The standard chmod privileges are "644" for files and "755" for directories, aren't they?
In most cases, PHP doesn't need to write to files or directories. So couldn't I take the write privileges from all groups?
I could assign "444" to all files and "555" to all directories.
Wouldn't that be more secure?
Thanks in advance!
Note: chmod() is on my PHP's disable_functions list.
Permissions of 644 mean that the owner of the file has read and write access, while the group members and other users on the system only have read access.
Some file permission examples: 777 - all can read/write/execute (full access). 755 - owner can read/write/execute, group/others can read/execute.
chmod 775 is an essential command that assigns read, write, and execute permissions to a specific user, group, or others.
Using this table, we can see that chmod 740 means the resulting permissions are going to be rwx, then r--, then ---, or rwxr-----, meaning full permissions for the owner, read-only for the group, and nothing for the other users.
The default permissions for newly created files and directories are set by the umask environment variable. The file's owner and root can change the permissions.
If you don't need to use chmod in your app, then leave it in your disable list. The way you should look at security is: Many people smarter than me have now made chmod one of the more secure parts of my application. Therefore, I will spend my available time making the other parts secure.
Making your application read-only, on the server, is ok to do if you automate it. When you make changes to your application code, it's going to make things very difficult for you though. At some point, you will go back and forth, making some code changes and testing them on the server... and then forget to reset your file/directory permissions back to read only.
If you only have 1 user account on your production machine, I would just stick with the default permissions; things are probably managed for you. Or you can remove group and "other" permissions, as described below.
A typical production setup would be to have an application group that you belong to. You also want a separate user for running your PHP application. Keep full permissions for the owner and group, and remove all permissions from "other". This way:
I'm guessing it's someone else's job to manage your production server? They will spend time to make sure no one can log in and poke around. While you do need to make sure no one can run operating system commands, I think the best place to start is to learn about XSS. The default PHP server settings should be ok. The least secure part of the application is the part only you have seen. If someone is going to access a system call, it is most likely to be through a form. Even if you eliminate system calls, the forms are still susceptible to storing JavaScript. Unless you are storing credit cards in your application, the more likely target would be the password/session in your user's browser.
It's not more secure since PHP can always do chmod 777 even on 000-chmoded files (if they are owned by PHP). However, it's safer since you cannot write to these files without chmoding them first.
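The following shell sketch is an added example, not code from any of the posts above. It applies the question's 444/555 proposal to a constructed sample tree, counts what is still writable, and then shows the last answer's point that the owning account can simply put the write bit back. All function names and the sample files are hypothetical, and it uses the shell's chmod rather than PHP's chmod().

```shell
#!/bin/sh
# Constructed sample web root: two PHP files and one subdirectory.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/inc"
    echo '<?php echo "index";' > "$root/index.php"
    echo '<?php // config' > "$root/inc/config.php"
    echo "$root"
}

# The question's proposal: 444 for files, 555 for directories.
harden_readonly() {
    find "$1" -type f -exec chmod 444 {} +
    find "$1" -type d -exec chmod 555 {} +
}

# Count entries that still carry any write bit (owner, group or other).
count_writable() {
    find "$1" \( -perm -200 -o -perm -020 -o -perm -002 \) | wc -l | tr -d ' '
}

# The last answer's point: the owner of a file can put the write bit back.
# Returns 0 if the current user could re-enable writing and modify the file.
owner_can_restore() {
    chmod u+w "$1" 2>/dev/null && echo '// modified' >> "$1" 2>/dev/null
}

# Undo the hardening so the sample tree can be deleted again.
cleanup_tree() {
    chmod -R u+w "$1" && rm -rf "$1"
}

# Demo run on the constructed tree.
tree=$(make_sample_tree)
harden_readonly "$tree"
echo "writable after hardening: $(count_writable "$tree")"
owner_can_restore "$tree/index.php" && echo "owner re-enabled writing on index.php"
echo "writable after owner chmod: $(count_writable "$tree")"
cleanup_tree "$tree"
```

When the files belong to a different account than the one PHP runs as, the chmod in owner_can_restore fails for the PHP account, because only a file's owner or root may change its mode. That is what the separate user in the "typical production setup" answer provides.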