Jump to content

Archived

This topic is now archived and is closed to further replies.

bugsy2334

Images Directory chmod 755 777

Recommended Posts

I currently have my images directory, as well as a couple other directories set to chmod 777. I do not feel comfortable with this security level. I'd really like to set the permissions to a maximum of 755.

 

The problem is that whenever I do this, I get an error saying "Error: Catalog images directory is not writeable: /usr/local/apache2/htdocs/images/".

 

I know this has something to do with the user that php is using, but I don't know how to correct it.

 

I searched the forums, and found some posts relating to this issue, but none of them said exactly how to resolve the issue.

 

I appreciate the help.

Share this post


Link to post
Share on other sites

I had the same problem.

 

I was told by a very astute and reliable member here it's because they don't have the server set up properly.

 

What I did was install a contribution called "osC Filebrowser".

 

How that works is you upload images via FTP or your Web hosts Cpanel.

 

Then when you add/change categories in your admin, a window pops up and let's you pick images from the images folder.

 

That was my "work around".

:blush:


If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Share this post


Link to post
Share on other sites

Thanks for the reply. However, I would much rather just set the server up properly. It's not just the images folder that I'm having this issue with, it's any folder that requires data to be written to it.

 

Thanks.

Share this post


Link to post
Share on other sites

Here's what I was told (for what it's worth):

 

Your server is running PHP as a module as opposed to as a CGI with phpSuExec.

 

Your set up requires permissions of 777 whereas the CGI/phpSuExec set up doesn't allow 777 at all but has a maximum of 755 permissions (read/write/execute by you, read/execute by everyone else). In short to have working 755 folders you would need the host to change the set up.


If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Share this post


Link to post
Share on other sites

Alright, i think i figured it out.

 

I had to change the user and group ownership so that it matched the user/group that php or the apache server was running as. I used chown to change ownership of the folders that I needed to be able to write to using php.

 

Thanks.

Share this post


Link to post
Share on other sites

for those people who are having issues / concerns here. The biggest issue here is that people can upload scripts which then can be used to insert code into other folders/files. Here is a simple fix (not as good as the 755 method) that will stop applications from RUNNING in the folder (there should not be scripts in the image folder anyways.

 

# stop scripts from running from the folder
IndexIgnore *
Options All -Indexes
# Secure directory by disabling script execution
AddHandler cgi-script .php .php2 .php3 .php4 .php5 .php6 .php7 .php8 .pl .py .jsp .asp .htm .html .shtml .sh .cgi
Options -ExecCGI
# Don't show this file, that would be bad as well!
<Files .htaccess>
order allow,deny
deny from all
</Files>

 

Step 1 is to create a new htaccess file.

Step 2 upload this file into the images folder and cache (if you use the SEO urls)

 

This is not my work ( linked from here : http://forum.joomla.org/viewtopic.php?f=267&t=288032 ) but might be more help for those having this as an issue.

 

cheers,

Peter


Peter McGrath

-----------------------------

See my Profile (click here) for more information and to contact me for professional osCommerce support that includes SEO development, custom development and security implementation

Share this post


Link to post
Share on other sites
Alright, i think i figured it out.

 

I had to change the user and group ownership so that it matched the user/group that php or the apache server was running as. I used chown to change ownership of the folders that I needed to be able to write to using php.

 

Thanks.

 

bugsy,

 

I am having the same problem with my folder permissions being 777.

 

Can you elaborate a little more on how you used CHOWN to resolve your situation?

 

Did you CHOWN nobody:nobody /images or something to that extent?

 

I know that my PHP is running as user "nobody"

 

Can anyone see any problems with setting these folders` permissions like this?

 

Will anyone still be able to upload phishing files and the like to these folders?

Share this post


Link to post
Share on other sites

Running with a web accessible folder at 777 permissions is "bad".

 

The .htaccess file in this post is a "band-aid".

 

If it works "as advertised" it stops scripts from RUNNING.

 

So... Hackers could still upload hacking scripts, but if they can't RUN them they don't hurt anything (other than take up space).

