Gentoo Forums
Apache php upload security
cybermatthieu
Tux's lil' helper

Joined: 07 Jul 2004
Posts: 77

Posted: Mon Mar 14, 2005 7:09 am    Post subject: Apache php upload security

Hi everyone!
I'm just playing around with PHP's upload feature and I'm wondering if it's a good thing to have a temporary folder that can be executed by the users (777 rwxrwxrwx). What is the most secure way to have an upload folder?

Thanks,
Matthieu
andyjeffries
Apprentice

Joined: 14 Apr 2004
Posts: 196
Location: Stevenage, Herts, UK

Posted: Mon Mar 14, 2005 7:58 am    Post subject: Re: Apache php upload security

cybermatthieu wrote:
Hi everyone!
I'm wondering if it's a good thing to have a temporary folder that can be executed by the users (777 rwxrwxrwx). What is the most secure way to have an upload folder?

Set upload_tmp_dir in your php.ini to be somewhere within Apache's control (/usr/local/apache/tmp or something). Make that folder owned by apache:root and 700 it? It means that if your webserver gets compromised (more likely someone is able to upload and execute their own PHP files) then they can overwrite anything in that folder, but at least your users can't access it.

Apache needs write access (PHP runs as user apache or nobody depending on how you've configured Apache), but nothing else does.

Cheers,


Andy
_________________
Developer of gPHPEdit
A8N-SLI/AMD X2 4800+/2GB Dual Channel/GF 7900GT OC
tukachinchila
Apprentice

Joined: 11 Mar 2005
Posts: 274
Location: Oregon

Posted: Mon Mar 14, 2005 8:08 am    Post subject:

Having the directory set as executable is fine, but it would be a terrible idea to allow both world write and world execute on any files. Setting the directory to 755 would be better than 777. I would be very careful about using php's upload functions. If you're going to do that, run apache inside a chroot jail and use "hardenedphp" in your USE flags. I would also put the upload directory on a separate partition and mount it noexec, nosuid, nodev and use one of the hardened kernel sources so you get extra restrictions on the chroot jail from grsecurity.
Make sure there's no sensitive data on the webserver. The web server should also be on a separate network from any other computers. There are probably some other things I would do, but that's all I can think of right now.
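
A way to check an upload directory against the permission and mount advice in the replies above, as an added example that is not part of any poster's message. The function names are made up for illustration, and `audit_upload_dir` assumes GNU `stat` and util-linux `findmnt` are installed.

```shell
#!/bin/sh
# Added example (not from the thread): audit an upload directory's mode and mount options.
# Usage after sourcing: audit_upload_dir /usr/local/apache/tmp
# (the path suggested above for upload_tmp_dir).

# Print the risky properties of an octal directory mode such as 777 or 755.
mode_findings() {
    m=$(( 0$1 ))          # leading 0 makes the shell read the mode as octal
    found=""
    if [ $(( m & 0002 )) -ne 0 ]; then found="world-writable"; fi
    # Any read or execute bit for "other" lets local users list or enter the directory.
    if [ $(( m & 0005 )) -ne 0 ]; then found="$found${found:+ }open-to-others"; fi
    echo "$found"
}

# Print which of noexec, nosuid, nodev are absent from a comma-separated option string.
missing_mount_opts() {
    missing=""
    for want in noexec nosuid nodev; do
        case ",$1," in
            *",$want,"*) ;;                               # option present
            *) missing="$missing${missing:+ }$want" ;;    # option absent
        esac
    done
    echo "$missing"
}

# Audit a real directory; returns 0 if clean, 1 on findings, 2 if it cannot be inspected.
audit_upload_dir() {
    dir=$1
    mode=$(stat -c '%a' "$dir") || return 2
    owner=$(stat -c '%U:%G' "$dir") || return 2
    opts=$(findmnt -n -o OPTIONS -T "$dir") || return 2
    echo "$dir: mode=$mode owner=$owner mount-options=$opts"
    rc=0
    for f in $(mode_findings "$mode"); do
        echo "  mode: $f"; rc=1
    done
    for o in $(missing_mount_opts "$opts"); do
        echo "  mount: missing $o"; rc=1
    done
    return $rc
}
```
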
cybermatthieu
Tux's lil' helper

Joined: 07 Jul 2004
Posts: 77

Posted: Mon Mar 14, 2005 8:00 pm    Post subject: Looks like good answers

Thanks all!

I think that will do. My tmp folder is already on a separate partition. I'll put the rights 754 for apache and root users.

Thanks for the quick post!

Matthieu