the tmp folder, apache and permissions

Discussion in 'Security' started by nacho66, Apr 13, 2011.

  1. nacho66

    nacho66 Registered

    Hi guys

    I need a clear answer on how the /tmp folder should be set up. I have a few PHP web sites, hosted within one WHM, which have a functional file upload form. /tmp is the default folder set up for PHP to drop temp files into. The owner of that folder is root and the permission is 777. Is that the general idea behind it? Or should it rather be a specific owner, e.g. the same as Apache (or at least from the same group), with 711 permissions?
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    The /tmp folder top-level should be owned by root with 1777 file permissions, which are set using:

    Code:
    chmod 1777 /tmp
    The 1 is the sticky bit, which means only the owner of the file can affect that file in the /tmp location. Since you don't want other users able to access files they do not own in /tmp, you need to have that 1 at the beginning to ensure that happens.
     
  3. nacho66

    nacho66 Registered

    Yes, 1777 is exactly what I have for the /tmp folder. All files inside /tmp are owned by the user who uploads them (e.g. web1 for website 1, web2 for website 2). So it seems I'm all set with that, right?

    I'm asking because I've heard from my hosting company today that uploading temporary files to /tmp is a serious security risk.
     
  4. JeffP.

    JeffP. Well-Known Member

    That is correct.

    I would ask them to elaborate on their statement. There definitely are situations where using /tmp (or any world writeable location) can pose risks, since anyone can write to that directory. However, the act of writing to /tmp is not necessarily more risky than writing a file to your own directory.

    Are the names of the files that you're uploading to /tmp unpredictable? For example, are you uploading files named "site.txt", or "site.txt.UBHkYOXAhZXI19789" (where "UBHkYOXAhZXI19789" is a random string that changes every single time you upload a file)?

    A good rule of thumb is that if you don't need to use world writeable locations such as /tmp - don't. If you do, be sure to use unpredictable file names.
     
  5. nacho66

    nacho66 Registered

    Filenames are random and look like /tmp/phpcfFmpo
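
The two points raised in this thread, the 1777 mode on /tmp and unpredictable temp file names, as an added shell example that is not part of the original posts or of cPanel's tooling. The function names are hypothetical, and it assumes Linux with GNU stat, find and mktemp.

```shell
#!/bin/sh
# Added example. Assumes Linux with GNU coreutils/findutils (stat -c, mktemp).

# tmp_mode PATH: print the octal mode of PATH, e.g. 1777.
tmp_mode() { stat -c '%a' "$1"; }

# audit_tmp DIR: succeed only if DIR is world-writable with the sticky bit set.
# A non-root owner is only warned about so a scratch directory can be audited.
audit_tmp() {
    dir=$1
    mode=$(tmp_mode "$dir") || return 2
    owner=$(stat -c '%U' "$dir")
    [ "$owner" = root ] || echo "warn: $dir is owned by $owner, expected root" >&2
    case $mode in
        1777) echo "ok: $dir is $mode"; return 0 ;;
        777)  echo "FAIL: $dir is 777, sticky bit missing; run: chmod 1777 $dir" >&2 ;;
        *)    echo "FAIL: $dir is $mode, expected 1777" >&2 ;;
    esac
    return 1
}

# safe_tmpfile DIR PREFIX: create a file with an unpredictable name.
# mktemp creates it exclusively with mode 0600, so a file or symlink that
# another user planted under the same name makes creation fail rather than
# being opened.
safe_tmpfile() { mktemp "$1/$2.XXXXXXXXXXXX"; }

# readable_by_others DIR: list regular files directly in DIR that group or
# other can read. The sticky bit only restricts delete and rename; who can
# read a file is decided by that file's own mode.
readable_by_others() {
    find "$1" -maxdepth 1 -type f \( -perm -040 -o -perm -004 \)
}

# Demo on a constructed scratch directory, not the real /tmp.
scratch=$(mktemp -d)
chmod 777 "$scratch";  audit_tmp "$scratch" || true
chmod 1777 "$scratch"; audit_tmp "$scratch"
f=$(safe_tmpfile "$scratch" upload)
echo "created $f with mode $(tmp_mode "$f")"
readable_by_others "$scratch"    # prints nothing: the new file is 0600
rm -rf "$scratch"
```

Running `audit_tmp /tmp` and `readable_by_others /tmp` as root on the server reports a missing sticky bit and any temp files left readable by other accounts.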
     