LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > Programming
User Name
Password
Programming This forum is for all programming questions.
The question does not have to be directly related to Linux and any language is fair game.

Notices



Reply
 
Search this Thread
Old 10-05-2004, 03:36 PM   #1
DeathGoth
LQ Newbie
 
Registered: Jan 2004
Location: Pigh, Pa in the U.S.A.
Distribution: Redhat 9
Posts: 17

Rep: Reputation: 0
File Permissions, CHMOD problems, image included.


Hello, I am or have set up a server on a linux box running redhat 9. I have wondering why on FTP/within Linux when I set chmod to 777 it dont read as that.. such as this folder here

http://deathgoth.sytes.net:9000/files/images/chmod.jpg

As you see the CHMOD is set in ftp and in linux as 777 but its only says in this script its set at 644

script here

PHP Code:
<?php
$perms 
fileperms('/etc/passwd');

if ((
$perms 0xC000) == 0xC000) {
   
// Socket
   
$info 's';
} elseif ((
$perms 0xA000) == 0xA000) {
   
// Symbolic Link
   
$info 'l';
} elseif ((
$perms 0x8000) == 0x8000) {
   
// Regular
   
$info '-';
} elseif ((
$perms 0x6000) == 0x6000) {
   
// Block special
   
$info 'b';
} elseif ((
$perms 0x4000) == 0x4000) {
   
// Directory
   
$info 'd';
} elseif ((
$perms 0x2000) == 0x2000) {
   
// Character special
   
$info 'c';
} elseif ((
$perms 0x1000) == 0x1000) {
   
// FIFO pipe
   
$info 'p';
} else {
   
// Unknown
   
$info 'u';
}

// Owner
$info .= (($perms 0x0100) ? 'r' '-');
$info .= (($perms 0x0080) ? 'w' '-');
$info .= (($perms 0x0040) ?
           ((
$perms 0x0800) ? 's' 'x' ) :
           ((
$perms 0x0800) ? 'S' '-'));

// Group
$info .= (($perms 0x0020) ? 'r' '-');
$info .= (($perms 0x0010) ? 'w' '-');
$info .= (($perms 0x0008) ?
           ((
$perms 0x0400) ? 's' 'x' ) :
           ((
$perms 0x0400) ? 'S' '-'));

// World
$info .= (($perms 0x0004) ? 'r' '-');
$info .= (($perms 0x0002) ? 'w' '-');
$info .= (($perms 0x0001) ?
           ((
$perms 0x0200) ? 't' 'x' ) :
           ((
$perms 0x0200) ? 'T' '-'));

echo 
$info;
?>
This script can be found here http://us2.php.net/manual/en/function.fileperms.php


It shows the permissions on a file within the server you are running, in this case Linux..

I have been trying to fix this, I havent come up with a solution so after 2 days I figure I give you guys a shot.
 
Old 10-05-2004, 03:44 PM   #2
Stranger
Member
 
Registered: Feb 2004
Posts: 38

Rep: Reputation: 15
The image on the right shows the permissions of a directory named 'files'.

Your script fetches the permissions of the file '/etc/passwd'.

Last edited by Stranger; 10-05-2004 at 03:45 PM.
 
Old 10-05-2004, 03:56 PM   #3
Hko
Senior Member
 
Registered: Aug 2002
Location: Groningen, The Netherlands
Distribution: ubuntu
Posts: 2,530

Rep: Reputation: 108Reputation: 108
Some FTP-servers have protection against setting dangerous permissions, like 0777. I know at least Pure-FTPd can do this.
 
Old 10-05-2004, 04:02 PM   #4
Stranger
Member
 
Registered: Feb 2004
Posts: 38

Rep: Reputation: 15
Also, why on Earth would you want to make a directory writeable by world? If I recall correctly, that would give anyone permission to write to or delete the directory itself. If you made it sticky, that would at least allow only the owner of the folder permission to delete it. Correct me if I'm wrong, but I don't think that your web server will override the file permissions.

In any case, this doesn't look like a good idea. You need to have some sort of user authentication to protect your resources. Otherwise you have anarchy.

Last edited by Stranger; 10-05-2004 at 05:43 PM.
 
Old 10-05-2004, 04:22 PM   #5
Hko
Senior Member
 
Registered: Aug 2002
Location: Groningen, The Netherlands
Distribution: ubuntu
Posts: 2,530

Rep: Reputation: 108Reputation: 108
Quote:
Originally posted by Stranger
Correct me if I'm wrong, but I don't think that your web server will override the file permissions.
From "man pure-ftpd":
Quote:
-R Disallow users (even non-anonymous ones) usage of the CHMOD command. On hosting services, it may prevent newbies from doing mistakes, like setting bad permissions on their home directory. Only root can use CHMOD when this switch is enabled.
 
Old 10-05-2004, 05:01 PM   #6
Stranger
Member
 
Registered: Feb 2004
Posts: 38

Rep: Reputation: 15
Hko: I missed the fact that he was using pure-ftpd (with which i'm not familiar), and you posted while I was responding to his original post.

