Thread: file and folder permissions

  1. #1
    Join Date
    May 2011
    Beans
    159
    Distro
    Xubuntu

    file and folder permissions

    I'd like to have a directory on my web server where I can host my random images, which I can quickly upload using a PHP script. But I have concerns about the security of this deal.

    In a "root" directory I have two folders, "uploader" and "files". "uploader" is where my PHP upload scripts are. It's protected with .htaccess. And "files" is where it uploads images. www-data has RWX and everyone else is R-X.
    Would it be possible for somebody to upload any files to the "files" folder and possibly execute them? After all, Apache can read, write and execute. But my PHP scripts allow only image uploads.

    Please give me possible scenarios of what could happen. Thank you.

  2. #2
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: file and folder permissions

    I wouldn't give www-data write access for that reason.

    I'm not sure how your uploader works, but you can set it to be run as a different user and give only that user rwx access?
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #3
    Join Date
    May 2011
    Beans
    159
    Distro
    Xubuntu

    Re: file and folder permissions

    Looks like that is how most content management systems run. The uploads directory is writable by the www-data user.

  4. #4
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: file and folder permissions

    Originally posted by a2j:
    "Looks like that is how most content management systems run. The uploads directory is writable by the www-data user."
    Hrm, if that's the case, I would just leave it.

    *shrug*

  5. #5
    Join Date
    Mar 2010
    Location
    Metro-ATL; PM free zone.
    Beans
    Hidden!
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: file and folder permissions

    Originally posted by a2j:
    "Please give me possible scenarios of what could happen. Thank you."
    A poorly written upload script or file permissions could allow someone else to take over your server. Sound bad?

    You probably want to use someone else's, mildly popular, upload script if you insist on doing this with PHP over the web. Perhaps running a well used CMS like Drupal or Joomla would be a better choice? Regardless, check for updates a few times every week and install them so your box isn't owned.

    If you will be the only person uploading image files, consider using rsync over ssh to push the files from your non-internet machine - perhaps automatically every day using ssh-key authentication to your host?

    There are probably thousands of ways to accomplish what you want, but only 10 ways to do it securely.

    -- I approved this message.
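
Added example, not part of any post in this thread: a POSIX shell audit for an upload directory like the "files" folder described in post #1. It flags files with an execute bit, names outside an image allow-list (including dotfiles and double extensions), and content whose leading bytes are not JPEG, PNG or GIF; the function names and the allow-list are assumptions.

```sh
#!/bin/sh
# Added example: audit an upload directory such as the thread's "files" folder.
# Function names and the image allow-list are assumptions for illustration.

# Up to the first 4 bytes of a file as lowercase hex (89504e47 for PNG).
magic_of() {
    od -An -tx1 -N4 < "$1" | tr -d ' \n'
}

# Succeeds only if the leading bytes are a JPEG, PNG or GIF signature.
# A matching signature is one signal, not proof that the content is harmless.
is_image() {
    case "$(magic_of "$1")" in
        ffd8ff*|89504e47|47494638) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_uploads DIR: prints one "REASON<TAB>path" line per finding.
audit_uploads() (
    dir=$1
    # Pass 1: any execute bit (owner, group or other); images never need one.
    find "$dir" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
    while IFS= read -r f; do
        printf 'EXEC_BIT\t%s\n' "$f"
    done
    # Pass 2: name and content checks. Dotfiles (.htaccess) and double
    # extensions (x.php.jpg) are rejected because Apache's mod_mime can act
    # on more than the last extension of a file name.
    find "$dir" -type f -print |
    while IFS= read -r f; do
        lower=$(printf '%s' "${f##*/}" | tr 'A-Z' 'a-z')
        case "$lower" in
            .*|*.*.*) printf 'BAD_NAME\t%s\n' "$f" ;;
            *.jpg|*.jpeg|*.png|*.gif) ;;
            *) printf 'BAD_NAME\t%s\n' "$f" ;;
        esac
        is_image "$f" || printf 'NOT_IMAGE\t%s\n' "$f"
    done
)

# Usage (hypothetical path): audit_uploads /var/www/example/files
```

An empty result means nothing was flagged; file names containing newlines are not handled by the read loops.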

  6. #6
    Join Date
    May 2011
    Beans
    159
    Distro
    Xubuntu

    Re: file and folder permissions

    Not exactly what I was asking about... but I found my solution. ownCloud will do what I need.
