
Proper file management on your server

x00x00 MVP
edited July 2013 in Tutorials

@aery asked this question and it is coming up a lot.

There have been some mishaps that could have been avoided.

This is meant as general advice for Linux-based servers, but it is not a substitute for properly understanding your setup and acting accordingly. You might be running additional infrastructure which needs to be in a group, etc.; this doesn't cover that.

You will probably have to adapt this to your needs. It is better to understand than to apply blindly: look up each step, understand it, and then you can adapt it.

First of all, if at all possible, assign most files and folders to a user and group that are different from the web user. If you are on a shared host, often you aren't able to do that :/

Ideally you have SSH access. Assuming your user and group are aery, you can find this out with:

$ who
aery     tty8         2013-07-24 07:41 (:0)
$ groups aery
aery : aery adm cdrom sudo dip plugdev lpadmin sambashare

So in your case use the obvious one, aery, the user you have logged in to SSH with.

To get the web user and group, make sure the server is running, then:

$ ps aux | grep -i apache
www-data      3864  0.0  0.0   4388   848 pts/3    R+   08:13   0:00 grep --colour=auto -i apache
$ groups www-data
www-data : www-data

For nginx, just change ps aux | grep -i apache to ps aux | grep -i nginx. The first column is the process owner, i.e. the web user; ignore the line for the grep command itself, which runs as you.

Now apply the permissions:

$ cd /path/to/web/folder
/path/to/web/folder $ sudo chown -R aery:aery .
/path/to/web/folder $ sudo find . -type d -exec chmod 755 {} \;
/path/to/web/folder $ sudo find . -type f -exec chmod 644 {} \;

That assigns the user and group to all the files/folders in the folder, and sets all folders to 0755 and all files to 0644.

Now assign the web user to the writable directories, and open up write permission:

/path/to/web/folder $ sudo chown -R www-data:www-data ./uploads
/path/to/web/folder $ sudo chown -R www-data:www-data ./cache
/path/to/web/folder $ sudo chown www-data:www-data ./conf
/path/to/web/folder $ sudo chmod -R 0775 ./uploads
/path/to/web/folder $ sudo chmod -R 0775 ./cache
/path/to/web/folder $ sudo chmod 0775 ./conf
/path/to/web/folder $ sudo chmod 0775 ./conf/config.php

Note I'm only giving conf the owner, not recursively setting the owner in conf, and only assigning write permission to the folder and config.php, as that is the only file that needs write permissions there. That is assuming that config.php already exists; if so, it should be written.

DO NOT give write permissions to any other files and folders until you know this is needed.
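An added example, not part of x00x00's post: a small POSIX shell audit that checks a web root against the scheme above (directories 0755, files 0644, only the named writable paths at 0775) and reports anything that has drifted, such as the dreaded 777. It assumes GNU coreutils stat on Linux; the sample tree it builds is constructed for illustration and is not a real Vanilla install.

```shell
#!/bin/sh
# Audit a web root for drift from the scheme above: directories 0755,
# files 0644, and only the listed writable paths (uploads, cache, conf,
# conf/config.php in the post) at 0775. Anything else, notably 0777 or a
# script left world-writable, is reported. Assumes GNU coreutils stat
# (stat -c %a); needs no root, since it only reads modes.

# under_writable REL WRITABLE... : true if REL is one of WRITABLE or inside it
under_writable() {
    p=$1; shift
    for w in "$@"; do
        case "$p" in
            "$w"|"$w"/*) return 0 ;;
        esac
    done
    return 1
}

# audit_webroot ROOT [WRITABLE_REL ...] : prints "expected actual path"
# for every entry whose mode deviates; prints nothing when the tree is clean.
audit_webroot() {
    root=$1; shift
    find "$root" -mindepth 1 \( -type d -o -type f \) -print | LC_ALL=C sort |
    while IFS= read -r path; do
        rel=${path#"$root"/}
        actual=$(stat -c '%a' "$path")
        if under_writable "$rel" "$@"; then
            want=775             # the web user's group may write here
        elif [ -d "$path" ]; then
            want=755
        else
            want=644
        fi
        [ "$actual" = "$want" ] || printf '%s %s %s\n' "$want" "$actual" "$rel"
    done
}

# make_sample_tree DIR : constructed sample web root (not a real install)
# with two of the mistakes the post warns about: a 0777 uploads directory
# and a world-writable script under library/.
make_sample_tree() {
    d=$1
    mkdir -p "$d/uploads" "$d/cache" "$d/conf" "$d/library"
    : > "$d/index.php"; : > "$d/conf/config.php"; : > "$d/library/core.php"
    find "$d" -type d -exec chmod 755 {} \;
    find "$d" -type f -exec chmod 644 {} \;
    chmod 775 "$d/uploads" "$d/cache" "$d/conf" "$d/conf/config.php"
    chmod 777 "$d/uploads"           # the dreaded 777
    chmod 666 "$d/library/core.php"  # code that nobody should be writing to
}
```

Run it against a real tree as audit_webroot /path/to/web/folder uploads cache conf conf/config.php; an empty result means the tree matches the scheme.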

For most of you on a cheap shared web host without shell access, I'm afraid your options are limited due to a lazy culture in this industry. You probably only have one user, no power or interface to set permissions appropriately, and no way to switch user.

In that case your only real option is to assign the permissions as you can, which is probably 755, and the dreaded 777 (which should really never be used). You could make a home-based script that recursively browses the directories via FTP so you can set the files and directories separately.

You could also nag your web host, and tell them how rubbish they are for implementing such a half-baked solution.

You need to know the difference between server rules and file permissions. Ultimately it is your server that determines what people have access to over the web. File permissions determine what your server, your scripts and other users can do with those files; both help stop malicious actions if done appropriately.

Now you are still going to have to hide some files in your server rules, such as .htaccess, which you wouldn't want to have direct public access to. Think logically about what really needs direct access, and deny to the outside world anything that shouldn't be seen. This is a whole other area which I'm not covering here.

Vanilla does put a line in its scripts which stops them from being directly accessed, so you don't have to go as far as denying direct access to all PHP files except index.php.

Do not allow people to browse your physical web folders. The cheat method is to put an index.html in each directory that doesn't have one, but it is better to set up your server accordingly (disable directory listings), and you won't be sorry.

As a webmaster you have a responsibility to learn these things, so I recommend getting a book on being a webmaster, or on basic server management, if you feel you don't know them.

A lot of web hosts are very sales-oriented, so they don't really care about competence or good practice.

grep is your friend.

Comments

    A good server setup should be like a West Country farmer waving a shotgun, telling folk 'Get off my land!' Or West Virginia hospitality.

    If in doubt, deny; you could always change it later.