Managing File System w/ PHP.... what permissions should I use?
I'm working with PHP and need to be able to create folders and store/retrieve files from the folder. My server is a Linux box, running Slackware 11.0.
What permissions do I set to allow PHP to have full access to the folder, while keeping my system secure? thx :)
Re: Managing File System w/ PHP.... what permissions should I use?
PHP runs under the security context of the webserver. On Ubuntu it's www-data, on CentOS it's apache.
You'll need to set group/owner correctly on the files/folders you want PHP to have access to, depending on the need. You could use mod_suexec but I wouldn't recommend that. I'd recommend looking at installing Suhosin to compensate for some of the PHP security flaws.

Modules I use:
- eAccelerator - PHP optimization and caching, http://eaccelerator.net/
- Suhosin - PHP security module, http://www.hardened-php.net/suhosin.127.html
- mod_deflate - Gzip content on the fly for HTTP 1.1 clients, http://httpd.apache.org/docs/2.2/mod/mod_deflate.html
- mod_evasive - Protection from misbehaving clients and DoS attacks, http://www.zdziarski.com/projects/mod_evasive/
- mod_security - Protection from script kiddies and bots, http://www.modsecurity.org/ with select rules from http://www.gotroot.com/

Applications I use:
- fail2ban - Ban clients after 10 404's or auth fails, http://fail2ban.sourceforge.net/
Re: Managing File System w/ PHP.... what permissions should I use?
For additional security I recommend these php.ini changes to protect against information disclosure, RFI (remote file inclusion), and other attacks:
```ini
suhosin.executor.include.max_traversal=4
display_errors = Off
allow_url_include = Off
allow_url_fopen = Off
session.use_only_cookies = 1
session.cookie_httponly = 1
expose_php = Off
display_errors = Off
register_globals = Off
disable_functions = phpinfo
```

I also recommend setting ProductTokens to ServerOnly in your Apache configuration or using mod_security to obfuscate the server banner.
Re: Managing File System w/ PHP.... what permissions should I use?
thx ghost :D
I found that with the distro I'm running, httpd (the Apache daemon) is run by the user "nobody" in the group "nobody". Changed permissions and set the owner as "nobody" and voila, it works. thx :D ("ps -aux" is my friend lol)
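
An added example, not written by any poster in this thread: shell functions for the approach the thread arrives at, which is to find the account the web server runs as, give that account a data directory, and confirm nothing in it is writable by other local users. The function names, the `httpd` process name default and the 750 mode are assumptions; `stat -c` is the GNU coreutils form.

```shell
#!/bin/sh
# Added example (not from the thread). All function names are hypothetical.

# httpd_user [PROCESS]: print the non-root account running the web server.
# The parent httpd usually runs as root; its workers run as the account
# PHP inherits ("nobody" on the poster's Slackware box).
httpd_user() {
    ps -e -o user= -o comm= |
        awk -v p="${1:-httpd}" '$2 == p && $1 != "root" { print $1; exit }'
}

# make_data_dir DIR USER: create DIR with mode 750 (owner rwx, group r-x,
# others nothing) and hand it to USER. chown needs root unless USER
# already owns the directory.
make_data_dir() {
    mkdir -p "$1" && chmod 750 "$1" || return 1
    [ "$(stat -c %U "$1")" = "$2" ] || chown "$2" "$1"
}

# check_data_dir DIR USER: report a wrong owner and any world-writable
# path under DIR. Returns 0 when clean, 1 on findings, 2 if DIR is missing.
check_data_dir() {
    dir=$1 want=$2 rc=0
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }
    owner=$(stat -c %U "$dir")
    [ "$owner" = "$want" ] || {
        echo "OWNER $dir is $owner, expected $want"
        rc=1
    }
    # -perm -0002 matches anything with the "other write" bit set,
    # including DIR itself; symlinks are skipped because their mode
    # bits are not meaningful.
    ww=$(find "$dir" ! -type l -perm -0002)
    [ -z "$ww" ] || {
        echo "WORLD-WRITABLE:"
        echo "$ww"
        rc=1
    }
    return $rc
}

# Typical use, as root (the path is a placeholder):
#   u=$(httpd_user httpd)
#   make_data_dir /path/to/php-data "$u" && check_data_dir /path/to/php-data "$u"
```

A directory that PHP writes to is best kept outside the web root or configured so uploaded files are never executed as scripts.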