Securing a directory with 777 or 775 permissions

Posted by Stanislav Furman  on July 6, 2014

If in your project you have a publicly accessible directory that has full permissions (777), then it may cause serious security issues. An attacker may put an executable script or binary on your host and then run it remotely. This is a major security whole and it may lead to major problems if someone decides to attack your website.

However, sometimes on some shared webhosting servers you need have a folder that has risky 777 permissions (or, if possible, 775 which is a little bit better). As an example you can consider a folder where website users can upload their photos or images. In this case it opens a security whole for potential attackers. But, there are a few techniques that can help you to keep your website safe.

First of all, 777 permissions -  is bad! Period! If you have control other your web server (e.g. you're using a VPS or dedicated server), then you need to create a group containing both Apache and FTP users as group members. Then set 775 permissions on the upload folder. This will give Apache and FTP users the ability to write their files in the folder.

The next step is setting the folder to allow only images to be accessed. This trick can work even on virtual shared web hosting andit uses .htaccess file. Simply put an .htaccess file to the upload folder and write the following code:


Order Allow,Deny 
Deny from all 
<Files "\.(jpg|jpeg|png|gif)$">
   order deny,allow
   allow from all
</Files>

Of course, you can use this technique for other types of files like *.pdf, *.txt, *.css, *.js, etc.

Keep your website safe! ;)

Comments

Israel Bravo says:
July 15, 2014 at 01:33 am
Never give to directory permissions of 777 !
"A good example is a folder where website user can upload their photos or images." - why not to set this directory owner to web server username? It will let the server to write to this directory but will prevent other users from entering here.
For example:
chown apache:apache upload
chmod ug+rwx upload
chmod o-rwx upload

Flag as SPAM  |  Permalink
Stanislav Furman says:
July 15, 2014 at 10:18 am
Hi Israel,

I totally agree with you.
I figured that the article needed some more details and have updated it. ;)
Flag as SPAM  |  Permalink
Vasili says:
July 17, 2014 at 03:00 pm
Attackers can use the same apache group as well using holes of the web application, and secondly .htaccess does not check file type so attacker can upload an image.jpg with the php code inside.
Flag as SPAM  |  Permalink
Stanislav Furman says:
July 18, 2014 at 11:32 am
Vasili,
If Apache/PHP is set up properly, then image.jpg won't be parsed and executed as PHP file.

However, you are right, that publicly accessible folders can be used as a security hole. That's why only safe content should allowed in such folders.
Flag as SPAM  |  Permalink

Leave your comment

Fields with * are required.

* When you submit a comment, you agree with Terms and Conditions of Use.