xoops forums

talunceford

Just can't stay away
Posted on: 2007/11/12 21:09
talunceford
talunceford (Show more)
Just can't stay away
Posts: 532
Since: 2002/8/14
#1

Question about securing folders...

Hello all!

I have a quick question on what the correct permissions would be for the templates_c folder, the uploads folder, and the cache folder... and for that matter any folder that you don't want the public being able to write to directly. I got an email from my hosting provider about some files that were uploaded to the uploads directory of my site that were causing some phishing attempts. Yeah, got me scared. I removed the execute right from the folder except for the user.

I guess what my question is, is what is the BEST security measures to take when applying a security policy to your site.

Thanks all!

Anonymous

Posted on: 2007/11/12 21:43
Anonymous
Anonymous (Show more)
Posts: 0
Since:
#2

Re: Question about securing folders...

Quote:
talunceford wrote:

I guess what my question is, is what is the BEST security measures to take when applying a security policy to your site.


I guess the answer is "the tightest that still allows your site to work"

Depends on your server config, too. I'm not an expert - perhaps the techie's can advise properly?

talunceford

Just can't stay away
Posted on: 2007/11/12 21:48
talunceford
talunceford (Show more)
Just can't stay away
Posts: 532
Since: 2002/8/14
#3

Re: Question about securing folders...

Lol, isn't that the truth.

I think what should be done is make it so that when the system writes a template file or something such as that, it uses the permissions of the user, or use something that captures the users permissions of the folder. That way a folder doesn't have to be wide open to the world to work, such as the templates_c, cache, or uploads directory are right now. Because they have to be left 777 in order for the site to work properly. Why is this?

We talk about securing our site, but we are forced to leave folders open to the public so that they can upload files and execute files on the server, without any resistance.

This needs to be addressed quickly.... How... well that is another story.

jdseymour

Friend of XOOPS
Posted on: 2007/11/12 22:39
jdseymour
jdseymour (Show more)
Friend of XOOPS
Posts: 3782
Since: 2004/11/11
#4

Re: Question about securing folders...

If your server is set to allow the user that the server runs as to write to the folder that is all that is needed. If it is not set up correctly in order for it to work chmod 777 would be required.

Try a tighter permission, if you get blank pages ease the permissions up until the site runs.

For me templates_c can run at chmod 755 and cache at 766.

talunceford

Just can't stay away
Posted on: 2007/11/13 1:10
talunceford
talunceford (Show more)
Just can't stay away
Posts: 532
Since: 2002/8/14
#5

Re: Question about securing folders...

Nice... thanks jdseymour...

talunceford

Just can't stay away
Posted on: 2007/11/13 3:52
talunceford
talunceford (Show more)
Just can't stay away
Posts: 532
Since: 2002/8/14
#6

Re: Question about securing folders...

Ok, well the site doesn't run correctly unless the httpd user/group has access to those directories. How can I get it so that my user account is writing those files instead of that httpd user? That is, if there is a way....

jdseymour

Friend of XOOPS
Posted on: 2007/11/13 4:01
jdseymour
jdseymour (Show more)
Friend of XOOPS
Posts: 3782
Since: 2004/11/11
#7

Re: Question about securing folders...

It is called suexec, the server runs as the user. If it was my account it would be user:group jdseymour:jdseymour.

The server will run as the owner of the home directory.

talunceford

Just can't stay away
Posted on: 2007/11/13 4:15
talunceford
talunceford (Show more)
Just can't stay away
Posts: 532
Since: 2002/8/14
#8

Re: Question about securing folders...

I found something that might work.

I created a .htaccess file that disables public view of the folder, yet retains the same properties of the 777. It only allows access to the folder when the server needs it.

File security

If you want to prevent people from viewing or downloading any files in a particular directory you can just place a .htaccess file like this in that directory.

# prevent reading of all files
<Files *>
    
Deny From All
</Files>

For 
exampleI have a directory which holds include files containing various passwords and web-service keys that I don't want anybody to be able to see. Ideally this would be stored outside the directory tree that the web-server can serve-up, but on some configurations that is not possible. In this case the .htaccess file above prevents anyone from viewing the files whilst still allowing them to be included in PHP scripts.

You can be more selective about what you allow people to see. This .htaccess file will prevent people from seeing just the files with the .inc suffix. Anything else is accessible.

# prevent reading of .inc files
<Files *.inc>
    Deny From All
</Files>


I stuck the .htaccess files in the cache directory, and the templates_c directory. I think I will also try it on the uploads directory.

talunceford

Just can't stay away
Posted on: 2007/11/13 12:32
talunceford
talunceford (Show more)
Just can't stay away
Posts: 532
Since: 2002/8/14
#9

Re: Question about securing folders...

Not sure if this will work, but I think its more of a deterrent than anything.

jdseymour

Friend of XOOPS
Posted on: 2007/11/13 13:29
jdseymour
jdseymour (Show more)
Friend of XOOPS
Posts: 3782
Since: 2004/11/11
#10

Re: Question about securing folders...

Quote:

talunceford wrote:
Not sure if this will work, but I think its more of a deterrent than anything.


Yes, it can be a deterrent. Another thing to remember, when uploading files to the server via ftp, the files and folders are owned by the user and group of the user logged in through ftp.

After such action it may be necessary to chown "change owner" through the commandline to adjust ownership to the user the apache server runs as. Once you have the proper user and group owning the files and folders, permissions can be more restrictive and still allow writing by the server when needed.