views: 447
answers: 4

I have a folder on my server on which I have changed the permissions to 777 (read, write and execute for all) to allow users to upload their pictures. What are the security risks involved in this? I have implemented code to restrict what file formats can be uploaded, but what would happen if someone were to find the location of the directory? Can this pose any threat to my server? Can they start uploading any files they desire?

Thanks, Ben

A: 

If nothing else, I would remove the executable permissions for all users (if not owner and group as well). With this enabled, someone could upload a file that looks like a picture but is really an executable, which might cause no end of damage.

Possibly remove the read and write permissions for all users as well and restrict it to just owner and group, unless you need anonymous access.

samoz
Hi samoz, thanks for the reply. When it says user/group and then everyone, who falls under which group? I am assuming I am the owner?
Ben McRae
what does the eXecutable flag on a directory have to do with disguising executables as images?
hop
also what does it mean by executable, as in executing programs?
Ben McRae
The executable flag decides whether or not you can execute code. If this flag is off, even if you disguise an executable as an image, you can't run it, which is ideal.
samoz
a) This is not true. There are tricks to execute code even without +x; b) we are talking about the permissions of a directory, not a file.
hop
A: 

You do not want the executable bit on. As far as *nix goes, the executable bit means you can actually run the file. So, for example, php scripts can be uploaded as type JPEG, and then someone can run that script if they know the location and it's within the web directory.

Nerdling
The folder permissions are 777 - not necessarily the file permissions. I agree, files do not need execute in general; folders do as you cannot access the files inside without execute (search) permission.
Jonathan Leffler
+1  A: 

By what means are these users uploading their pictures? If it's over the web, then you only need to give the web server or the CGI script user access to the folder.

The biggest danger here is that users can overwrite other users files, or delete other users files. Nobody without access to this folder will be able to write to it (unless you have some kind of guest/anonymous user).

If you need a directory that everyone can create files in, what you want is to mimic the permissions of the /tmp directory.

$ chown root:root dir; chmod 777 dir; chmod +t dir;

This way any user can create a file, but they cannot delete files owned by other users.

Contrary to what others have said, the executable bit on a directory in unix systems means you can make that directory your current directory (cd to it). It has nothing to do with executing (execution of a directory is meaningless). If you remove the executable bit, nobody will be able to 'cd' to it.

ebencooke
Not quite right on the directory x-bit, but close enough.
paxdiablo
I know chdir() will fail with EACCES if the dir is -x. It might control other things?
ebencooke
Thank you for the reply. The users will be uploading through a form in a PHP document. When you say without access to this folder, theoretically anyone who has an account on my website will have access to upload their pictures? Who falls under the category of a guest/anonymous user? Thanks for your help.
Ben McRae
@eben, it basically controls the ability to look inside the directory "file" so "cd dir" will fail. Also "find dir -print" will not work, or "ls dir/*". You can still get at the *files* if you know their names (such as "cat dir/known_file").
paxdiablo
Assuming the file permissions allow it of course :-)
paxdiablo
@Pax: not quite; you need x permission on a directory to access the files; you need r permission on a directory to read the directory (and list the files with 'ls', for example). You're right that if you know the name, you only need x permission on the directory and the name/permissions on the file.
Jonathan Leffler
Sorry, @JL, you're right. R gets you the ability to read the directory, you still need X to get at the files within.
paxdiablo
@Ben: If you're using a PHP script, then the only account on the server that needs write permission to that folder is the one under which the PHP script is running. Probably this is 'www' or some such. By an account, I meant a login shell, or an ftp account. 'Account on website' is too vague.
ebencooke
@ebencooke, sorry, you are right, I didn't really explain my question too well in the first place. No one except myself will have access to shell, FTP or anything like that! I didn't really understand how far this question could really go before I posted it. I will edit the original question!
Ben McRae
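The two points argued over in the comments above (a /tmp-style sticky directory, and what the r and x bits on a directory each allow) can be checked directly. The script below is an added example and is not code from the thread; it assumes only a POSIX shell plus ls, chmod, mkdir, cat and mktemp, and every path and file name in it is made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. (1) make_tmp_like_dir builds the
# /tmp-style shared directory (1777: world-writable plus sticky bit).
# (2) probe_dir_bits shows what the directory's r and x bits each allow:
# x alone lets you open a file whose name you know, r alone lets you list
# the names. Assumes a POSIX shell; all paths and names are made up.
set -u

WORK=$(mktemp -d)                      # scratch area, removed on exit
cleanup() { chmod -R u+rwx "$WORK" 2>/dev/null; rm -rf "$WORK"; }
trap cleanup EXIT

# First ten characters of "ls -ld", e.g. drwxrwxrwt (the trailing t is the
# sticky bit shown in place of the "other" x).
dir_mode() { ls -ld "$1" | cut -c1-10; }

# Shared upload directory modelled on /tmp: anyone may create files, but the
# sticky bit stops users deleting or renaming files they do not own.
make_tmp_like_dir() {                  # make_tmp_like_dir DIR
    mkdir -p "$1" && chmod 1777 "$1" && dir_mode "$1"
}

# Opening a file by a known name needs only x (search) on the directory.
can_open_known_file() { cat "$1/known_file" >/dev/null 2>&1 && echo yes || echo no; }
# Listing the directory needs r on the directory.
can_list_dir()        { ls "$1" >/dev/null 2>&1 && echo yes || echo no; }

# Put one world-readable file in a directory, set MODE on the directory only,
# and print "<open> <list>", e.g. "yes no" for an x-only (0111) directory.
# Note: root bypasses these checks entirely, so as root both are always yes.
probe_dir_bits() {                     # probe_dir_bits MODE
    d="$WORK/probe"
    mkdir -p "$d" && chmod 0755 "$d"
    echo hello >"$d/known_file" && chmod 0644 "$d/known_file"
    chmod "$1" "$d"
    printf '%s %s\n' "$(can_open_known_file "$d")" "$(can_list_dir "$d")"
    chmod 0755 "$d"                    # restore so the next probe can reuse it
}

# Run as "sh script.sh demo" to see the results for the current user.
if [ "${1:-}" = "demo" ]; then
    echo "sticky upload dir: $(make_tmp_like_dir "$WORK/upload")"
    echo "x only (0111), open/list: $(probe_dir_bits 0111)"
    echo "r only (0444), open/list: $(probe_dir_bits 0444)"
    echo "r and x (0555), open/list: $(probe_dir_bits 0555)"
fi
```

Run it as an ordinary user to see the difference; as root the probes all succeed because root is not subject to these permission checks at all.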
+1  A: 

When users are uploading files to your server through a web form and some PHP script, the disk access on the server happens with the user id the web server is running under (usually nobody, www-data, apache, _httpd or even root).

Note here, that this single user id is used, regardless of which user uploads the file.

As long as there are no local users accessing the system by other means (ssh, for example), setting the upload directory's permissions to 0777 would not make much of a difference -- apart from somebody exploiting a security vulnerability somewhere else in your system, there's no one those permissions apply to anyway, and such an attacker would probably just use /tmp.

It is always good practice to set only those permissions on a file or directory that are actually needed. In this case that means probably something like:

drwxrws--- 5 www-data www-data          4096 Nov 17 16:44 upload/

I'm assuming that other local users besides the web server will want to access those files, like the sysadmin or a web designer. Add those users to the group your web server runs under and they don't need sudo or root privileges to access that directory. Also, the +s means that new files and directories in upload/ will automatically be owned by the same group.

As to your last question: just because an attacker knows where the directory is, doesn't mean he can magically make files appear there. There still has to be some sort of service running that accepts files and stores them there... so no, setting the permissions to 0777 doesn't directly make it any less safe.

Still, there are several more dimensions to "safety" and "security" that you cannot address with file permissions in this whole setup:

  • uploaders can still overwrite each other's files because they all work with the same user id
  • somebody can upload a malicious PHP script to the upload directory and run it from there, possibly exploit other vulnerabilities on your system and gain root access
  • somebody can use your server to distribute child porn
  • somebody could run a phishing site from your server after uploading a lookalike of paypal.com

...and there are probably more. Some of those problems you may have addressed in your upload script, but then again, understanding of unix file permissions and where they apply comes usually waaaay at the beginning when learning about security issues, which shows that you are probably not ready yet to tackle all of the possible problems.

Have your code looked at by somebody!

hop
Thank you for that great post, I am 19 years old and have only been coding PHP for 9 months. I'm not trying to use that as an excuse though, I just never really understood to what extent security goes, but it's a lot bigger than I thought. Thank you, I have a lot of research to do!
Ben McRae
Ooo, and one more thing, with regards to a user uploading a malicious PHP file: do you know any good ways I can prevent this? Would be very very helpful indeed! Thanks again.
Ben McRae
Ask this in another question, referencing this one, and I'll try to answer it. There are a few things you can do to avoid trouble.
hop
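The least-privilege layout hop describes (drwxrws---, i.e. mode 2770 with the setgid bit so new uploads inherit the web server's group) can be built and checked with the script below. It is an added example, not code from the thread; it assumes a POSIX shell, uses "www-data" merely as a stand-in for whatever account your web server runs as, discovers a second group at run time to make the inheritance check visible, and all paths in it are made up.

```shell
#!/bin/sh
# Added example, not code from the thread: builds the least-privilege upload
# directory hop describes (drwxrws---, mode 2770) and checks that the setgid
# bit makes files created inside inherit the directory's group, so sysadmins
# added to that group can reach the uploads without root. "www-data" stands
# in for whatever account the web server runs as; paths are made up.
set -u

WORK=$(mktemp -d)
cleanup() { rm -rf "$WORK"; }
trap cleanup EXIT

dir_mode()   { ls -ld "$1" | cut -c1-10; }        # e.g. drwxrws---
file_group() { ls -ld "$1" | awk '{print $4}'; }  # group column of ls -l

# Mode 2770: rwx for owner and group, nothing for others, setgid on the dir.
make_upload_dir() {                    # make_upload_dir DIR WEB_GROUP
    mkdir -p "$1" || return 1
    chgrp "$2" "$1" 2>/dev/null || true   # only works if we may use WEB_GROUP
    chmod 2770 "$1"
    dir_mode "$1"
}

# Find a group other than our primary one that chgrp will accept, so the
# inheritance check is meaningful; prints nothing if there is none.
pick_alt_group() {
    primary=$(id -gn)
    for g in $(id -Gn); do
        [ "$g" != "$primary" ] && { echo "$g"; return 0; }
    done
    # root may hand a directory to any group: take one from /etc/group
    if [ "$(id -u)" -eq 0 ]; then
        awk -F: -v p="$primary" '$1 != p { print $1; exit }' /etc/group 2>/dev/null || true
    fi
    return 0
}

# Create a file in DIR and print yes/no for "did it inherit DIR's group?",
# or skip when no alternate group is available to make the test visible.
setgid_inherits() {                    # setgid_inherits DIR
    d="$1"; alt=$(pick_alt_group)
    [ -n "$alt" ] || { echo skip; return 0; }
    chgrp "$alt" "$d" 2>/dev/null || { echo skip; return 0; }
    chmod g+s "$d"                     # re-assert in case chgrp cleared it
    : >"$d/upload.jpg"                 # stands in for what the upload script writes
    [ "$(file_group "$d/upload.jpg")" = "$(file_group "$d")" ] && echo yes || echo no
}

# Run as "sh script.sh demo" to see the mode and the inheritance result.
if [ "${1:-}" = "demo" ]; then
    echo "mode:     $(make_upload_dir "$WORK/upload" www-data)"
    echo "inherits: $(setgid_inherits "$WORK/upload")"
fi
```

On a real server you would run make_upload_dir as root with the web server's actual group, then add the sysadmin and web-designer accounts to that group; the setgid bit is what keeps their later edits and the server's uploads readable to each other without any 0777 anywhere.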