Reputation: 455
In my CMS, I have a PHP script that opens a .htm file for writing - fopen('footer.htm', 'w+'). This works with file permissions set to 666 on footer.htm, but doesn't work if set to 664.
Am I leaving this file open to abuse or hacking by setting the public permission to 'write'?
I am using an Apache virtual server.
Upvotes: 0
Views: 82
Reputation: 627
That depends.
To modify the file, an attacker must be able to execute some kind of code on the server, e.g. have shell access. If this is the case, the permission is your smallest problem.
If you are on a shared hosting environment (other customers you don't know use your webserver), these other users can possibly change the file too, if your provider did not set up their security right and they know the path.
It is just not considered best practice to set 666 permissions. However, most of these kinds of attacks happen over your webserver, so restricting the permission does not solve the problem, as the server needs to have write access.
So what you can do: Change the mode to 664 and change the group to the one the webserver is running in - other users may still have write access by using the webserver.
What you should do: Ensure that no malicious code is written into that file. If I find code like that, I'm very confident I'll find a persistent cross-site scripting vulnerability.
Upvotes: 1
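Why 666 works where 664 does not, and why the chgrp suggested in the answer fixes it, shown as an added example (not code from the question or the answer): Unix applies only the first matching class of owner, group, other, so a web server user that is neither the owner nor in the file's group gets the "other" bits. The names www-data, alice and editors in the comments are assumptions.

```shell
#!/bin/sh
# Added example: decide whether a user may write to a file from its mode bits.
# Unix checks exactly one class: owner first, then group, then other.

# perm_class OWNER GROUP USER "USER_GROUPS"
# Prints which permission class applies to USER: owner, group or other.
perm_class() {
    owner=$1 group=$2 user=$3 user_groups=$4
    if [ "$user" = "$owner" ]; then echo owner; return; fi
    for g in $user_groups; do
        if [ "$g" = "$group" ]; then echo group; return; fi
    done
    echo other
}

# can_write MODE OWNER GROUP USER "USER_GROUPS"
# MODE is the ls-style string without the type character, e.g. rw-rw-r-- (664).
# Returns 0 if the write bit of the applicable class is set.
can_write() {
    mode=$1
    case $(perm_class "$2" "$3" "$4" "$5") in
        owner) bit=$(printf '%s' "$mode" | cut -c2) ;;
        group) bit=$(printf '%s' "$mode" | cut -c5) ;;
        other) bit=$(printf '%s' "$mode" | cut -c8) ;;
    esac
    [ "$bit" = "w" ]
}

# check_file FILE USER
# Same check against a real file, reading mode, owner and group from ls -ld.
check_file() {
    file=$1 user=$2
    line=$(ls -ld -- "$file") || return 2
    mode=$(printf '%s' "$line" | cut -c2-10)
    owner=$(printf '%s' "$line" | awk '{print $3}')
    group=$(printf '%s' "$line" | awk '{print $4}')
    can_write "$mode" "$owner" "$group" "$user" "$(id -Gn "$user")"
}

# Typical use on the server (assumed names):
#   check_file footer.htm www-data && echo "web server can write"
#   chgrp www-data footer.htm && chmod 664 footer.htm
```

With the file owned by alice:editors and mode 664, www-data lands in "other" and cannot write; after the chgrp it lands in "group" and can, while an unrelated account on the same host no longer has the write bit.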