What is the best chmod for a fopen/fwrite?

  • FFMG

    What is the best chmod for a fopen/fwrite?


    Hi,

    My users can upload images in a folder on my system.
    What minimum attribute should I give the created, (@fopen($new_file,
    'wb');), files and folder?

    I limit the extension of files, (images), but I want to prevent them
    from executing any code on the server.

    What attributes would you suggest?

    FFMG


    ------------------------------------------------------------------------
    FFMG's Profile: http://www.httppoint.com/member.php?userid=580
    View this thread: http://www.httppoint.com/showthread.php?t=18736

    Message Posted via the webmaster forum http://www.httppoint.com, (Ad revenue sharing).

  • Sanders Kaufman

    #2
    Re: What is the best chmod for a fopen/fwrite?

    FFMG wrote:
    > Hi,
    >
    > My users can upload images in a folder on my system.
    > What minimum attribute should I give the created, (@fopen($new_file,
    > 'wb');), files and folder?
    >
    > I limit the extension of files, (images), but I want to prevent them
    > from executing any code on the server.
    >
    > What attributes would you suggest?

    Just a note about this.
    I found out a few years ago that you also should strip header
    information out of GIF images. You can put PHP code in there, and it
    executed when the gif is displayed.

    Freaky.


    • gosha bine

      #3
      Re: What is the best chmod for a fopen/fwrite?

      On 25.07.2007 07:47 FFMG wrote:
      > Hi,
      >
      > My users can upload images in a folder on my system.
      > What minimum attribute should I give the created, (@fopen($new_file,
      > 'wb');), files and folder?
      >
      > I limit the extension of files, (images), but I want to prevent them
      > from executing any code on the server.
      >
      > What attributes would you suggest?
      >
      > FFMG

      A file must be readable by the webserver, so if php runs as web server
      user, the minimal chmod would be 400. However, if you want to access it
      in other ways, e.g. per FTP under your own credentials, you have to
      grant it 444 or even 666 (== read-write by everyone - this does not mean
      "by everyone on the web" though)

      Code execution has in general nothing to do with permissions. Webserver
      will only execute a file if explicitly instructed to execute files with
      given extension. So, if the file extension is ".php" it will be
      executed, if the extension is ".gif" it won't, even if it contains
      chunks of php code.

      That is, the protection from "remote execution" attacks of this kind is
      quite simple: if you offer file uploads, always make sure file extension
      matches its content and only allow extensions from your whitelist.


      --
      gosha bine

      makrell ~ http://www.tagarga.com/blok/makrell
      php done right ;) http://code.google.com/p/pihipi


      • FFMG

        #4
        Re: What is the best chmod for a fopen/fwrite?


        Sanders Kaufman;83072 Wrote:
        > FFMG wrote:
        >> Hi,
        >>
        >> My users can upload images in a folder on my system.
        >> What minimum attribute should I give the created, (@fopen($new_file,
        >> 'wb');), files and folder?
        >>
        >> I limit the extension of files, (images), but I want to prevent them
        >> from executing any code on the server.
        >>
        >> What attributes would you suggest?
        >
        > Just a note about this.
        > I found out a few years ago that you also should strip header
        > information out of GIF images. You can put PHP code in there, and it
        > executed when the gif is displayed.
        >
        > Freaky.

        More the reason why I should prevent the 'image' from executing.

        So what attributes should I set then?

        FFMG


        • Michael Fesser

          #5
          Re: What is the best chmod for a fopen/fwrite?

          ..oO(FFMG)

          > Sanders Kaufman;83072 Wrote:
          >> Just a note about this.
          >> I found out a few years ago that you also should strip header
          >> information out of GIF images. You can put PHP code in there, and it
          >> executed when the gif is displayed.
          >
          > More the reason why I should prevent the 'image' from executing.

          Whether the webserver will "execute" a file primarily depends on the
          file extension. A file myImage.gif.php doesn't even have to have any
          execution bits set - if the server can read it, PHP can load and
          interpret it.

          > So what attributes should I set then?

          Nothing special. The file just has to be readable for the webserver.

          Just keep an eye on the file extension, especially if you allow users to
          directly access their uploaded files:

          Or use a script to deliver the files to the user, so the webserver won't
          even try to handle the file on its own.

          Micha

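As an added example (not code from the thread or from any poster), here is one way to do what Micha describes: deliver uploaded images through a PHP script instead of letting the webserver map a URL straight onto the upload directory. It assumes the uploads live outside the document root in /var/www/uploads, that files were stored under server-chosen hexadecimal names with a whitelisted extension, and that they are requested as image.php?f=<token>.<ext>; the directory, the naming scheme and the parameter name are all assumptions.

```php
<?php
// Added example, not from the thread. Serve an uploaded image from a
// directory the webserver itself never maps a URL onto.
// Assumptions: $uploadDir is outside DocumentRoot, stored files are named
// "<hex token>.<whitelisted ext>", and the request is image.php?f=<name>.

$uploadDir = '/var/www/uploads';   // assumption: not under DocumentRoot
$allowed = [                       // stored extension => MIME type we are willing to send
    'gif' => 'image/gif',
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
];

$name = $_GET['f'] ?? '';

// Only accept exactly the shape we created on upload. This rejects "../",
// "x.gif.php", embedded NUL bytes and any extension outside the whitelist.
if (!preg_match('/\A([a-f0-9]{6,64})\.(gif|jpg|png)\z/', $name, $m)) {
    http_response_code(404);
    exit;
}
$ext  = $m[2];
$path = $uploadDir . '/' . $name;

// realpath() resolves symlinks; insist the result is still inside $uploadDir.
$real = realpath($path);
if ($real === false || strpos($real, realpath($uploadDir) . '/') !== 0 || !is_file($real)) {
    http_response_code(404);
    exit;
}

// Do not trust the extension alone: getimagesize() (core PHP, no GD needed)
// reports what the bytes actually are. Extension and content must agree.
$info = @getimagesize($real);
if ($info === false || $info['mime'] !== $allowed[$ext]) {
    http_response_code(404);
    exit;
}

// Send it as a plain static image: explicit type, no browser sniffing,
// and never through any script handler.
header('Content-Type: ' . $allowed[$ext]);
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: inline; filename="' . $name . '"');
header('Content-Length: ' . filesize($real));
readfile($real);
```

Because the upload directory is not under the document root, a request for any name the webserver would treat as a script never reaches a handler; the only way to the bytes is through this script, which always sends them with an image Content-Type.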

          • C.

            #6
            Re: What is the best chmod for a fopen/fwrite?

            On 25 Jul, 07:27, Sanders Kaufman <bu...@kaufman.net> wrote:
            > FFMG wrote:
            >> Hi,
            >>
            >> My users can upload images in a folder on my system.
            >> What minimum attribute should I give the created, (@fopen($new_file,
            >> 'wb');), files and folder?
            >>
            >> I limit the extension of files, (images), but I want to prevent them
            >> from executing any code on the server.
            >>
            >> What attributes would you suggest?

            What is your security model?

            I'd usually go with drwxrSxr-x for upload dirs (with a group including
            webserver uid and web developer uids) and -rw-rw-r-- for files. But a
            group excluding web server uid for non-uploaded content.

            > Just a note about this.
            > I found out a few years ago that you also should strip header
            > information out of GIF images. You can put PHP code in there, and it
            > executed when the gif is displayed.

            This only applies if the PHP parsing engine is invoked on the file.
            This is usually determined by the file extension:

            >> I limit the extension of files,

            But it's probably better practice to convert to a different img format
            and back again using GD to be on the safe side.

            C.

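The following is an added example (not code from the thread or from any poster) that puts together the advice from gosha bine's reply (whitelist the extension and make sure it matches the content) and C.'s reply (re-encode through GD, store files as -rw-rw-r--). It assumes the form field is named "image", that the upload directory is /var/www/uploads outside the document root, and that the directory's group already includes the webserver uid; the field name, the directory and the 2 MiB size cap are assumptions.

```php
<?php
// Added example, not from the thread. Accept an image upload, decide its type
// from the bytes, re-encode it through GD, and store it under a server-chosen
// name with explicit, non-executable permissions.
// Assumptions: field "image", $uploadDir outside DocumentRoot, PHP >= 7.1 with GD.

$uploadDir = '/var/www/uploads';   // assumption
$maxBytes  = 2 * 1024 * 1024;      // assumption: 2 MiB cap

// IMAGETYPE_* constant => [stored extension, GD decoder, GD encoder]
$allowed = [
    IMAGETYPE_GIF  => ['gif', 'imagecreatefromgif',  'imagegif'],
    IMAGETYPE_JPEG => ['jpg', 'imagecreatefromjpeg', 'imagejpeg'],
    IMAGETYPE_PNG  => ['png', 'imagecreatefrompng',  'imagepng'],
];

function fail(string $msg): void {
    http_response_code(400);
    echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
    exit;
}

$f = $_FILES['image'] ?? null;
if ($f === null || $f['error'] !== UPLOAD_ERR_OK) fail('no file');
if ($f['size'] > $maxBytes) fail('too large');
if (!is_uploaded_file($f['tmp_name'])) fail('not an upload');

// 1. Decide the type from the content, not from the client-supplied name.
$info = @getimagesize($f['tmp_name']);
if ($info === false || !isset($allowed[$info[2]])) fail('not a supported image');
[$ext, $decode, $encode] = $allowed[$info[2]];

// 2. Re-encode through GD. Only pixel data survives the round trip, so
//    anything tucked into headers, comments or trailing bytes is dropped.
$img = @$decode($f['tmp_name']);
if ($img === false) fail('image could not be decoded');
if ($info[2] === IMAGETYPE_PNG) {       // keep PNG transparency across the re-encode
    imagealphablending($img, false);
    imagesavealpha($img, true);
}

// 3. The stored name is ours: random token plus the extension from step 1.
//    A user-chosen name such as "x.gif.php" never reaches the disk.
$token = bin2hex(random_bytes(16));
$dest  = $uploadDir . '/' . $token . '.' . $ext;

$ok = $encode($img, $dest);
imagedestroy($img);
if (!$ok) fail('could not save');

// 4. The mode GD created the file with depends on the process umask; make it
//    explicit: rw-rw-r-- as C. suggests, so the developer group can manage
//    the file and no execute bit is ever set.
chmod($dest, 0664);

header('Content-Type: text/plain');
echo "stored as $token.$ext\n";
```

Two things to keep in mind: re-encoding flattens animated GIFs to their first frame and strips EXIF metadata, which is usually what you want for user uploads; and the permissions in step 4 only matter for CGI-style setups (Toby's point further down), since with mod_php the deciding factor is the extension, which step 3 controls.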

            • Rik

              #7
              Re: What is the best chmod for a fopen/fwrite?

              On Wed, 25 Jul 2007 08:27:55 +0200, Sanders Kaufman <bucky@kaufman.net>
              wrote:
              > Just a note about this.
              > I found out a few years ago that you also should strip header
              > information out of GIF images. You can put PHP code in there, and it
              > executed when the gif is displayed.

              Only on lousy webserver setups.
              --
              Rik Wasmus


              • Toby A Inkster

                #8
                Re: What is the best chmod for a fopen/fwrite?

                gosha bine wrote:
                > Code execution has in general nothing to do with permissions.

                Unless CGI is available on the server, in which case the execute bit is
                rather important.

                --
                Toby A Inkster BSc (Hons) ARCS
                [Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
                [OS: Linux 2.6.12-12mdksmp, up 36 days, 17:43.]


                • gosha bine

                  #9
                  Re: What is the best chmod for a fopen/fwrite?

                  On 27.07.2007 16:05 Toby A Inkster wrote:
                  > gosha bine wrote:
                  >> Code execution has in general nothing to do with permissions.
                  >
                  > Unless CGI is available on the server, in which case the execute bit is
                  > rather important.

                  Agreed, good point. ;)

                  --
                  gosha bine

                  makrell ~ http://www.tagarga.com/blok/makrell
                  php done right ;) http://code.google.com/p/pihipi
