[SLUG] Ignorance alert: permissions

Paul Teasdale pdt at ryetek.co.uk
Tue Sep 11 13:44:13 BST 2007 

>> One thing that interests me more here is how a file has been hacked in the
>> first place. OK, poor file permissions may not have helped but how as
>> access
>> been gained in the first place? Reviewing your file permissions is good
>> but
>> it's not stopping the root of the problem.
>
> Here's what the host says (and I like my hosts):
>
> "I have checked the page in question and your evaluations are correct -
> the file was altered due to the 'chmod 777 world read / world write'
> permissions on the file / images folder.
>
> Files can be altered through unsecure PHP scripts if the files / folders
> are chmod 777.
>
> If you are able to change the permissions on your files / folders you
> can prevent this from reocrurring.
>
> The password for the account will not have been compromised - the hacker
> will have used your PHP script to alter the file.
>
> If your script will not function with less than chmod 777 permissions,
> we can make certain files 'immutable' if needed (chattr +i)."
>
>
> I asked if they can tell which script was used. I've taken this over and
> I'm wondering if I've introduced a hole or whether it was pre-existing.
>
What they are telling you can be very true so you should check your PHP
scripts. So basically the root of the problem may be a bad PHP script. Weak
permissions did not help but it's not the underlying problem. However I do
agree that good file permissions are also important.

If you have PHP scripts that contain passwords (for example to access a
database) ensure that they end with .php. I've seen some script examples
that end with .inc and in some cases these are not processed in any special
way by the web server and hence just get dumped into the browser, passwords
and all if someone knows they are there.

Like my shared hosting provider I bet they allow you to login with unsecure
FTP. If so then someone may have "sniffed" out your clear text login details
and are simply using FTP to hack your files. OK, probably unlikely but
possible. I think it's unlikely because if they have your FTP details so
much more damage could be done! However I am trying to make a point here.

The mismatch between the web server process user id's and the FTP process id
can be annoying. What I've done here in the past is use the PHP FTP library
to manipulate files. That way all the files uploaded, directories created
and so on get the FTP user id. It's probably very inefficient to do this but
I needed as solution and that worked. My host has never complained yet.

Regards,
Paul.

More information about the Scarborough mailing list