  • #1
    New Coder
    Join Date
    Aug 2007
    Posts
    14
    Thanks
    3
    Thanked 1 Time in 1 Post

    Permissions dilemma

    Hi all,
    I want to open a file to store some data. However, when I use fopen('filename', 'w') I get permission denied. So, I've changed the permissions of the directory to get rid of the permission denied problem. Unfortunately, this seemed to require changing the directory to have permissions 777.

    How much of a security risk is this? If it's catastrophic, what's the best way around it?

    thanks,
    Scrumpy.Gums
    "entia non sunt multiplicanda praeter necessitatem" - "Entities should not be multiplied beyond necessity" Occam's Razor

  • #2
    Regular Coder
    Join Date
    Mar 2005
    Location
    D0u$h!t3 k4?
    Posts
    512
    Thanks
    2
    Thanked 5 Times in 5 Posts
    The least secure permissions should be 755 for pretty much anything except things such as .htaccess, which might best be 700 to give only the owner access to the file and everybody else, including Web browsers, would be forbidden from even attempting to read that file. 755 would give the owner of the file/directory full read-write-execute control while giving others the ability to read and execute, the minimum permissions needed to read a file from what I remember, though it has been a while since I messed with file permissions on an HTTP server.

    Edit:
    With regard to the security risk, if you give people write access, and they discover what FTP server the files are stored on (assuming your files are uploaded via FTP), they could FTP replacement files, making it appear to be hacked when all that they did was upload via FTP. Also, if this is your personal HTTP server and you have an FTP server running on the same machine (understandable if you're learning), the same thing could happen, except that it would be easier since a simple ping <http address> would return your IP address, which is most likely the same as the FTP server since it is on the same machine.
    Last edited by rpgfan3233; 11-15-2007 at 03:07 PM.
    PHP Code:
    $hello = file_get_contents('hello.txt'); echo $hello;
    hello

  • Users who have thanked rpgfan3233 for this post:

    Scrumpy.Gums (11-15-2007)

  • #3
    Super Moderator Inigoesdr's Avatar
    Join Date
    Mar 2007
    Location
    Florida, USA
    Posts
    3,638
    Thanks
    2
    Thanked 404 Times in 396 Posts
    Quote Originally Posted by Scrumpy.Gums
    How much of a security risk is this? If it's catastrophic, what's the best way around it?
    If you're on a shared server, or the directory is web-accessible then it's a fairly large risk. What you should do instead is find out why permission is denied. As rpgfan3233 stated, you shouldn't have to go any higher than 755. My guess is that the folder/file isn't owned by the same user as the web server trying to access it. chown it to the same user as the web server.
    Quote Originally Posted by rpgfan3233
    Also, if this is your personal HTTP server and you have an FTP server running on the same machine (understandable if you're learning), the same thing could happen, except that it would be easier since a simple ping <http address> would return your IP address, which is most likely the same as the FTP server since it is on the same machine.
    It wouldn't necessarily be any easier. Most hosts have the FTP server on the same machine as the web server, and it's just as easy to find the IP for a remotely hosted site as one hosted on your local machine.

  • Users who have thanked Inigoesdr for this post:

    Scrumpy.Gums (11-15-2007)
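
The ownership diagnosis in post #3 can be checked before reaching for 777. The script below is an added example, not code from any poster in this thread; `verdict` and `audit_dir` are hypothetical helper names, and `www-data` is an assumed name for the web server account.

```shell
#!/bin/sh
# Added example, not code from the thread. Reports why a process can or cannot
# create files in a directory and flags a 777-style mode as world-writable.

# verdict MODE OWNER_UID GROUP_GID UID "GIDS": pure decision on `ls -ldn` fields.
# The kernel applies exactly one permission class: owner, else group, else other.
# Creating a file needs write AND search (x) on the directory.
# (root's permission bypass is not modelled.)
verdict() {
    mode=$1 owner=$2 group=$3 uid=$4 gids=$5
    case $mode in
        ????????w[xt]*) echo "WORLD-WRITABLE: any local account can write here"
                        return 1 ;;
    esac
    if [ "$uid" = "$owner" ]; then
        class=owner pat='??w[xs]*'
    elif case " $gids " in *" $group "*) true ;; *) false ;; esac; then
        class=group pat='?????w[xs]*'
    else
        echo "DENIED: uid $uid is not owner $owner or in group $group;" \
             "chown the directory or use a shared group instead of 777"
        return 1
    fi
    case $mode in
        $pat) echo "OK: writable via $class bits" ;;
        *)    echo "DENIED: $class class lacks write+search on the directory"
              return 1 ;;
    esac
}

# audit_dir DIR [USER]: USER defaults to the caller; on a web host pass the
# server account (its name, e.g. www-data, is an assumption about your system).
audit_dir() {
    dir=$1 user=${2-}
    [ -d "$dir" ] || { echo "ERROR: $dir is not a directory"; return 2; }
    uid=$(id -u ${user:+"$user"}) && gids=$(id -G ${user:+"$user"}) ||
        { echo "ERROR: unknown user $user"; return 2; }
    # POSIX long format: mode string, link count, owner uid, group gid, ...
    set -- $(ls -ldn "$dir")
    verdict "$1" "$3" "$4" "$uid" "$gids"
}
```

A `DENIED` line for the server account on a 755 directory is the case the original poster hit: the mode is fine and the owner is wrong, so the fix is `chown`, not a wider mode.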

