
How to prevent 777 (so use always 755)


10 replies to this topic

#1 Felix Scheiffers (Members, 47 posts)

Posted 23 November 2009 - 04:29 AM

Because my customer has been hacked in the temp directory, I am trying to follow the rules of Spooks.

So far I understand how to avoid 777 as follows (in the admin you are a user just like a visitor in your shop, but using FTP you are the owner, so 755 is enough for writing to directories as the owner):

- don't use cache (otherwise you need 777 for the cache dir)
- don't write sessions to a dir (otherwise you need 777)
- replace the image upload fields in categories and manufacturers with normal input fields for the picture names only, and upload the pictures with FTP (which is faster too)
- don't use the backup in admin (otherwise you need 777 for the backup dir); use the export function in phpMyAdmin to back up the MySQL database
- avoid using temp, tmp or any directory for temporary objects
- always use FTP to place objects in a directory if needed (e.g. banners, backups etc.)

Right? (I could not change the header because it is "did I understand this right" :) )

Edited by Felix Scheiffers, 23 November 2009 - 04:36 AM.


#2 web-project (Members, 4,320 posts)

Posted 23 November 2009 - 04:33 PM

Normally on the server, 755 is the permission to execute the script; at the same time this permission allows the web server to work with files, in most cases working like 777, but the folders are secured so that no one from outside can upload images or scripts to hack your osCommerce.
Please read this line: Do you want to find all the answers to your questions? click here. As for contribution database it's located here!
8 people out of 10 don't bother to read installation manuals. I can recommend: if you can't read the installation manual, don't bother to install any contribution yourself.
Before installing contribution or editing/updating/deleting any files, do the full backup, it will save to you & everyone here on the forum time to fix your issues.
Any issues with oscommerce, I am here to help you.

#3 Felix Scheiffers (Members, 47 posts)

Posted 23 November 2009 - 04:47 PM

I have read so many topics about this, but most answers are too confusing for me (I think not only for me; I think most people give up in the discussion because of the short, unclear answers), e.g. "it would be easy to put pressure on your host", forget it ... or "simply move to another host" ...

So I think my question about this topic is very clear and hopefully will be answered clearly, so this topic can be useful for all of us.

So I ask here for a clear answer that everybody can work with (su .. etc. are not solutions for an average webshop owner). I think simply preventing it by changing your programs so they do not need 777 is the most simple solution on every host (for now)!

So I am very curious about comments concerning this ... please no short, unclear answers (short and clear is ok :) ), otherwise this will again be a topic on this subject where you don't find clear answers ...

#4 Felix Scheiffers (Members, 47 posts)

Posted 23 November 2009 - 04:56 PM

web-project, on 23 November 2009 - 04:33 PM, said:

Normally on the server, 755 is the permission to execute the script; at the same time this permission allows the web server to work with files, in most cases working like 777, but the folders are secured so that no one from outside can upload images or scripts to hack your osCommerce.

Thanks Alex, but with 755 you can't upload images to your folder in admin, because fopen() (PHP) does not have enough authorisation in that case.
So my answer in that case would be: upload your images with FTP, fill in only the names in programs like categories.php and manufacturers.php, and don't start an endless discussion with your host who has many clients (you lose) if you want to solve this quickly and safely for yourself.

#5 Jack_mcs (Members, 25,319 posts)

Posted 23 November 2009 - 05:49 PM

You're trying to fix something that is broken on the server. The settings on the server determine the permissions to use. They are, in your case it seems, set to allow using 777. While your changes may work, what if you miss one? Doing it your way puts more responsibility on you and adds another job for you as a shop owner. If your host only allowed 755 in the first place, it would free you up for running the shop. Asking your host to change that is, in my experience, useless, since most will not do so. The only alternative is to change hosts and, in this case, it would be the only right decision.

#6 FWR Media (Community Sponsor, 6,839 posts)

Posted 23 November 2009 - 06:06 PM

Yes, if you are with a bucket host (loads of sites on the same server) you have little option but to take the slow route of PHP as CGI with suphp/phpsuexec; you will need maximum permissions to be 0755.

If you have your own server or a VPS, happily you can dump all this and run PHP as a module, far, far faster.

#7 Felix Scheiffers (Members, 47 posts)

Posted 23 November 2009 - 06:16 PM

Hi Jack of the many very useful contributions (thanks). So you think the best solution is to ask your host to install the su.. programs on their server (but not easy, I read, the settings, so the average hoster does not have the knowledge I guess), so 755 would work as 777, but somebody from outside could not get into your folders; only a program running on your server would see 755 as 777, and because your folders are protected with 755, a hacker could not place programs in them directly to run them with 777 authorisations in that program. Right? But my clients were already moved to another, better provider (not bad), so if he/she is not willing to, I have to do my changes (but creating thumbnails in your programs gives the same problem; it also needs a 777 directory in my case).

I will go and ask my provider and will tell what happens in this forum ...

#8 Jack_mcs (Members, 25,319 posts)

Posted 23 November 2009 - 06:57 PM

Felix Scheiffers, on 23 November 2009 - 06:16 PM, said:

your server would see 755 as 777, and because your folders are protected with 755, a hacker could not place direct programs in it also to run it with 777 authorisations in that program. Right ?

No, it depends on how the hacker has gained access. There is a vulnerability in the filemanager script in admin that allows hackers to edit all existing files and to place new files on the server, even if the permissions are 755. But under normal conditions, a hacker won't be able to make the changes with 755 that he could if the permissions were 777.

#9 Mort-lemur (Members, 1,197 posts)

Posted 23 November 2009 - 09:54 PM

Hi,

Just to add a bit from my recent discussions with my host on this, his response was:

Quote:

We do not currently use PHPSuExec and as such you will have to change the permissions to 777.

To say that this means PHP is installed the wrong way would suggest that over 50% of servers on the Internet have PHP installed incorrectly.

so much for their help......
Now my store is the way I want it - Secure, working well, and good Google Ranks - Thanks to all for the help given.

If you want to see the mods I have installed, then see my profile.

#10 web-project (Members, 4,320 posts)

Posted 23 November 2009 - 10:21 PM

Quote:

Thanks Alex, but with 755 you can't upload images to your folder in admin because fopen() (php) has not enough autorisation in that case.

With suphp/phpsuexec (very strict and secure, as PHP runs as the user instead of nobody or the server user), working on a few of my servers with permission 0755, I never had the fopen() problem.

Edited by web-project, 23 November 2009 - 10:22 PM.


#11 Felix Scheiffers (Members, 47 posts)

Posted 24 November 2009 - 03:39 PM

Good news (for me).

My provider (a good one) already had a new server with suphp/phpsuexec implemented.

On my request the most urgent webstore was moved to that server, and indeed the directories all have a maximum of 755 and programs now run under the owner (so objects, e.g. images, can be added to directories with 755).

So visitors of your webstore, or yourself logged into admin, all have the same rights (maximum 755; in fact the 5 applies to you), but the programs run under the owner (the first 7) and have all rights to do everything inside the program.

Before, a program was running under the rights of a visitor (in xxx the second and third position, e.g. in 777 the second or third position), so a 7 was needed to add an image to a directory from a program. :)

Thanks to everybody who helped me in the forums (not always directly) to understand, and hopefully it is now explained clearly to others; otherwise ask a question ..
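To make the permission classes discussed in this thread concrete, here is an added example (not code from the thread or from osCommerce) that models the POSIX write check for the two setups compared above, PHP running as nobody versus as the file owner under suphp/phpsuexec, and audits a directory tree for world-writable (777-style) directories. The uids, gids and directory names are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile

# A mode such as 0o755 is owner (7) / group (5) / other (5).  Which digit
# applies depends on the user the PHP process runs as, not on the FTP owner.
def can_write(mode, owner_uid, owner_gid, proc_uid, proc_gids):
    """POSIX write check: pick exactly one class, then test its w bit."""
    if proc_uid == owner_uid:
        return bool(mode & stat.S_IWUSR)   # owner class, the "first 7"
    if owner_gid in proc_gids:
        return bool(mode & stat.S_IWGRP)   # group class, the second digit
    return bool(mode & stat.S_IWOTH)       # other class, the third digit

def scenarios(mode):
    """Constructed ids: shop owner (FTP account) 1001, web server 'nobody' 65534."""
    owner, nobody = 1001, 65534
    return {
        # mod_php: the script runs as the web server user, so only the
        # 'other' digit counts and 755 blocks fopen() for writing.
        "mod_php as nobody": can_write(mode, owner, owner, nobody, {65534}),
        # suphp/phpsuexec: the script runs as the file owner, so 755 is enough.
        "suphp as owner": can_write(mode, owner, owner, owner, {owner}),
    }

def find_world_writable(root):
    """Audit helper: directories under root that anyone on the box can write to."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            path = os.path.join(dirpath, d)
            if os.lstat(path).st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def demo():
    """Build a throwaway tree mirroring the thread's directories and audit it."""
    root = tempfile.mkdtemp()
    try:
        for name, mode in (("images", 0o755), ("temp", 0o777), ("backups", 0o777)):
            os.mkdir(os.path.join(root, name))
            os.chmod(os.path.join(root, name), mode)
        return find_world_writable(root)   # returns ['backups', 'temp']
    finally:
        shutil.rmtree(root)
```

Running find_world_writable() over a shop's document root is a quick way to confirm that the move to suphp/phpsuexec actually let you drop every 777 directory.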