Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
985 views
in Technique[技术] by (71.8m points)

security - Can people write a .php file to my chmod 777 folder

Is it possible for hackers ( or other ) to upload/write a php file to a folder on my site that has chmod 777?

Example:

I have a folder that has chmod 777. That folder contains images. I use .htaccess to block indexing the folder.

Reformed question: Can people write a .php file to my folder that has chmod 777 by using a PHP script on their website? For example , to list all the images in that folder

( I'm familiar with the right chmod for uploading folder etc .. , just asking it hypotheticaly )

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Chances are very good that any legitimate user of that machine can write .php files, or anything else they want, to that wide-open directory. A 777 directory has almost no place on a shared host. (/tmp may sometimes be 1777, to set the sticky bit on the directory -- that allows only a file owner to delete a file in the directory. Normally, 777 means anyone can delete any file from the directory. But /tmp has definitely fallen out of favor on shared hosting environments because it is inherently unsafe.)

So: Are you the only user on the machine? Or is this machine shared with anyone else? Does this machine run any other services besides web server? If so, those other services might represent a possible attack vector as well.

Furthermore, if your permissions are set to 777 on your directory I wonder just how safe the PHP files you're running are -- I've seen many cases of people running insecure PHP scripts that allow an attacker to modify every HTML file on the entire web server, to infect people browsing the site. (Yes. Many. More than a handful by a lot.)

This is why whichever user account your web server runs as should not own any of the files of the website -- both static pages and dynamic pages. The web server should have only enough write privileges to write its access.log, error.log, and talk with a database server. Any additional privileges beyond this makes it far to easy for an otherwise benign bug in one of your scripts to become an exploitable vulnerability that allows your site to be used for attacking others.

777 is a bad idea. Fix that. Make sure your web server does not have write permission to any of the web content. Make sure no other service on the server has write permission to your web content. Make sure no other users on the server have write permission to your web content.

Update

This is easier than it sounds. Create a new webcontent user. If your web server already has a group of its own, lets use it and call it webgroup. If it doesn't yet, create a new webgroup as well. (adduser(8) and addgroup(8) if your VPS doesn't have its own mechanism.) Then set the owner for all your web content:

chown -R webcontent:webgroup /path/to/web/content

fix permissions:

find /path/to/web/content -type d -print0 | xargs -0 chmod 750
find /path/to/web/content -type f -print0 | xargs -0 chmod 640

then make sure your web server is using the Group webgroup directive to ensure that it can still read all the files it needs.

This will let your web server have read access to all your scripts and configuration, but if the web server itself is hacked, it can't modify any of it.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...