[SLUG] Ignorance alert: permissions
Stephen O'Neill
soneill84 at yahoo.co.uk
Tue Sep 11 12:04:58 BST 2007
We suffered the same problem as you a number of months ago - an account
on the shared host was hacked, we had world writable directories, the
rest is history. Fortunately they were sub-directories like '/js' and
'/css' so nobody ever knew.
> Why? What's being executed? A jpeg doesn't get executed?
I never figured this out either, it could be that Apache does an
arbitrary check for certain permissions and forbids access otherwise.
For example I know that if permissions aren't spot on with our .htaccess
then the process just quits.
> Through FTP I'm user 32049 in group mygroup. The PHP process appears to
> be user 99 in group 99.
Is it a PHP process or an Apache process - either way it's probably
running as a web user (apache on Fedora; www-data on Ubuntu).
> How come I've never come across this as an issue before? I want to be
> able to upload images through PHP, so PHP would own those images and
> place them in the directory. Then maybe I want to rename the image
> through FTP: I can't because I'm not the owner, or in the group, so I
> need global permissions to write. But that lets hackers in.
Slap your host around the face then!? They ought to be in the same group
at least and distinct for your site. Our host uses the same user for ftp
as the apache so we use 701 for directories and 704 for files.
I'm not a web hoster though and I know there's a lot involved so I look
forward to long complicated explanations.
Steve O
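
Added example, not part of the original post: a shell check a site owner can run over their own web root to list entries writable by "other" (the condition described above) and entries that deviate from the 701/704 scheme the post mentions. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Audit a web root for permissive modes. All names here are hypothetical.

# List files and directories under $1 that have the other-write bit set.
# Symlinks are skipped: their own mode is not what access checks use.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | LC_ALL=C sort
}

# List entries that do not match the scheme from the post:
# exactly 701 for directories and exactly 704 for files.
not_701_704() {
    find "$1" -type d ! -perm 0701 -print
    find "$1" -type f ! -perm 0704 -print
}

# Build a constructed sample tree and print its path.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/js" "$root/css" "$root/images"
    : > "$root/index.php"
    : > "$root/css/site.css"
    : > "$root/images/photo.jpg"
    chmod 701 "$root" "$root/images"
    chmod 777 "$root/js" "$root/css"        # world-writable directories
    chmod 704 "$root/index.php"
    chmod 644 "$root/css/site.css"          # not world-writable, but off-scheme
    chmod 666 "$root/images/photo.jpg"      # world-writable upload
    printf '%s\n' "$root"
}

# Usage: sh audit.sh /path/to/docroot
if [ -n "$1" ]; then
    echo "World-writable entries:"
    world_writable "$1"
    echo "Entries not matching 701 (dirs) / 704 (files):"
    not_701_704 "$1"
fi
```

The exact-match check only makes sense on a host where the FTP user and the web server user are the same account, as in the setup the post describes.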