I had no information about the original poster's setup. Since the URL he gave uses port 9000, I wondered if he might have his site hosted on his own computer via DSL or cable and using dynamic DNS through sytes.net (with which I'm not familiar-I guessed and later verified that sytes.net offers dynamic DNS), using port 9000 due to his ISP blocking port 80.

Instead of considering his FTP server, I mentioned his web server. I don't know whether he has overriden permissions with .htaccess or what. If the original poster hasn't considered the ramifications of setting a publicly available resource to 777, what's to say that he hasn't inadvertently left telnet or any other unsecured service running. I don't know the poster's level of competence when it comes to security. I don't know all that much myself. Even if the average user wouldn't know how to delete files on his server through http, someone with more knowledge might know a way or locate a script on his server which would allow him to delete the directory even with overrides in an .htaccess. Such a malicious person might even do worse. I don't know all of the ins and outs of who would have permissions to modify files through http and how, but leaving a directory as 777 doesn't sound wise to me.

Regarding pure-ftpd, I had no way of knowing whether the original poster had used the -R switch to protect himself. If he had discussed it on linuxquestions I missed the discussion. Considering that he might be running his own server, I don't even know if he is running as root to administer his site. I don't know how much he knows about the perils of doing that.

From his screenshot, I considered that he may have somehow verified that he did indeed set the permissions as he intended. In fact, the original post mentions setting permissions in FTP and in Linux which would indicate that DeathGoth tried setting or verified the permissions through a shell or file browser on the server, which would completely bypass pure-ftpd's safety measures.

Of course, changing the permissions of this directory won't address all possible security concerns. We can only patch one hole at a time.

Last edited by Stranger; 10-05-2004 at 05:45 PM.
 
Old 10-05-2004, 06:12 PM   #7
Hko
Senior Member
 
Registered: Aug 2002
Location: Groningen, The Netherlands
Distribution: ubuntu
Posts: 2,530

Rep: Reputation: 108Reputation: 108
Quote:
Originally posted by Stranger
Hko: I missed the fact that he was using pure-ftpd (with which i'm not familiar), and you posted while I was responding to his original post.
OK, I didn't realize your were writing your post at the same time. Sorry.
BTW, it's not a fact that he using pure-ftpd, but I posted about it to show this could be very well the reason why his script didn't seem to work. And I thought you didn't believe me...
Quote:
I had no information about the original poster's setup.
So, neither did I have more info than you.

My mistake. I'm Sorry.

Last edited by Hko; 10-05-2004 at 06:15 PM.
 
Old 10-05-2004, 06:38 PM   #8
Stranger
Member
 
Registered: Feb 2004
Posts: 38

Rep: Reputation: 15
Not a problem. I just wanted to clarify.
 
Old 10-05-2004, 06:56 PM   #9
DeathGoth
LQ Newbie
 
Registered: Jan 2004
Location: Pigh, Pa in the U.S.A.
Distribution: Redhat 9
Posts: 17

Original Poster
Rep: Reputation: 0
Ok sorry for stats problems guys.. here we go.

I am running this set up.

PIII 800
256 megs of PC 133 ram
100 gig HD
32 meg vid card and some lame sound card.

S/W Wise

Redhat 9 as stated in my avator
I am running a program called xampp it can be found here
http://www.apachefriends.org/en/

The things i am running on this server are these.

Apache, MySQL, PHP, Perl, ProFTPD, phpMyAdmin, OpenSSL, Freetype, libjpeg, libpng, gdbm, zlib, expat, ming, Sablotron, libxml2, Webalizer, pdf class, ncurses, mod_perl, FreeTDS, gettext, IMAP C-Client, OpenLDAP (client lib), Turck MMCache, mcrypt, mhash, SQLite, cURL, ZZIPlib, libxslt, phpSQLiteAdmin

I am using Proftpd to run as a server.

THe security issue you guys are fering to, I need to set the folder to 777 cause the script will not work other wise, it is a webscript to allow people to upload files to the server to share with others.

I cant seem to get it going right, I will link you to the file so you can see.

http://deathgoth.sytes.net:9000/files/

As you see the permissions were set to 777, I also set it sticky to that user, and still it says its not set.

http://deathgoth.sytes.net:9000/file.../fileperm1.php

here you can see it only states its at 644 not 777

this is the proftpd config for that user..

Code:
<Anonymous /opt/lampp/htdocs>
User a person
Group a group
AnonRequirePassword on
MaxClients 3 "The server is full, hosting %m users"
DisplayLogin welcome.msg
DisplayFirstChdir .msg
AllowOverwrite off
<Limit LOGIN>
 Allow from all
 Deny from all
</Limit>
<Limit ROOT_DIR_ALLOW RETR LIST NLST MDTM SIZE STAT CWD XCWD PWD XPWD CDUP XCUP>
 AllowAll
</Limit>
<Limit ROOT_DIR_DENY DELE APPE STOR STOU SITE_CHMOD SITE_CHGRP RNFR RNTO MKD XMKD RMD XRMD>
 DenyAll
</Limit>
<Directory /opt/lampp/htdocs/*>
AllowOverwrite on
<Limit UPLOAD_DIR_ALLOW LIST NLST  STOR STOU  APPE  RETR  RNFR RNTO  DELE  MKD XMKD  RMD XRMD  SITE_CHMOD  STAT  MDTM  PWD XPWD  SIZE  CWD XCWD  CDUP XCUP  SITE >
 AllowAll
</Limit>
<Limit UPLOAD_DIR_DENY SITE_CHGRP >
 DenyAll
</Limit>
</Directory>
</Anonymous>
person and group names are changed for obvious reasons.
 
