Securing a directory with 777 or 775 permissions
Posted by Stanislav Furman on July 6, 2014If in your project you have a publicly accessible directory that has full permissions (777), then it may cause serious security issues. An attacker may put an executable script or binary on your host and then run it remotely. This is a major security whole and it may lead to major problems if someone decides to attack your website.
However, sometimes on some shared webhosting servers you need have a folder that has risky 777 permissions (or, if possible, 775 which is a little bit better). As an example you can consider a folder where website users can upload their photos or images. In this case it opens a security whole for potential attackers. But, there are a few techniques that can help you to keep your website safe.
First of all, 777 permissions - is bad! Period! If you have control other your web server (e.g. you're using a VPS or dedicated server), then you need to create a group containing both Apache and FTP users as group members. Then set 775 permissions on the upload folder. This will give Apache and FTP users the ability to write their files in the folder.
The next step is setting the folder to allow only images to be accessed. This trick can work even on virtual shared web hosting andit uses .htaccess file. Simply put an .htaccess file to the upload folder and write the following code:
Order Allow,Deny
Deny from all
<Files "\.(jpg|jpeg|png|gif)$">
order deny,allow
allow from all
</Files>
Of course, you can use this technique for other types of files like *.pdf, *.txt, *.css, *.js, etc.
Keep your website safe! ;)
Comments
"A good example is a folder where website user can upload their photos or images." - why not to set this directory owner to web server username? It will let the server to write to this directory but will prevent other users from entering here.
For example:
chown apache:apache upload
chmod ug+rwx upload
chmod o-rwx upload
I totally agree with you.
I figured that the article needed some more details and have updated it. ;)
If Apache/PHP is set up properly, then image.jpg won't be parsed and executed as PHP file.
However, you are right, that publicly accessible folders can be used as a security hole. That's why only safe content should allowed in such folders.
Leave your comment