Managing File System w/ PHP.... what permissions should I use?

ViN86 · 06-19-07, 08:04 AM

im working with PHP and need to be able to create folders and store/retrieve files from the folder. my server is a linux box, running Slackware 11.0.

what permissions do i set to allow PHP to have full access to the folder, while keeping my system secure?

thx

evilghost · 06-19-07, 08:26 AM

PHP runs under the security context of the webserver. On Ubuntu it's www-data, on CentOS it's apache.

You'll need to set group/owner correctly on the files/folders you want PHP to have access do, depending on the need. You could use mod_suexec but I wouldn't recommend that.

I'd recommend looking at installing Suhosin to compensate for some of the PHP security flaws.

Modules I use:
eAccelerator - PHP optimization and caching, http://eaccelerator.net/
Suhosin - PHP security module, http://www.hardened-php.net/suhosin.127.html
mod_deflate - Gzip content on the fly for HTTP 1.1 clients, http://httpd.apache.org/docs/2.2/mod/mod_deflate.html
mod_evasive - Protection from misbehaving clients and DoS attacks, http://www.zdziarski.com/projects/mod_evasive/
mod_security - Protection from script kiddies and bots, http://www.modsecurity.org/ with select rules from http://www.gotroot.com/

Applications I use:
fail2ban - Ban clients after 10 404's or auth fails, http://fail2ban.sourceforge.net/

evilghost · 06-19-07, 08:55 AM

For additional security I recommend these php.ini changes to protect against information disclosure, RFI (remote file inclusion), and other attacks:

suhosin.executor.include.max_traversal=4
display_errors = Off
allow_url_include = Off
allow_url_fopen = Off
session.use_only_cookies = 1
session.cookie_httponly = 1
expose_php = Off
display_errors = Off
register_globals = Off
disable_functions = phpinfo

I also recommend setting ProductTokens to ServerOnly in your Apache configuration or using mod_security to obfuscate the server banner.

ViN86 · 06-19-07, 09:47 AM

thx ghost

i found that with the distro im running, httpd (the apache daemon) is run by the user "nobody" in the group "nobody"

changed permissions and set the owner as "nobody" and voila, it works. thx

("ps -aux" is my friend lol)

06-19-07, 08:04 AM	#1
ViN86 Registered User Join Date: Mar 2004 Posts: 15,486	Managing File System w/ PHP.... what permissions should I use? im working with PHP and need to be able to create folders and store/retrieve files from the folder. my server is a linux box, running Slackware 11.0. what permissions do i set to allow PHP to have full access to the folder, while keeping my system secure? thx

06-19-07, 08:26 AM	#2
evilghost Registered User Join Date: Jul 2005 Posts: 3,606	Re: Managing File System w/ PHP.... what permissions should I use? PHP runs under the security context of the webserver. On Ubuntu it's www-data, on CentOS it's apache. You'll need to set group/owner correctly on the files/folders you want PHP to have access do, depending on the need. You could use mod_suexec but I wouldn't recommend that. I'd recommend looking at installing Suhosin to compensate for some of the PHP security flaws. Modules I use: eAccelerator - PHP optimization and caching, http://eaccelerator.net/ Suhosin - PHP security module, http://www.hardened-php.net/suhosin.127.html mod_deflate - Gzip content on the fly for HTTP 1.1 clients, http://httpd.apache.org/docs/2.2/mod/mod_deflate.html mod_evasive - Protection from misbehaving clients and DoS attacks, http://www.zdziarski.com/projects/mod_evasive/ mod_security - Protection from script kiddies and bots, http://www.modsecurity.org/ with select rules from http://www.gotroot.com/ Applications I use: fail2ban - Ban clients after 10 404's or auth fails, http://fail2ban.sourceforge.net/

06-19-07, 08:55 AM	#3
evilghost Registered User Join Date: Jul 2005 Posts: 3,606	Re: Managing File System w/ PHP.... what permissions should I use? For additional security I recommend these php.ini changes to protect against information disclosure, RFI (remote file inclusion), and other attacks: suhosin.executor.include.max_traversal=4 display_errors = Off allow_url_include = Off allow_url_fopen = Off session.use_only_cookies = 1 session.cookie_httponly = 1 expose_php = Off display_errors = Off register_globals = Off disable_functions = phpinfo I also recommend setting ProductTokens to ServerOnly in your Apache configuration or using mod_security to obfuscate the server banner.

06-19-07, 09:47 AM	#4
ViN86 Registered User Join Date: Mar 2004 Posts: 15,486	Re: Managing File System w/ PHP.... what permissions should I use? thx ghost i found that with the distro im running, httpd (the apache daemon) is run by the user "nobody" in the group "nobody" changed permissions and set the owner as "nobody" and voila, it works. thx ("ps -aux" is my friend lol)

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Max Payne 3 system requirements updated, new PC screenshots released	News	Latest Tech And Game Headlines	0	05-28-12 06:49 AM
RPM Source problems	LaoTzuTao	NVIDIA Linux	10	01-19-03 05:15 AM
Can't install NVIDIA_kernel.XXXX.XXXX.src or regular rpm	noeffort	NVIDIA Linux	15	12-17-02 01:22 PM
Strange RedHat 7.3 issues with A7N266-C	nforceuser	NVIDIA Linux	8	09-27-02 03:16 PM