[SLUG] Ignorance alert: permissions

John Allsopp john at johnallsopp.co.uk
Tue Sep 11 11:00:23 BST 2007


Hi

OK, so I haven't grasped the basics in all these years.

I'm having an issue with the appearance of an index.php file in my 
images directory which advertises itself as being HaCKeD By Alemin_Krali

And yes, I left permissions on for all and sundry. I don't know enough 
about security, obviously. I never claimed I did.

So now I'm getting to grips with permissions to try to work out how to 
cut them down to stop that happening again.

Questions:

I've created a test directory with permissions 311 (read, write for me, 
read for others), and copied an image file into that directory with the 
same permissions, and I'm denied access to that image through a browser. 
The cure is to enable execution permission for all in the directory. 
Why? What's being executed? A jpeg doesn't get executed?

Through FTP I'm user 32049 in group mygroup. The PHP process appears to 
be user 99 in group 99.

How come I've never come across this as an issue before? I want to be 
able to upload images through PHP, so PHP would own those images and 
place them in the directory. Then maybe I want to rename the image 
through FTP: I can't because I'm not the owner, or in the group, so I 
need global permissions to write. But that lets hackers in.

What's the norm here?

Cheers
J
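
The directory behaviour asked about in the message above, as an added example that is not part of the original post: a simplified Python model of the classic Unix permission check, where the execute bit on a directory means "search" (resolve names inside it) and creating or renaming entries depends on the directory's own write bit. The uids 32049 and 99 come from the post; gid 500 for "mygroup", the STRANGER account and all modes are constructed, and ACLs, root and the sticky bit are ignored.

```python
# Added example: simplified classic Unix permission check
# (assumes no ACLs, no root override, no sticky bit).
R, W, X = 4, 2, 1

def allowed(node, uid, gid, want):
    """Use exactly one class: owner if uid matches, else group, else other."""
    if uid == node["owner"]:
        bits = (node["mode"] >> 6) & 7
    elif gid == node["group"]:
        bits = (node["mode"] >> 3) & 7
    else:
        bits = node["mode"] & 7
    return bits & want == want

def can_read_file(dirs, file, uid, gid):
    """Needs search (x) on every directory in the path, then r on the file."""
    return all(allowed(d, uid, gid, X) for d in dirs) and allowed(file, uid, gid, R)

def can_modify_entries(directory, uid, gid):
    """Create, rename and delete change the directory itself: needs w and x on it."""
    return allowed(directory, uid, gid, W | X)

def node(mode, owner, group):
    return {"mode": mode, "owner": owner, "group": group}

FTP = (32049, 500)          # uid from the post; gid 500 stands in for "mygroup" (assumed)
PHP = (99, 99)              # uid/gid from the post
STRANGER = (12345, 12345)   # constructed: any other local account

image = node(0o644, *FTP)                  # constructed: rw-r--r--
dir_no_x = node(0o644, *FTP)               # rw-r--r--: nobody can search it
dir_755 = node(0o755, *FTP)                # rwxr-xr-x
dir_777 = node(0o777, *FTP)                # rwxrwxrwx
dir_shared = node(0o775, FTP[0], PHP[1])   # constructed: group set to PHP's gid

def demo():
    return {
        "php reads image, dir 644": can_read_file([dir_no_x], image, *PHP),
        "php reads image, dir 755": can_read_file([dir_755], image, *PHP),
        "php uploads, dir 755": can_modify_entries(dir_755, *PHP),
        "ftp renames php upload, dir 755": can_modify_entries(dir_755, *FTP),
        "stranger writes, dir 777": can_modify_entries(dir_777, *STRANGER),
        "php uploads, dir 775 shared": can_modify_entries(dir_shared, *PHP),
        "stranger writes, dir 775 shared": can_modify_entries(dir_shared, *STRANGER),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'allowed' if ok else 'denied'}")
```
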