The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Folder Permission 755 and File Permission 644 safe ?

Discussion in 'Security' started by smksa, Jul 13, 2009.

  1. smksa

    smksa Member

    Joined:
    Aug 1, 2006
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    I would like to request an assistant.

    My server is configured to use SuPHP and PHP run as CGI.

    May i know it is safe to have a folder permission 755 and file permission 644 ?

    The reason i'm asking is that, i found out eventhough the folder permission is 755 and file permission 644, my joomla application seems able to write the uploaded file into the folder or alter a file that have 644 permission.

    I'm thinking whether hackers also able to upload into that folder and alter the files from outside ?

    Appreciates anybody advice or opinion.

    Thank you
    .
     
  2. logicsupport

    logicsupport Well-Known Member

    Joined:
    Jun 5, 2007
    Messages:
    138
    Likes Received:
    0
    Trophy Points:
    16
    Hi ,

    " May i know it is safe to have a folder permission 755 and file permission 644 ? " , Yes these permissions are safe under Suphp.


    The following are the advantages of Suphp ( it should run as cgi )

    * PHP runs as your user/group
    * PHP files can have permissions of 640 (hiding things like passwords from other accounts)
    * Files/folders written by PHP are written as user/group (no Apache or other global user)
    * Custom php.ini file per site (can add/remove security options)


    Please note that suPHP does not allow permissions 666 and 777. The new writable permissions are

    Files: 644
    Folders: 755

    Also suphp will not allow to declare php variable through .htaccess. You can use php.ini file to declare php variables

    Hope this helps
     
  3. smksa

    smksa Member

    Joined:
    Aug 1, 2006
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    Thanks for your clarification.

    I found out eventhough the folder permission is 755 and file permission 644, my PHP Joomla application seems able to write the uploaded file into the folder that have 755 permission or alter a file that have 644 permission.

    Does it also allow hacker to upload the hack page file into the 755 folder through the web ?
     
  4. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,381
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Yes, it would. Though this point should be moot if you keep your applications (scripts) up-to-date and stay up-to-date with the latest security advisories for those applications.
     
  5. smksa

    smksa Member

    Joined:
    Aug 1, 2006
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    1

    Does this means having folder permission 777 when using non-suPHP and having folder permission 755 when using suPHP will be the same ?
     
  6. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,381
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    No.

    If a server requires 777 permissions on folder in order for PHP to write to that folder, then your server is only as secure as the least secure account on that server.

    If a server requires only 755 permissions for PHP uploads (i.e. with suPHP) then each account is on their own.

    A couple of examples might illustrate this better.

    Say a server has two accounts on it and that server is running PHP through Apache (i.e. no suPHP, 777 directories are required for PHP uploads). The two accounts are apples.com and oranges.com. apples.com is running a Gallery script, that requires the upload directory to have world-write enabled, permissions 777, but the owner of apples.com always keeps their Gallery script up-to-date and practices the best security policies. oranges.com on the other hand, they don't care about security. They are running an old Wordpress install, and old Joomla script, and perhaps some other scripts that they never used and never updated or removed.

    When oranges.com gets hacked into because of the outdated scripts, those hackers may be able to place a PHP shell script onto the account, and they would then have access to write files into apples.com's upload directory, the directory on apples.com that has 777 permissions.

    This doesn't seem quite fair, because apples.com was keeping their scripts up-to-date, yet their account was also being used in the exploit.



    Now consider this same scenario where apples.com and oranges.com are on a server running suPHP. apples.com still has the Gallery script, but because suPHP is in use, the upload directory for the Gallery script can survive with permissions of 755.

    Now when oranges.com gets hacked because of their old and outdated scripts, that hacker cannot upload anything onto the apples.com account because apples.com does not have any open directories. The hacker can go wild on the oranges.com account, upload and delete anything they want. But the blame always goes back to the owner of orange.com, why wasn't that person keeping their scripts up-to-date?

    This is why, in my opinion, running a shared hosting server with suPHP is a better idea.

    Now an extra word of advice with suPHP. In the above example, I would recommend that apples.com keep their Gallery scripts config file set with a permissions setting of 600 or even 400. The reason being, if the config file (the file that contains that Gallery's database login credentials) is using the default permission setting of 644, then the hacker from orange.com would still be able to read the config file (they would be able to READ any files that are set to 644 or above, just not write to them). This is why you should always create a MySQL username and password for accessing your MySQL databases, and NEVER use your main account username and password in your script's configuration files for accessing MySQL databases. If you do use your main account username and password in the config file, and the config file has a permission setting of 644, then hackers from orange.com would still be able to read the config file, get your login information, and then FTP into your account.

    Hope this helps.
     
  7. smksa

    smksa Member

    Joined:
    Aug 1, 2006
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    1
    Thanks

    Wow!! great explanation.

    Thank you sparek-3 !!:)
     
Loading...

Share This Page