Perhaps I am wrong, but that seems quite open. What suggestions do you have to make sure the server does not get breached?
The only thing I can think of is to write the file and then change the permission to something less dangerous.
What do you think? This seems a little lame to me.
The only reason I ask is I came across this:
[security.royans.net...]
whilst looking for information on World Writable directories.
Cheers
The webserver runs as its own user ("nobody", "www", "www-data", "httpd", "apache" or "webuser" are all possibilities) and tries to read/write files based on the permissions of that user.
Directories that need to be 'writable' should have permissions 775 (group-writable) but must also have the "group" set to the webserver user.
eg.
chmod 775 uploads/
chgrp nobody uploads/
or a bit more advanced:
chmod -R 2775 uploads/
chgrp -R nobody uploads/
That means that only the owner (presumably you) and members of the webserver group (ie. the server-side script) can write to files, but anyone can read them.
If you do have file uploads, even without 777 permissions, you should make sure that the files can't be accessed directly by the web browser (hide the location and the filename using mod_rewrite or similar) and protect the upload directory by either moving it outside the 'public_html' tree and/or using a .htaccess file.
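The recipe from the reply above, written out as an added shell example (this is not code from the original post). It applies the setgid bit only to directories and 664 to files, since 2775 on regular files would mark them executable, and it checks that a new file really inherits the directory's group. It assumes GNU coreutils (`stat -c`) and that the group you pass is one your account belongs to; on a real server you would pass the webserver's group ("nobody", "www-data", "apache", and so on), which varies by distribution. The `.htaccess` uses Apache 2.4 syntax and assumes `AllowOverride` permits it.

```shell
# Added example: set up a web-writable upload directory as described in the reply,
# then verify it. Assumes GNU coreutils and that GRP is a group you are a member of.

# Create DIR owned by group GRP; directories get 2775 (setgid, so files and
# subdirectories created inside inherit GRP), regular files get 664 (no exec bit).
setup_upload_dir() {
    dir=$1; grp=$2
    mkdir -p "$dir"
    chgrp -R "$grp" "$dir"
    find "$dir" -type d -exec chmod 2775 {} +
    find "$dir" -type f -exec chmod 664 {} +
}

# Refuse direct browser access to anything stored in DIR.
# "Require all denied" is Apache 2.4 syntax (2.2 used "Deny from all"); this only
# takes effect if the server's AllowOverride permits it, which is an assumption here.
deny_direct_access() {
    printf '%s\n' 'Require all denied' 'Options -ExecCGI -Indexes' > "$1/.htaccess"
    chmod 664 "$1/.htaccess"
}

mode_of()  { stat -c '%a' "$1"; }   # octal mode including special bits, e.g. 2775
group_of() { stat -c '%G' "$1"; }   # owning group name

# Create a file inside DIR and report whether it inherited DIR's group (setgid at work).
inherits_group() {
    probe="$1/.probe.$$"
    : > "$probe"
    g=$(group_of "$probe")
    rm -f "$probe"
    [ "$g" = "$(group_of "$1")" ]
}

# Stand-alone run: uses your own primary group so the demo works on any machine.
demo=$(mktemp -d)
setup_upload_dir "$demo/uploads" "$(id -gn)"
deny_direct_access "$demo/uploads"
printf 'mode=%s group=%s\n' "$(mode_of "$demo/uploads")" "$(group_of "$demo/uploads")"
if inherits_group "$demo/uploads"; then echo "new files inherit the directory group"; fi
rm -rf "$demo"
```

Run it as the account that owns the site; afterwards `ls -ld uploads/` should show `drwxrwsr-x` with the webserver's group in the group column. The `s` in the group position is the setgid bit doing the work the reply relies on: files the server-side script writes belong to the webserver group without any further `chgrp`.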