
How To Scan For Files/Folders With 777 Permissions

Discussion in 'Security' started by Doug E, Mar 27, 2010.

  1. Doug E

    Doug E Well-Known Member

    Joined:
    Aug 17, 2005
    Messages:
    58
    Likes Received:
    0
    Trophy Points:
    6
    I just finished adding suphp to my server and now I'm having trouble with an old script that used 777 permissions.

    I have this script installed on over 40 domains and there are too many folders to go in and change to 755 by hand.

    Is there a command I can use in SSH to find and change files and folders from 777 to 755?

    Outside of my scripts, is there anything that is 777 that should stay 777?

    Also, is there some sort of a security option or add-on in WHM that can check for insecure 777 permissions?
     
  2. thewebhosting

    thewebhosting Well-Known Member

    Joined:
    May 9, 2008
    Messages:
    1,201
    Likes Received:
    1
    Trophy Points:
    38
    You will have to use the commands mentioned below to change the permissions:

    To change the permissions of the files, type the following command at your command prompt:

    find /home/username/public_html -name "*.php" -exec chmod 644 {} \;

    To change the permissions of the folders and sub-folders, type the following command at your command prompt:

    find /home/username/public_html -type d -exec chmod 755 {} \;
     
  3. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    I have a program that will not only set your correct permissions for SuPHP for all your files and folders but will also check the programming of all your scripts and make sure you don't have any chmod or mkdir calls incorrectly attempting to set 777 permissions, and I'd be glad to share that with you if you think it might be of use to you.

    The correct permissions for SuPHP incidentally are as follows:

    0600 PHP Scripts
    0755 Non-PHP Scripts (*.cgi, *.pl, *.pm, *.py, *.e)
    0644 Non-Script Files (Images, CSS, HTML, Templates, Etc)
    0755 All Folders (Any folder you would find below public_html)

    I don't recommend blindly changing your files to 755 (see above), but there should not be any problem doing that with folders. For certain security reasons, I generally prefer the 'xargs' route over exec() calls, but you could go either way:
    Code:
    find /home/*/public_html -type d -perm 777 -print0 | xargs -0 chmod 0755 --
    
    No, nothing should be 777 under either SuPHP or FCGI not only for security reasons but also because you will break your scripts and web sites if you set anything to 777 at all.

    Best case scenario is performance slow downs if something is 777 and worst case scenario (ignoring the obvious getting hacked) is your site going down with Error 500 because of 777 permissions being set anywhere.

    Sure is! Contact me if you need a copy of that.
     
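As an added example (not code posted in this thread), the script below automates what the two replies above describe: it lists every world-writable file and folder under a document root and, on request, repairs them using the suPHP table given above (0755 folders, 0600 PHP scripts, 0755 other scripts, 0644 everything else). Matching on the world-write bit rather than on mode 777 exactly is a generalisation of the thread's `-perm 777`, so 666 files are reported as well. The path /home/username/public_html in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a document root for
# world-writable files and folders (777 is the usual case) and, if asked,
# repair them following the suPHP permission table from the post above
# (0755 folders, 0600 PHP scripts, 0755 cgi/pl/pm/py scripts, 0644 other files).
# Only entries that are currently world-writable are touched, so files that
# were already correct are left exactly as they are.
set -u

# Print an "ls -ld" line for every world-writable file or directory under $1.
# -perm -o=w matches anything whose "other write" bit is set, which covers
# 777, 666 and similar; paths are passed to ls directly, so spaces are safe.
audit_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -o=w -exec ls -ld -- {} +
}

# Number of world-writable entries under $1 (0 means the tree is clean).
count_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -o=w | wc -l | tr -d ' '
}

# True when the entry at $1 has exactly octal mode $2 (e.g. 0755).
# "find PATH -prune -perm MODE" tests the path itself without descending.
has_mode() {
    find "$1" -prune -perm "$2" | grep -q .
}

# Repair world-writable entries under $1. Run as the account owner (or root)
# on a cPanel account's public_html; nothing outside $1 is modified.
fix_world_writable() {
    dir=$1
    # Folders: 0755 (the answer given earlier in the thread)
    find "$dir" -type d -perm -o=w -exec chmod 0755 -- {} +
    # PHP scripts: 0600 per the suPHP table
    find "$dir" -type f -perm -o=w -name '*.php' -exec chmod 0600 -- {} +
    # Non-PHP scripts keep their execute bit: 0755
    find "$dir" -type f -perm -o=w \
        \( -name '*.cgi' -o -name '*.pl' -o -name '*.pm' -o -name '*.py' \) \
        -exec chmod 0755 -- {} +
    # Everything else that was world-writable (images, CSS, HTML, templates): 0644
    find "$dir" -type f -perm -o=w \
        ! -name '*.php' ! -name '*.cgi' ! -name '*.pl' ! -name '*.pm' ! -name '*.py' \
        -exec chmod 0644 -- {} +
}

# Constructed usage (placeholder path): audit one account, then fix it.
#   sh audit_perms.sh /home/username/public_html
#   sh audit_perms.sh /home/username/public_html fix
if [ -n "${1:-}" ]; then
    audit_world_writable "$1"
    [ "${2:-}" = "fix" ] && fix_world_writable "$1"
fi
```

Run the audit first and read the listing before passing `fix`; because the repair step only touches entries that are still world-writable, it can be re-run safely after a script recreates a 777 folder.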
  4. Doug E

    Doug E Well-Known Member

    Joined:
    Aug 17, 2005
    Messages:
    58
    Likes Received:
    0
    Trophy Points:
    6
    Thanks for the replies gents!

    Spiral, I've just sent you a private message with my contact info; I may have to take you up on your program offer :)
     
  5. MadysonBelinda

    MadysonBelinda Registered

    Joined:
    Apr 4, 2010
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Ironically, if you implement a file upload in your script, the upload wouldn't work with any permissions other than 777, or else your upload will fail. So you will be forced to set 777 permissions on your writable folders.

    Alternatively, to secure your server you can implement the following checks in your PHP script as well as on your server. Remember that if you are on a shared hosting plan you might be limited in running as root.

    The first proposed method is best suited for shared hosts, and the second is well suited for those who own their own servers (dedicated or VPS plan).

    METHOD 1:

    1. Assign 775 permission to upload folder
    2. Check the file using PHP functions (if its photo upload)
    3. Disable directory indexes and script exection using .htaccess
    4. Place the upload folder outside WWW root.

    Upload Folder outside WWW Root

    The simple way to secure your contents is to move your folder outside the WWW root. If you run cPanel it's public_html, and in Plesk it's httpdocs. This way the contents of your writable folder will not be revealed to the outside public. Remember it is still writable.

    Inside your PHP script you can access the folder something like to the folder above your WWW root

    ./uploads

    <img src="./uploads/photo.gif">

    Still, anybody could upload a malicious script and run it on your server. To prevent that, place a .htaccess file inside your uploads folder to disable CGI execution. This works well if you are on a shared hosting plan.

    Disable Script Execution and Hide Indexes with .htaccess

    Just create a .htaccess file with the contents below and place it in the uploads folder to disable running malicious scripts. Hiding the folder contents can be pretty useful from a security point of view. The Options -Indexes line in .htaccess disables the indexes.

    Tip: Try assigning the upload folder 775 permission instead of 777. It works sometimes.

    Options -Indexes
    Options -ExecCGI
    AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi

    Disabling execution of these files could give us an extra layer of protection.

    Further, if you are allowing your users only photos or pictures, you can restrict other files by placing the following code in your .htaccess file.

    order deny,allow
    deny from all
    <FilesMatch "\.(jpe?g|png|gif)$">
    allow from all
    </FilesMatch>

    Using PHP Functions to Check Uploaded File

    The first thing to do to implement a secure file upload is to check the uploaded file for its size and type. Because your upload folder permission is 777, your site users are free to upload anything. It could also be a VIRUS!

    1. Check for type of file upload and deny uploading other files.
    2. Restrict its size.

    If you are allowing your users to upload image files (jpg, gif, png), the trick is using the getimagesize() function in PHP. If the uploaded file is really an image file it returns true; otherwise it fails. getimagesize() returns width, height and type. Also don't forget to check the width and height of the uploaded image file to restrict it to certain dimensions.

    <?php

    // check for uploaded file size
    if ($_FILES['imagefile']['size'] > 50000)
    {
        die("ERROR: Large File Size");
    }

    // check if it's an image file
    if (!getimagesize($_FILES['imagefile']['tmp_name']))
    {
        echo "Invalid Image File...";
        exit();
    }

    // restrict width and height if it's an image or photo file
    list($width, $height, $type, $attr) = getimagesize($_FILES['imagefile']['tmp_name']);

    if ($width > 100 || $height > 100)
    {
        echo "Maximum width and height exceeded. Please upload images below 100x100 px size";
        exit();
    }

    // deny script extensions by name; use the same upload field name as above
    $blacklist = array(".php", ".phtml", ".php3", ".php4", ".js", ".shtml", ".pl", ".py");
    foreach ($blacklist as $ext)
    {
        // preg_quote() so the "." matches a literal dot rather than any character
        if (preg_match("/" . preg_quote($ext, "/") . "\$/i", $_FILES['imagefile']['name']))
        {
            echo "ERROR: Uploading executable files Not Allowed\n";
            exit;
        }
    }

    ?>

    Should you need to deny the uploading of certain files, you can create a blacklist of files in an array and loop over it to check the header. Remember not to trust the browser header; headers can easily be faked. NOTE: both of the methods above, getimagesize() and blacklisting the uploaded files, can be bypassed. More information here. Link: http://www.scanit.be/uploads/php-file-upload.pdf

    Generate Random File Names

    When you place any uploaded files in your upload folder, rename the file to some random name and track the filename in the database. It can be an md5() hash or any randomly generated number or string.

    How to Read & Display the Photo Files?

    Remember, once you have moved the folder outside the root, the best way of outputting the files (I assume images) is to write a PHP script (call it getimage.php) that reads the file and sends the desired headers to the browser. See the example below. I am assuming that you have an image file in the upload folder; the method for reading it is below...

    <?php
    // this is just an example only (getimage.php)

    $imgfile = $rsPhoto['photo']; // path of the stored file, or value from database

    list($width, $height, $type, $attr) = getimagesize($imgfile);

    switch ($type)
    {
        case 1:
            $im = imagecreatefromgif($imgfile);
            header("Content-type: image/gif");
            imagegif($im);   // send the decoded image to the browser
            break;

        case 2:
            $im = imagecreatefromjpeg($imgfile);
            header("Content-type: image/jpeg");
            imagejpeg($im);
            break;

        case 3:
            $im = imagecreatefrompng($imgfile);
            header("Content-type: image/png");
            imagepng($im);
            break;

        default:
            // not one of the three image types we serve
            header("HTTP/1.0 404 Not Found");
            exit;
    }

    imagedestroy($im);
    ?>

    METHOD 2:

    The best way of handling file uploads securely is, rather than giving writable permissions to users, to give the writable permission to Apache itself. In this way the Apache server has writable permission rather than the user. Just chown the writable folder to apache or nobody and assign 770 permission.

    In this way the public has no read, write or execute permission in the uploads folder. You will notice that apache has rwx, and so does the owner. You can safely place the upload folder inside the www folder without any concern.

    chown -R apache uploads
    chmod -R 770 uploads

    If anybody tries to access the uploads folder through a URL, they will see Forbidden. Because apache is the group owner, you will have no problem displaying the images or photos in the browser.

    <img src="uploads/file02929.gif">

    This method works best if you have your own dedicated or VPS plan with root permissions.

    Using SuPHP / PHPSuExec

    If you have suPHP compiled with the CGI version of PHP, you might be able to run PHP with server privileges for writing to the upload folder. This is also another method. suPHP is free to download. This is another workaround for the above method.
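As an added example rather than part of the post, the script below checks an upload folder against the METHOD 2 layout described above (the web server account as owner or group, mode 770 so the public has no access) and confirms that the .htaccess directives from the post are present and that nothing inside carries an execute bit. The web server account name (apache, nobody, and so on) and the uploads path are arguments you supply; the values in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not code from the post: verify that an upload folder follows
# the METHOD 2 layout (owned by the web server account, mode 770 so "other"
# has no access at all) and that the .htaccess from the post is in place to
# block directory indexes and script execution. It only reads the tree.
set -u

# Write the .htaccess body from the post above, verbatim, into folder $1.
write_upload_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
Options -Indexes
Options -ExecCGI
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi
EOF
}

# Print one "FAIL: reason" line per violation and return 1 if any were found.
# $1 is the upload directory, $2 the account Apache runs as (apache, nobody, ...).
check_upload_dir() {
    dir=$1
    webuser=$2
    status=0

    # 1. "other" must have no read, write or execute bit (770 or stricter).
    #    "find DIR -prune" tests the directory itself without descending.
    if find "$dir" -prune \( -perm -o=r -o -perm -o=w -o -perm -o=x \) | grep -q .; then
        echo "FAIL: $dir is accessible to 'other' (expected 770 or stricter)"
        status=1
    fi

    # 2. Owner or group must be the web server account.
    #    ls -ld fields: mode links owner group size ... name
    set -- $(ls -ld "$dir")
    if [ "$3" != "$webuser" ] && [ "$4" != "$webuser" ]; then
        echo "FAIL: $dir owned by $3:$4, expected $webuser as owner or group"
        status=1
    fi

    # 3. Indexes and script execution must be disabled by .htaccess.
    if [ ! -f "$dir/.htaccess" ]; then
        echo "FAIL: $dir/.htaccess missing"
        status=1
    else
        grep -q 'Options -Indexes' "$dir/.htaccess" || { echo "FAIL: indexes not disabled"; status=1; }
        grep -q 'Options -ExecCGI' "$dir/.htaccess" || { echo "FAIL: ExecCGI not disabled"; status=1; }
    fi

    # 4. Uploaded files are data, never programs: no execute bit anywhere inside.
    if find "$dir" -type f \( -perm -u=x -o -perm -g=x -o -perm -o=x \) | grep -q .; then
        echo "FAIL: executable files present under $dir"
        status=1
    fi

    return $status
}

# Constructed usage (placeholder path and account):
#   sh check_uploads.sh /home/username/public_html/uploads apache
if [ -n "${1:-}" ]; then
    check_upload_dir "$1" "${2:-apache}"
fi
```

The exit status makes the check usable from cron or a deployment hook: a non-zero result with the printed reasons tells you which part of the layout drifted, for instance a script that re-created the folder as 777.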
     
  6. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    MadysonBelinda:

    Just a clarification to everyone regarding your post ....

    Everything you wrote in your post regarding permissions and ownership pertains only to servers running Apache module (DSO) based PHP and is not really applicable, and even wrong, for other PHP platforms.

    I point this out because you make a lot of mention of SuPHP, and what you wrote is incorrect for SuPHP but would be correct instructions for DSO.
     