Permissions for (F)CGI Servers


Post by cmb » Thu Nov 01, 2012 8:04 pm

Hello Community,

I'm not sure about the necessary file permissions on webservers that run PHP as (F)CGI. Isn't it enough to set the required permissions for the file owner only, and to give no permissions at all for the group and everybody, i.e. 0700, 0400 etc.? I just did so on a test installation, and everything seems to work fine. This would greatly improve security regarding the readability of files containing sensitive data.

Christoph
Christoph M. Becker – Plugins for CMSimple_XH


Re: Permissions for (F)CGI Servers

Post by Holger » Thu Nov 01, 2012 10:44 pm

Hi Christoph,

In general, a modern FCGI installation with a cleanly configured mod_suEXEC is, IMHO and from my simple knowledge, today the fastest and most secure way on shared hosts.
The default permissions (AFAIK 0755 and 0644) should be fine regarding the fact that other processes on the host are completely separated. Besides this, you'll never have problems with ownership of files created from a PHP script.

About the necessary permissions, I can confirm that regarding CMSimple 0700 ... seems to be fine and that you can protect sensitive data this way from the group / world.
I'm not sure if this will work in every case with other systems too, especially when it comes to other CGIs (Perl? etc.). I've noticed problems somewhere with Perl and 0777 perms, while 0755 was working fine with that script / host. Maybe that was related to some other additional security layer on the host.

But IMO the compatible and recommended way to protect sensitive data is .htaccess, if you cannot store the files outside the webroot (which is impossible on all shared hosts I know about).

Anyway, since PHP is able to CHMOD files and folders, it's at least always a good idea to implement some additional security (hashing e.g.) of the data.
And I don't know if you've noticed that on FCGI you can in most cases have your own php.ini in your installation (but remember: in contrast to .htaccess, you must copy that php.ini into every subfolder too!). If you're really paranoid, you can disable PHP's chmod command in your php.ini....

And remember: I'm not an expert! The above written things are just my personal experiences and the knowledge of a server noob!

KR
Holger


Re: Permissions for (F)CGI Servers

Post by cmb » Thu Nov 01, 2012 11:29 pm

Hi Holger,

thanks for the reply!

Very interesting are the problems you've mentioned with regard to Perl scripts--I haven't thought about other languages at all.

Holger wrote: in general, a modern FCGI installation with a clean configured mod_suEXEC is IMHO and from my simple knowledge today the fastest and most secure way on shared hosts.

AFAIK FCGI uses sockets for communication with the server. I can imagine that mod_php uses an even faster method. But even if so, this shouldn't make much difference in typical cases, and definitely won't outweigh the increased security on a shared host. AFAIK the only thing that could prevent neighbors from accessing your files under mod_php is an appropriate setting of open_basedir, as all domains are executed from the same user.

Holger wrote: But IMO the compatible and recommended way to protect sensitive data is .htaccess, if you cannot store the files outside the webroot (which is impossible on all shared hosts I know about).

.htaccess can secure the files from HTTP access. But what about neighbors (i.e. other domains on the same server)? AFAIK if there is no other protection in place, they might access files in your domain via "normal" file access (e.g. fopen('/...')). Of course these scripts are executed from a different user, but when a file is readable for the world, this wouldn't matter. So this was the reason why I'm interested in setting no permissions for group/world at all (not particularly for my domain, but for the explanation in the XH wiki in general).

BTW: on my webspace (FCGI) I have FTP access to the parent folder of the webroot, so I could store files outside the webroot. But well, my hoster is rather expensive: 1€ per month ;)

Christoph
Christoph M. Becker – Plugins for CMSimple_XH


Re: Permissions for (F)CGI Servers

Post by cmb » Mon Nov 05, 2012 9:11 pm

cmb wrote: I just did so on a test installation, and everything seems to work fine.

Well, actually not. :oops: At least all files that might be requested directly by the browser (stylesheets, images, js etc.) have to be readable for the "world", and the folders they're contained in need to be executable too.
Christoph M. Becker – Plugins for CMSimple_XH
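
The permission split this thread arrives at (owner-only for files that only PHP reads, world-readable for files the web server delivers directly, world-executable for the folders above them), written as an audit script. This is an added example, not code from the thread or from CMSimple; the extension list, the inclusion of .htaccess (which Apache reads as its own user) and the demo file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a webroot on a suEXEC/FCGI host.
# Assumption: the patterns in is_server_read are illustrative; adjust per site.

# True if the web server process itself must read this file: assets sent
# straight to the browser, plus .htaccess, which Apache reads as its own user.
is_server_read() {
    case "$1" in
        *.css|*.js|*.png|*.jpg|*.gif|*.ico|*/.htaccess) return 0 ;;
        *) return 1 ;;
    esac
}

# True if path $1 has every "other" permission bit of octal mode $2 set.
has_other_bit() { [ -n "$(find "$1" -prune -perm "-$2")" ]; }

# Report, one finding per line, where the tree under $1 deviates:
#   UNREADABLE     server-read file without o+r (the request will fail)
#   NO-TRAVERSE    directory above such a file without o+x
#   WORLD-READABLE any other file with o+r (readable by neighbouring accounts)
audit_webroot() {
    root=${1%/}
    find "$root" -type f | while IFS= read -r f; do
        if is_server_read "$f"; then
            has_other_bit "$f" 004 || printf 'UNREADABLE %s\n' "$f"
            d=$(dirname "$f")
            while :; do
                has_other_bit "$d" 001 || printf 'NO-TRAVERSE %s\n' "$d"
                case "$d" in "$root"|/|.) break ;; esac
                d=$(dirname "$d")
            done
        elif has_other_bit "$f" 004; then
            printf 'WORLD-READABLE %s\n' "$f"
        fi
    done | sort -u
}

# Constructed sample tree (hypothetical file names) for trying the audit.
make_demo_tree() {
    t=$(mktemp -d) && mkdir -p "$t/css" "$t/data"
    : > "$t/index.php"; : > "$t/css/site.css"; : > "$t/data/users.txt"
    chmod 0711 "$t" "$t/css"; chmod 0700 "$t/data"
    chmod 0600 "$t/index.php" "$t/css/site.css"   # stylesheet too strict
    chmod 0644 "$t/data/users.txt"                # data file too open
    printf '%s\n' "$t"
}
```

Run `audit_webroot "$(make_demo_tree)"` to see the two constructed findings; an empty result means the tree matches the policy.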