
Managing File System w/ PHP.... what permissions should I use?


ViN86
06-19-07, 09:04 AM
I'm working with PHP and need to be able to create folders and store/retrieve files from the folder. My server is a Linux box, running Slackware 11.0.

What permissions do I set to allow PHP to have full access to the folder, while keeping my system secure?

thx :)

evilghost
06-19-07, 09:26 AM
PHP runs under the security context of the webserver. On Ubuntu it's www-data, on CentOS it's apache.

You'll need to set group/owner correctly on the files/folders you want PHP to have access to, depending on the need. You could use mod_suexec but I wouldn't recommend that.

I'd recommend looking at installing Suhosin to compensate for some of the PHP security flaws.

Modules I use:
eAccelerator - PHP optimization and caching, http://eaccelerator.net/
Suhosin - PHP security module, http://www.hardened-php.net/suhosin.127.html
mod_deflate - Gzip content on the fly for HTTP 1.1 clients, http://httpd.apache.org/docs/2.2/mod/mod_deflate.html
mod_evasive - Protection from misbehaving clients and DoS attacks, http://www.zdziarski.com/projects/mod_evasive/
mod_security - Protection from script kiddies and bots, http://www.modsecurity.org/ with select rules from http://www.gotroot.com/

Applications I use:
fail2ban - Ban clients after 10 404's or auth fails, http://fail2ban.sourceforge.net/

evilghost
06-19-07, 09:55 AM
For additional security I recommend these php.ini changes to protect against information disclosure, RFI (remote file inclusion), and other attacks:

suhosin.executor.include.max_traversal=4
display_errors = Off
allow_url_include = Off
allow_url_fopen = Off
session.use_only_cookies = 1
session.cookie_httponly = 1
expose_php = Off
register_globals = Off
disable_functions = phpinfo

I also recommend setting ProductTokens to ServerOnly in your Apache configuration or using mod_security to obfuscate the server banner.

ViN86
06-19-07, 10:47 AM
thx ghost :D

I found that with the distro I'm running, httpd (the Apache daemon) is run by the user "nobody" in the group "nobody".

Changed permissions and set the owner as "nobody" and voila, it works. thx :D

("ps -aux" is my friend lol)
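
The steps this thread arrives at (find the account httpd runs as, give it ownership of the storage folder, keep everyone else out), written out as an added example that is not part of any post. The function names, the 750 mode and the audit step are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names, modes and paths are assumptions, not from the thread.

# Print the account the web server's worker processes run as
# (first non-root owner of an httpd/apache2 process), or nothing.
web_user() {
    ps -eo user=,comm= |
        awk '$2 ~ /^(httpd|apache2)$/ && $1 != "root" { print $1; exit }'
}

# Create a storage directory for PHP: owned by the web server account,
# group read/traverse only, no access at all for "other".
# chown needs root, so it is skipped when run unprivileged.
make_store() {
    dir=$1 owner=$2 group=$3
    mkdir -p "$dir" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$group" "$dir" || return 1
    fi
    chmod 750 "$dir"
}

# List entries that are risky in a tree the web server can write to:
# anything world-writable, and anything not owned by the expected account.
# Symlinks are skipped because their own mode bits are not meaningful.
audit_store() {
    dir=$1 owner=$2
    find "$dir" \( -perm -0002 -o ! -user "$owner" \) ! -type l -print
}

# Typical use, as root (the path is a placeholder):
#   u=$(web_user)                 # "nobody" on the poster's Slackware box
#   make_store /path/to/store "$u" "$u"
#   audit_store /path/to/store "$u"
```

An empty result from `audit_store` means nothing under the folder is world-writable or owned by another account; keeping the folder outside the document root is a separate decision this example does not make.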