How to change configuration for all 777 folders w/o using htaccess
Posted by beautiful mind, 08-16-2011, 05:08 PM |
Hey all,
I am looking for a way to specify the configuration for all folders with 777 permissions without using .htaccess for every folder. Perhaps there's a way to do that using the httpd.conf file?
To make it clearer, I want to do something like this:
Thanks
Last edited by beautiful mind; 08-16-2011 at 05:11 PM.
|
Posted by HelpingHost, 08-17-2011, 08:41 AM |
While I do not have a solution for you, if you are trying to increase security this way, keep in mind that PHP scripts can be in folders that are NOT set to 777 but still write to folders that are set to 777, independently of your Apache directive.
For example, the cache folders of most apps are 777 when run under mod_php, while the other folders are 755. So the hacker just executes the vulnerable script in the 755 folder, uploading his exploit into the cache folder.
|
Posted by beautiful mind, 08-17-2011, 12:24 PM |
Exactly, I want the user to be able to write PHP files in 777 folders (i.e. the cache folder), but not execute them there. I know I can accomplish that by using .htaccess files. But I want to disable all HTTP configuration overrides on the server.
Last edited by beautiful mind; 08-17-2011 at 12:30 PM.
|
Posted by HelpingHost, 08-17-2011, 10:21 PM |
I see what you mean.
OK, based on that, you are obviously running PHP under mod_php.
So how about enabling mod_security and only using this rule:
SecRule SCRIPT_GROUPNAME "!^apache$"
Since you are running under mod_php, the uploaded file will be owned by the Apache user, and when it is executed the rule would block it.
There are, of course, many other attack vectors they can use to execute the uploaded file (system() and exec(), for example) where no Apache directive would help; only disabling these functions in php.ini would.
|
Posted by beautiful mind, 08-17-2011, 11:15 PM |
That seems so helpful. So, if I understood you correctly, this rule, SecRule SCRIPT_GROUPNAME "!^nobody$", will block all files owned by the user "nobody" from being executed, but they can still be read?
Sorry but I am not so familiar with mod_sec.
Thanks HelpingHost
|
Posted by HelpingHost, 08-17-2011, 11:23 PM |
Actually, it would block all files owned by the user or group:
This would be the exact rule for mod_sec 2:
SecRule SCRIPT_USERNAME "^nobody$" log,deny
SecRule SCRIPT_GROUPNAME "^apache$" log,deny
Thinking about it, it would of course be better if that were chained with a ".php files only" rule.
I have to admit though that my mod_sec knowledge is not that good either.
Does anybody else know how to limit the above rule(s) to .php files only?
|
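As an added example (not code from the thread, and not HelpingHost's rules), here is the chain that post asks for, in ModSecurity 2 syntax: the deny fires only when the requested file is a PHP script AND the file on disk is owned by the web server's user or group, i.e. a file that a script running under mod_php could itself have written into a 777 directory. It assumes the server runs as user nobody and group apache, as in the posts above; the rule ids are arbitrary (ModSecurity 2.7 and later refuse rules without an id). The SCRIPT_* variables are only meaningful once Apache has mapped the request to a file, so the rules run in phase 2.

```apache
# Added example, not from the thread. Block direct execution of PHP scripts
# that are owned by the web server's own user or group, i.e. files a PHP
# script running under mod_php could have dropped into a world-writable (777)
# directory. Assumes User nobody / Group apache as in the posts above; change
# both to match the User/Group directives in your httpd.conf. Rule ids are
# arbitrary (ModSecurity 2.7+ refuses rules without an id).
SecRuleEngine On

# Rule 1: the request maps to a PHP script AND the file on disk is owned by
# the web server user. 'chain' makes the disruptive action (deny) fire only
# if every rule in the chain matches. SCRIPT_* variables need the request to
# be mapped to a file first, so the chain runs in phase 2, not phase 1.
SecRule REQUEST_FILENAME "\.ph(p[345]?|tml)$" \
    "id:1000001,phase:2,chain,deny,status:403,log,msg:'PHP script owned by the web server user'"
    SecRule SCRIPT_USERNAME "^nobody$"

# Rule 2: the same check for the web server group, so a file with a different
# owner but group apache is blocked as well.
SecRule REQUEST_FILENAME "\.ph(p[345]?|tml)$" \
    "id:1000002,phase:2,chain,deny,status:403,log,msg:'PHP script owned by the web server group'"
    SecRule SCRIPT_GROUPNAME "^apache$"
```

Put these in httpd.conf or a file pulled in with Include, not in .htaccess (ModSecurity 2 does not evaluate SecRule from .htaccess anyway). Run them with SecRuleEngine DetectionOnly first: an application that legitimately writes PHP files itself (a compiled template cache, for instance) will have its own pages blocked by this chain. As HelpingHost already points out, this only covers execution through a direct request; a script in a 755 folder that pulls the dropped file in with include(), system() or exec() is not stopped by any Apache rule.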
Posted by brianoz, 08-20-2011, 08:44 PM |
The usual way to do this is with suphp and family. Not sure if suhosin will do this.
Of course, mode 777 anywhere in a website is a huge mistake and problem, and even more so on a shared server. If you're on a shared server, you should look at getting your host to implement suphp or similar. To clarify, suphp is a little ancient, but there are similar approaches that make sure that user code doesn't all run under the same user.
Another approach would be something like:
- where .htaccess777 is a file that prevents all code execution, and this script should be put in a file and run hourly (less often if the website hierarchy is large). This isn't as nice as the mod_sec approach, if you can make it work, as it won't catch brand new writable directories.
|
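brianoz does not show what .htaccess777 contains. As an added example (not from the thread), the following httpd.conf fragment applies the same kind of protection centrally, without any .htaccess file at all, which is what the original question asked for: it switches the PHP engine off and refuses to serve script files in every directory named cache, tmp or uploads anywhere under /var/www (and in their subdirectories), and disables .htaccess overrides entirely. The document root and directory names are assumptions; the syntax is Apache 2.4 (Require), and the php_admin_flag line needs mod_php.

```apache
# Added example, not from the thread. Central (httpd.conf) replacement for a
# per-directory .htaccess: no PHP execution in the writable directories, and
# no .htaccess overrides anywhere. /var/www and the directory names
# cache/tmp/uploads are assumptions; adjust the regex to wherever your 777
# directories actually live.

# What the original question asked for: stop honouring .htaccess at all.
# AllowOverride is only valid in a plain <Directory> block, not in
# <DirectoryMatch>, so it goes here.
<Directory "/var/www">
    AllowOverride None
</Directory>

# Every directory named cache, tmp or uploads below /var/www. The pattern is
# not anchored at the end, so subdirectories of those directories match too.
<DirectoryMatch "^/var/www/(.*/)?(cache|tmp|uploads)(/|$)">
    # mod_php: turn the engine off so .php files are never executed here.
    # php_admin_flag cannot be overridden by ini_set() or by a .htaccess.
    php_admin_flag engine off

    # The part that also works when PHP runs as CGI/FastCGI/php-fpm instead
    # of mod_php: never serve script files from here at all, so a dropped
    # shell cannot even be fetched as plain text.
    <FilesMatch "\.(ph(p[345]?|tml|ar)|cgi|pl|py|sh)$">
        Require all denied
    </FilesMatch>

    # No CGI and no directory listings in writable directories either.
    Options -Indexes -ExecCGI
</DirectoryMatch>
```

Unlike the hourly script, this needs no re-scanning: a newly created cache/ directory anywhere under /var/www is covered the moment it exists, as long as it matches the pattern. The converse is the trade-off: a 777 directory with a name the regex does not list is not covered, so the names have to be kept in step with what the applications actually create. Note that disable_functions (HelpingHost's point about system() and exec()) cannot be set per directory in httpd.conf; it belongs in php.ini.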