
Permissions dilemma



Scrumpy.Gums
11-15-2007, 02:39 PM
Hi all,
I want to open a file to store some data. However, when I use fopen('filename', 'w') I get permission denied. So, I've changed the permissions of the directory to get rid of the permission denied problem. Unfortunately, this seemed to require changing the directory to have permissions 777.

How much of a security risk is this? If it's catastrophic, what's the best way around it?

thanks,
Scrumpy.Gums

rpgfan3233
11-15-2007, 04:02 PM
The least secure permissions should be 755 for pretty much anything except things such as .htaccess, which might best be 700 to give only the owner access to the file, so that everybody else, including Web browsers, is forbidden from even attempting to read that file. 755 would give the owner of the file/directory full read-write-execute control while giving others the ability to read and execute, the minimum permissions needed to read a file from what I remember, though it has been a while since I messed with file permissions on an HTTP server.

Edit:
With regard to the security risk, if you give people write access, and they discover what FTP server the files are stored on (assuming your files are uploaded via FTP), they could FTP replacement files, making it appear to be hacked when all that they did was upload via FTP. Also, if this is your personal HTTP server and you have an FTP server running on the same machine (understandable if you're learning), the same thing could happen, except that it would be easier since a simple ping <http address> would return your IP address, which is most likely the same as the FTP server since it is on the same machine.

Inigoesdr
11-15-2007, 07:15 PM
How much of a security risk is this? If it's catastrophic, what's the best way around it?
If you're on a shared server, or the directory is web-accessible then it's a fairly large risk. What you should do instead is find out why permission is denied. As rpgfan3233 stated, you shouldn't have to go any higher than 755. My guess is that the folder/file isn't owned by the same user as the web server trying to access it. chown it to the same user as the web server.

Also, if this is your personal HTTP server and you have an FTP server running on the same machine (understandable if you're learning), the same thing could happen, except that it would be easier since a simple ping <http address> would return your IP address, which is most likely the same as the FTP server since it is on the same machine.

It wouldn't necessarily be any easier. Most hosts have the FTP server on the same machine as the web server, and it's just as easy to find the IP for a remotely hosted site as one hosted on your local machine.
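The two replies above give the same fix in words: find out why the web server is denied, chown the directory to the account the web server runs as, and stay at 755 instead of 777. The script below is an added example (not code posted in the thread) that turns that advice into a check. It assumes a POSIX sh with a stat that accepts either the GNU (-c) or BSD (-f) format string; WEB_USER and DATA_DIR are placeholders for the web server account and the directory the PHP script writes into.

```shell
#!/bin/sh
# Added example, not from the thread. WEB_USER and DATA_DIR are placeholders:
# the account the web server runs PHP as, and the directory that
# fopen('filename', 'w') is trying to create the file in.
WEB_USER=${WEB_USER:-www-data}
DATA_DIR=${DATA_DIR:-/var/www/example/data}

# Owner, group and octal mode of a path, e.g. "alice alice 755".
# Tries the GNU stat format first, then the BSD one.
describe_path() {
  stat -c '%U %G %a' "$1" 2>/dev/null || stat -f '%Su %Sg %OLp' "$1"
}

# Does USER get the write bit on a path owned by OWNER with octal MODE?
# IN_GROUP (yes/no) says whether USER is a member of the path's group.
# Pure string and arithmetic work, so it can be checked without touching disk.
write_bit_set() {
  user=$1 owner=$2 in_group=$3 mode=$4
  perms=${mode#"${mode%???}"}        # keep the last three octal digits (drops a leading 0)
  u=${perms%??}                      # owner digit
  g=${perms#?}; g=${g%?}             # group digit
  o=${perms#??}                      # other digit
  if [ "$user" = "$owner" ]; then bits=$u
  elif [ "$in_group" = yes ]; then bits=$g
  else bits=$o
  fi
  [ $((bits & 2)) -ne 0 ]            # 2 is the write bit within one octal digit
}

# True when every account on the machine may write: the "other" digit has the write bit.
world_writable() {
  mode=$1
  o=${mode#"${mode%?}"}
  [ $((o & 2)) -ne 0 ]
}

# Print the least-privilege fix for "permission denied" instead of chmod 777.
# Arguments: OWNER and MODE of the directory, as reported by describe_path.
recommend_fix() {
  owner=$1 mode=$2
  if [ "$owner" != "$WEB_USER" ]; then
    # The usual cause: the files were uploaded as another account, so the web
    # server falls into the "other" class. Hand the directory to the web user
    # and keep the mode at 755.
    echo "chown $WEB_USER '$DATA_DIR' && chmod 755 '$DATA_DIR'"
  elif ! write_bit_set "$WEB_USER" "$owner" no "$mode"; then
    echo "chmod u+w '$DATA_DIR'"
  else
    echo "directory is already writable by $WEB_USER; check the search (x) bit on each parent directory"
  fi
}

# Stand-alone usage: inspect the real directory if it exists.
if [ -d "$DATA_DIR" ]; then
  set -- $(describe_path "$DATA_DIR")
  echo "owner=$1 group=$2 mode=$3"
  world_writable "$3" && echo "WARNING: $DATA_DIR is world-writable (mode $3)"
  recommend_fix "$1" "$3"
fi
```

Run it as `WEB_USER=www-data DATA_DIR=/path/to/data sh fixperms.sh` on the host; it prints the directory's owner and mode, warns if the mode is world-writable, and prints the chown/chmod command to run rather than running it, so you can check the target before changing anything. The mode-digit logic is separate from the stat call so the decision can be tested against sample modes without changing ownership of anything.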


