get your login information, and then FTP into your account.

    Hope this helps.
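The two conditions sparek-3 warns about (a world-writable upload directory, and a config file that other accounts can read) can be audited with plain find. The following is an added example and not code from anyone in this thread; it builds a constructed sample tree using the apples/oranges names from the post, and the config filenames it looks for are assumptions.

```shell
#!/bin/sh
# Audit a web root for the two risks described in the post above:
# directories any local user can write into (the 777 pattern), and
# config files readable by group or others (anything looser than 600).

# Directories with the other-write bit set (-perm -0002 is POSIX find).
world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# Config files that group or others can read; 600 or 400 is the recommendation.
# The filename list is an assumption covering Joomla, WordPress and generic apps.
readable_configs() {
    find "$1" -type f \
        \( -name 'configuration.php' -o -name 'wp-config.php' -o -name 'config.php' \) \
        \( -perm -0004 -o -perm -0040 \) 2>/dev/null | sort
}

# Constructed sample tree (not a real site): apples follows the advice,
# oranges does not. Every mode is set explicitly so umask cannot change it.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/apples/images" "$root/oranges/images"
    chmod 755 "$root/apples" "$root/oranges" "$root/apples/images"
    chmod 777 "$root/oranges/images"          # mod_php-style upload directory
    printf 'db_pass=placeholder\n' > "$root/apples/configuration.php"
    printf 'db_pass=placeholder\n' > "$root/oranges/configuration.php"
    chmod 600 "$root/apples/configuration.php"  # only the account owner can read it
    chmod 644 "$root/oranges/configuration.php" # default mode: other accounts can read it
    echo "$root"
}

# Print any findings; return 0 only when nothing was flagged.
audit_webroot() {
    dirs=$(world_writable_dirs "$1")
    cfgs=$(readable_configs "$1")
    [ -n "$dirs" ] && printf 'world-writable directories:\n%s\n' "$dirs"
    [ -n "$cfgs" ] && printf 'config files readable by other accounts:\n%s\n' "$cfgs"
    [ -z "$dirs" ] && [ -z "$cfgs" ]
}
```

Run audit_webroot against the account's document root (for example /home/apples/public_html) rather than the sample tree to check a real site.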

  7. #7
    Member
    Join Date
    Aug 2006
    Posts
    21

    Thanks

    Wow!! Great explanation.

    Thank you sparek-3 !!
