Textpattern CMS support forum

You are not logged in. Register | Login | Help

#1 2008-03-21 18:11:23

rloaderro
Plugin Author
From: Costa Rica
Registered: 2006-01-05
Posts: 190
Website

Important Security Question

Hello,

In the FAQ it is recommended to set 777 (world-writeable) permissions to the images and files folder. I was recently contacted by my ISP because one of my TXP sites was hacked (excerpt from correspondence):

This has to do with insecurities within the web site.

There were two mod 777 directories — one of which hosted the
phishing site (http://mytxpsite.com/images/favicon/InternetBanking/welcome.jsp):

drwxrwxrwx  4 myuser mygroup   4096 Feb 15 17:11 files
drwxrwxrwx  3 myuser mygroup   4096 Mar 19 18:08 images

This is extremely insecure.

Additionally, the favicon directory, under the images directory, is
owned by the web server user (‘nobody.’)

I have changed permissions to 755 on the files and images directories
and changed ownership of ‘favicon,’ until this situation can be
addressed.

Now this is a shared hosting environment. So my question is – having the images and files folders 777 is actually a very bad thing to do? Should the FAQ be changed? Should I run to change the perms of other TXP sites as well? Anyone can lend me their wisdom? :)

Thanks!


Travel Atlas * Org | Start Somewhere

Offline

#2 2008-03-21 18:44:26

ruud
Developer emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: Important Security Question

“a very bad thing to do” is an understatement. Your web host is correct in calling this “extremely insecure”, because that’s what it is.

I’ve updated the FAQ to warn people against using 777 permissions. In a decent hosting setup 711 permissions should be enough, because you don’t need read permissions on the directory itself (only execute permission) if you known the name of the file you want to access.

Offline

#3 2008-03-21 18:52:04

jstubbs
Moderator
From: Hong Kong
Registered: 2004-12-13
Posts: 2,392
Website

Re: Important Security Question

755 is the default option on most web hosts when creating new folders – that should be fine too, right?

Offline

#4 2008-03-21 19:01:13

rloaderro
Plugin Author
From: Costa Rica
Registered: 2006-01-05
Posts: 190
Website

Re: Important Security Question

ruud wrote:

“a very bad thing to do” is an understatement. Your web host is correct in calling this “extremely insecure”, because that’s what it is.

A question – so how would someone be able to write to those folders – even with the 777 mod? Would it be coming from a script executed from another domain hosted on the ISP? I mean – it has to come from the backend right? Also, if a parent folder is modded 700 and a child folder 777 – could someone still be able to write to the child folder – in other words, how do perms cascade? Thanks for your help!


Travel Atlas * Org | Start Somewhere

Offline

#5 2008-03-21 19:31:24

ruud
Developer emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: Important Security Question

Directory permissions:
700 = only you can access the files in that directory
711 = others can read the files if they know the exact name of the file.
755 = others can read the directory contents to find out which files it contains and then read the file.
777 = others can read and write to the directory, erase files, add new files, read files. VERY INSECURE!

You need at least execute permission on a parent directory to be able to access the child directory, so if the parent is set to 700, then only the owner of that directory can access the parent directory…. but if that’s true, then it’s pointless to make set the child directory to 777.

755 is okay if you don’t mind others nosing around in your directory. 711 adds a bit of security by obscurity ;)
You need 755 if you have MultiViews enabled in Apache, so you can visit /path/to/file and it’s up to Apache to find out which extension that file should have (.php, .html, .gif, .png etc.) because that requires a list of files in the directory (too choose from), which implies read permission instead of just execute permission.

Offline

#6 2008-03-22 01:50:19

redbot
Plugin Author
Registered: 2006-02-14
Posts: 1,410

Re: Important Security Question

ruud,
maybe I misunderstood something but every time I install a new txp site the diagnostics warn me that the “images” and “file” directory are not writable and that I should set their permissions to 777

Offline

#7 2008-03-22 11:34:58

ruud
Developer emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: Important Security Question

redbot, can you tell me if the owner of the directory itself is different from the owner of the files inside that directory?

Offline

#8 2008-03-22 12:17:16

redbot
Plugin Author
Registered: 2006-02-14
Posts: 1,410

Re: Important Security Question

ruud,
I beg your pardon for my shameless ignorance but I don’t understand what you mean.
All I can say is that I’m on a shared hosting and that my “images” and “file” directory are set to 777 (as I said I have to change the permissions to 777 – by default they’re set to 755) while all the files inside those directories are set to 644 so …ehm … I think you have to tell me exactly how I can answer your question… sorry.
And – obviously – thanks for your help.

Offline

#9 2008-03-22 12:29:52

ruud
Developer emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: Important Security Question

Permissions and directory/file ownership are related. I suspect that in the same place where you can see the permissions, you can also see who owns the file. Quite often, the files/directories. are owned by the user(name) that uploaded/created the files. If you have to use 755 for the images directory, then I suspect the images directory is owned by your own username, while the image files themselves are owned by the webserver (www-data, nobody, etc.).

Offline

#10 2008-03-22 14:03:59

redbot
Plugin Author
Registered: 2006-02-14
Posts: 1,410

Re: Important Security Question

ruud wrote:

Permissions and directory/file ownership are related. I suspect that in the same place where you can see the permissions, you can also see who owns the file.

No, sorry, I’m using cpanel and I’ve the possibility to set permissions but I can’t see nothing related to “owners”

Quite often, the files/directories. are owned by the user(name) that uploaded/created the files. If you have to use 755 for the images directory, then I suspect the images directory is owned by your own username, while the image files themselves are owned by the webserver (www-data, nobody, etc.).

Ehm.. I said I have to use 777, not 755 for the images and files directory.

By the way, I checked an old site I have with another web hosting company (a very, very cheap one) and there is no such problem so the cause of it all must be the host I’m using now.
But that’s strange, I always thought this was a good host: I have a series of txp sites and never had a problem with them so – until I read this topic – I just thought it was normal that textpattern required those directories set to 777.

Offline

Board footer

Powered by FluxBB