[SLUG] Ignorance alert: permissions

John Allsopp john at johnallsopp.co.uk
Tue Sep 11 16:16:55 BST 2007


Here's the latest from the host:

"Yes, group 32407 are files uploaded via the quitemig FTP account. Group 
99 (nobody) are files created by your PHP script.

The 'groups' are not a problem in themselves - the issue is the chmod 
777 file and folder settings. The images folder was chmod 777 (it would 
normally be chmod 755).

Is one of your scripts in the quitemig account related to file uploading 
- this is a common way for a hacker to upload a script. If the upload 
dir has 777 permissions the hacker can then run the script and alter any 
files in your web space which are chmod 777."

I've now set permissions for the image directories back to 755 and 
routed the 7 key from my keyboard with a screwdriver.

I have a very nice book on PHP security which I need to study a little 
more carefully.

Having set permissions, am I OK, and if I patch the PHP file uploading 
hole, is that everything?

It was a bit of a thrill to go through the LPI stuff again and get the 
books out. The bit in part 2 about setting up web hosting and so on, 
that really got my juices flowing.

You're scared now aren't you?

Apparently there's a chap living on my road who looks like Francis 
Bacon, knows me, is a tech professional in banking and uses Linux. It's 
getting common, I'm going to start using QDOS.

J
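
The checks the host's reply points at, as an added example that is not part of the original message: find world-writable (chmod 777) paths, find PHP files in an upload directory, list files by numeric group, and reset modes. The function names, the extension list, the 644 file mode and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Audit a web root for what the host's reply describes: world-writable
# (chmod 777) paths, scripts in an upload directory, files created by PHP.

# Directories and files with the "other write" bit set, as chmod 777 leaves them.
find_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print
}

# PHP-executable files inside a directory that should only hold uploads (images).
# The extension list is an assumption; match it to what the server hands to PHP.
find_scripts_in_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) -print
}

# Files owned by a numeric group, e.g. 99 (nobody) for files the PHP script created.
find_by_gid() {
    find "$1" -type f -group "$2" -print
}

# Reset world-writable paths: 755 for directories (the host's "normal" value);
# 644 for files is an assumption.
reset_modes() {
    find "$1" -type d -perm -0002 -exec chmod 755 {} +
    find "$1" -type f -perm -0002 -exec chmod 644 {} +
}

# Constructed sample tree, so the script runs offline.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/images" "$root/lib"
    : > "$root/images/photo.jpg"
    : > "$root/images/x.php"        # constructed stand-in for an uploaded script
    : > "$root/index.php"
    chmod 777 "$root/images" "$root/images/photo.jpg"
    echo "world-writable:";             find_world_writable "$root"
    echo "scripts in images/:";         find_scripts_in_uploads "$root/images"
    reset_modes "$root"
    echo "world-writable after reset:"; find_world_writable "$root"
    rm -rf "$root"
}
demo
```

Resetting modes only closes the write path; any file that `find_scripts_in_uploads` reports in an image directory still needs to be inspected and removed by hand.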



