
risk of chmod 0777

Hi all,

I've a directory in which I save pictures of items to sell. Those pictures
are uploaded by users and I've an ftp program that needs to resize some of
them (too long to explain why).
Since the owner is httpd and I connect to the ftp server using another
user, I can't modify them as they are protected (mode 0644) and I can't
change any group rights.

I can create a script (user httpd) that does change the mode to 0777 but
since I understand NOTHING about rights, is this idea a bad idea??? What do
I risk? My ftp doesn't have any guest access!

Thanks for helping.

Also joker question: what does "execute" mode mean?

Bob
Jul 3 '07 #1
In our last episode, <46**********************@news.sunrise.ch>, the lovely
and talented Bob Bedford broadcast on comp.lang.php:
> Hi all,
>
> I've a directory in which I save pictures of items to sell. Those pictures
> are uploaded by users and I've an ftp program that needs to resize some of
> them (too long to explain why).
> Since the owner is httpd and I connect to the ftp server using another
> user, I can't modify them as they are protected (mode 0644) and I can't
> change any group rights.
>
> I can create a script (user httpd) that does change the mode to 0777 but
> since I understand NOTHING about rights, is this idea a bad idea???
Exceedingly horrible.
> What do I risk?
Essentially your server and all the data you have on it and your reputation
if your server is compromised in such a way as to produce an annoyance on
the internet.
> My ftp doesn't have any guest access!
If the httpd files are 644, anyone, even ftp running as nobody (i.e. the
least privileged user) can read them. Your program using ftp can read the
files, modify them, and write them to a place where it does have write
privileges. You shouldn't be serving raw uploads anyway. The problem is:
if you can write these files via anonymous ftp, so can anyone else.

Files should be sanitized, resized, and moved by the php that handles the
POST data.
> Thanks for helping.
>
> Also joker question: what does "execute" mode mean?
It means it is allowable for the file to be executed as a program, and if
you do not see why this is a bad idea for uploaded files, you need to get
out of the computer business. For some servers (i.e. apache), the execute
bit is used to indicate that the file should be parsed for server-side
includes when it is being served. At the very best this is a waste of the
server's time if the file is an image which naturally should not contain any
server instructions. At worst, it would allow malicious server instructions
in an image file to be executed. Don't set the execute bit on any file that
should not contain SSIs.

--
Lars Eighner <http://larseighner.com/> <http://myspace.com/larseighner>
Countdown: 567 days to go.
Friends of Lizbeth: help replace failed a/c at Austin's no-kill shelter
<https://secure.groundspring.org/dn/index.php?aid=12349>
Jul 3 '07 #2
Hi Lars, thanks for replying.
> > What do I risk?
>
> Essentially your server and all the data you have on it and your reputation
> if your server is compromised in such a way as to produce an annoyance on
> the internet.
> > My ftp doesn't have any guest access!
>
> If the httpd files are 644, anyone, even ftp running as nobody (i.e. the
> least privileged user) can read them. Your program using ftp can read the
> files, modify them, and write them to a place where it does have write
> privileges. You shouldn't be serving raw uploads anyway. The problem is:
> if you can write these files via anonymous ftp, so can anyone else.
No, anonymous access to FTP is disabled. So no risk, I think.
Anyway, 644 doesn't allow me to write to it, as with my program I'm not
httpd... so I'm stuck. As I understand it, to have the right to write to
this dir I must set 664 instead of 777; this way I may read and write to the
directory. If not, I have to set it to 666; keeping in mind there is no
anonymous access, I should be ok??? Could you please confirm this?
> Files should be sanitized, resized, and moved by the php that handles the
> POST data.
As it's a shared server, big images (more than 4 million pixels, quite common
these days) can't be resized in the PHP script due to the memory limit;
that's why I do it over an ftp connection from my own program (a compiled
program).
> > Also joker question: what does "execute" mode mean?
>
> It means it is allowable for the file to be executed as a program, and if
> you do not see why this is a bad idea for uploaded files, you need to get
> out of the computer business. For some servers (i.e. apache), the execute
> bit is used to indicate that the file should be parsed for server-side
> includes when it is being served. At the very best this is a waste of the
> server's time if the file is an image which naturally should not contain any
> server instructions. At worst, it would allow malicious server instructions
> in an image file to be executed. Don't set the execute bit on any file that
> should not contain SSIs.
Execute isn't set for the images dir, so that's ok.

Thanks for helping.
Jul 3 '07 #3
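Lars's point about the execute bit (#2) and Bob's comparison of 0644, 0664, 0666 and 0777 (#3), worked through as an added example that is not code from the thread: a model of the Unix permission check with constructed uids/gids for the httpd owner and the ftp account, showing which candidate modes let a non-owner write and which a defender would flag in an upload directory.

```python
# Added example, not from the thread: a model of the Unix permission check
# applied to Bob's candidate modes. uids/gids are constructed for illustration;
# "httpd" owns the uploads, the ftp user is a different account.
import stat

HTTPD_UID, HTTPD_GID = 48, 48           # constructed ids for the web server user
FTP_UID, FTP_GID = 1001, 1001           # constructed ids for the ftp account

CLASS_BITS = {  # which (r, w, x) bits apply to each permission class
    "owner": (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    "group": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    "other": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
}

def permission_class(file_uid, file_gid, uid, gids):
    """Unix DAC picks exactly one class: owner, else group member, else other."""
    if uid == file_uid:
        return "owner"
    if file_gid in gids:
        return "group"
    return "other"

def allowed(mode, file_uid, file_gid, uid, gids):
    """Return (read, write, exec) that `uid` (member of `gids`) gets on the file."""
    r, w, x = CLASS_BITS[permission_class(file_uid, file_gid, uid, gids)]
    return bool(mode & r), bool(mode & w), bool(mode & x)

def risk_flags(mode):
    """What a defender should flag on files in an upload directory."""
    flags = []
    if mode & stat.S_IWOTH:
        flags.append("world-writable")          # any account on the host can alter it
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        flags.append("executable")              # the bit the thread says images never need
    return flags

def compare_modes(ftp_gids, modes=(0o644, 0o664, 0o666, 0o777)):
    """For each candidate mode: can the ftp user write, and what gets flagged."""
    result = {}
    for mode in modes:
        _, writable, _ = allowed(mode, HTTPD_UID, HTTPD_GID, FTP_UID, ftp_gids)
        result[oct(mode)] = {"ftp_can_write": writable, "flags": risk_flags(mode)}
    return result

if __name__ == "__main__":
    # Bob's case: ftp user not in httpd's group -> only 0666/0777 let him write,
    # and both make the file world-writable. With a shared group, 0664 suffices.
    for label, gids in (("ftp alone", {FTP_GID}), ("ftp in httpd group", {FTP_GID, HTTPD_GID})):
        print(label, compare_modes(gids))
```

The second scenario is the least-privilege fix the thread hints at: 0664 only helps once the ftp account shares the files' group, which on shared hosting is exactly what Bob says he cannot arrange.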
Bob Bedford schrieb:
> > Files should be sanitized, resized, and moved by the php that handles the
> > POST data.
>
> As it's a shared server, big images (more than 4 million pixels, quite common
> these days) can't be resized in the PHP script due to the memory limit;
> that's why I do it over an ftp connection from my own program (a compiled
> program).
You might be interested in taking a look at RadUpload:
http://www.radinks.com/upload/

It is a Java applet for easy FTP file upload, the pro version can resize
images at the client side, before they are uploaded, which saves upload
capacity and reduces server-side processing.

Of course it does not solve your actual chmod problem. I use a separate
FTP user (outside the www root directory) for uploads only. This is my
procedure (I am not sure if it is optimal from a security point of view;
it works even with safe_mode, anyway):
- upload files with RadUpload (logging in as upload user)
- upload user moves them into a receiving directory (chmoded 0777) via
ftp_get()
- PHP user chmods them to 0666 (else it would not be possible to delete
or download them from the server via FTP later), does all needed
post-processing and moves them into their final destination directories

Of course it would make things much easier if it were possible to hand
over a file from one user to another, or to assign FTP and PHP to one
user id. I guess the latter is possible if you configure your server
yourself; but as I always work on shared hosting I don't know about
these things.

--
Markus
Jul 4 '07 #4