 

You'd just periodically have to clean them out (if you think that is even necessary).


If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Share this post


Link to post
Share on other sites

Yeah, I think I am going to use a combination of both methods for the time being, until I find a better solution.

 

For those who are new to this thread, "both methods" are the .htaccess file above, and the method I proposed on page 3 of this thread.

 

That way, hackers only have very small windows where they can upload scripts into my folders, and they can't run them anyway.

Share this post


Link to post
Share on other sites

for those people who are having issues / concerns here. The biggest issue here is that people can upload scripts which then can be used to insert code into other folders/files. Here is a simple fix (not as good as the 755 method) that will stop applications from RUNNING in the folder (there should not be scripts in the image folder anyways.

# stop scripts from running from the folder
IndexIgnore *
Options All -Indexes
# Secure directory by disabling script execution
AddHandler cgi-script .php .php2 .php3 .php4 .php5 .php6 .php7 .php8 .pl .py .jsp .asp .htm .html .shtml .sh .cgi
Options -ExecCGI
# Don't show this file, that would be bad as well!
<Files .htaccess>
order allow,deny
deny from all
</Files>

 

Step 1 is to create a new htaccess file.

Step 2 upload this file into the images folder and cache (if you use the SEO urls)

 

This is not my work ( linked from here : http://forum.joomla.org/viewtopic.php?f=267&t=288032 ) but might be more help for those having this as an issue.

 

cheers,

Peter

 

Hi

 

So I copy and pasts the code above into a BLANK .htaccess document and upload into the images directory??????

 

Gareth

Share this post


Link to post
Share on other sites

I wouldn't touch php as a CGI or suPHP with a large stick. In my opinion it is extremely slow, unnecessary and to the individual account holder can actually cause more hack problems than it solves. For those with a dedicated server or VPS I would always recommend PHP as an apache module ( DSO ).

 

PHP as a CGI and suPHP are a benefit however to the owners of servers that are offering bucket hosting .

Share this post


Link to post
Share on other sites

The basic problem here is that the server is configured such that PHP runs under a user ID that is either in the same "group" as the owner, or is something else entirely (is in "other/world"). For osC (running PHP) to write to a directory, you must grant write permission (7 instead of 5): 775 or 777 as the case may be. 775 isn't too bad of a security risk, but 777 is awful on a shared server. You can temporarily change a directory to 777, do your upload, and then change it back to 755, but that can get real old real fast if you upload frequently. See my sig > FAQs > Proper Permissions.

 

Perhaps someone can look into an add-on that lets you upload images or whatever via FTP, and then run the rest of the "upload" script (minus the actual uploading) to load the database.

Share this post


Link to post
Share on other sites

What I did was install a contribution called "osC Filebrowser".

 

How that works is you upload images via FTP or your Web hosts Cpanel.

 

Then when you add/change categories in your admin, a window pops up and let's you pick images from the images folder.

 

Thanks for this suggestion. oscFileBrowser will work for me too.

 

I've spent the last couple of days trying to install suPHP, only to kill my server, reprovision, and restore backups :) I decided that not being a linux guru I'd just go this route and it works great.


--------------------------------

Justin

 

osC is awesome. Thanks everyone.

Share this post


Link to post
Share on other sites

Thanks for this suggestion. oscFileBrowser will work for me too.

 

I've spent the last couple of days trying to install suPHP, only to kill my server, reprovision, and restore backups smile.gif I decided that not being a linux guru I'd just go this route and it works great.

 

Hi Justin!

I have the same problem, and I have been a couple of days already trying everything and nothing seems to work....

I downloaded the oscFileBrowser, but now I do not know how to install it, Could you please help me with this? Do I need to change something in the OSC configuration?

 

Thank you

Share this post


Link to post
Share on other sites

Use your hosting service's control panel > File Manager to change permissions. Most servers these days are set up to ignore chmod requests by FTP clients. If you're on a Windows server, there is no "chmod" command under that name, but you can turn "Read Only" on and off for various groups (you want Read Write for yourself and possibly PHP, while everyone else sees Read Only).

Share this post


Link to post
Share on other sites

×