Old 10-05-2004, 07:27 PM   #10
Stranger
Member
 
Registered: Feb 2004
Posts: 38

Rep: Reputation: 15
Actually, I just did some tests.

* I logged in to a virtual terminal and logged in as another user.

* I changed the permissions of the home directory to rwx r-x r-x, giving the world permission to read.

* In the user's home directory, I created a directory named 'test' and changed the permissions of 'test' to rwx rwx rwx (777).

* I logged out of the first user's account and logged in to another account and changed to the other user's home directory.

* I tried to rename the direstory 'test', which resulted in a 'permission denied', because the parent directory (the user's home directory) didn't give the world permission to write.

* I also tried to delete the directory, which failed for the same reason.

* I changed directory to 'test' and touched 'test.txt', which created an empty file in the directory, owned by the second user, with permissions r-w r-- r--. (The new file did not inherit the directory's permissions.) Thus, the world can write to the directory and upload porn or illegal stuff to it.

* I switched back to the first user, and I changed the permissions on the user's home directory to 777.

* I switched again to the second user and changed to the first user's home directory.

* I renamed the directory successfully without any permission errors.

Conclusions:

* Setting a directory to 777 poses no risk of alteration to the directory name or location IF the parent directory doesn't give world permission to write.

* Having both the directory and the parent directory set to 777 poses a threat to the name of the directory from anyone.

* Having a directory set to 777 would allow anyone [with sufficient knowledge] to place anything in that directory.

* Of course, having a directory and its parent set to 777 would pose no risk of deletion to a non-empty directory, unless the world had permission to write to every file within the child directory.
 
Old 10-05-2004, 07:30 PM   #11
DeathGoth
LQ Newbie
 
Registered: Jan 2004
Location: Pigh, Pa in the U.S.A.
Distribution: Redhat 9
Posts: 17

Original Poster
Rep: Reputation: 0
I could have told you that.

anyway back to topic.
 
Old 10-05-2004, 07:44 PM   #12
Stranger
Member
 
Registered: Feb 2004
Posts: 38

Rep: Reputation: 15
I'm seeing all sorts of conflicting information here.

The image you referenced in your first post shows the permissions of the directory named /files/.

The script in your first post fetches and reports the permissions of the file /etc/passwd.

The page http://deathgoth.sytes.net:9000/files/ complains about the permissions of the directory /files/upload/.

I don't know which file http://deathgoth.sytes.net:9000/file.../fileperm1.php checks, because I can't see the script.

We're not comparing apples to apples here, and I don't know what to tell you.

Last edited by Stranger; 10-05-2004 at 08:18 PM.
 
Old 10-05-2004, 07:45 PM   #13
Stranger
Member
 
Registered: Feb 2004
Posts: 38

Rep: Reputation: 15
Quote:
Originally posted by DeathGoth
I could have told you that.

anyway back to topic.
Haha! I just wanted to experiment to allay my fears about setting a public resource to 777. I should have checked before spouting nonsense.

Last edited by Stranger; 10-05-2004 at 08:07 PM.
 
Old 10-05-2004, 09:00 PM   #14
DeathGoth
LQ Newbie
 
Registered: Jan 2004
Location: Pigh, Pa in the U.S.A.
Distribution: Redhat 9
Posts: 17

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by Stranger
I'm seeing all sorts of conflicting information here.

The image you referenced in your first post shows the permissions of the directory named /files/.

The script in your first post fetches and reports the permissions of the file /etc/passwd.

The page http://deathgoth.sytes.net:9000/files/ complains about the permissions of the directory /files/upload/.

I don't know which file http://deathgoth.sytes.net:9000/file.../fileperm1.php checks, because I can't see the script.

We're not comparing apples to apples here, and I don't know what to tell you.
http://deathgoth.sytes.net:9000/file.../fileperm1.php

that file i guess checks the permissons of who accesses the file to change whatever, I am not sure.. what the file is there is all the names and pws and such
refering to file /etc/passwd
 
Old 10-05-2004, 09:24 PM   #15
Stranger
Member
 
Registered: Feb 2004
Posts: 38

Rep: Reputation: 15
But http://deathgoth.sytes.net:9000/files/ doesn't need to know about /etc/passwd. It needs the right permissions for /files/upload/.

They used the file /etc/passwd as an example! You need to replace the text /etc/passwd in the script http://deathgoth.sytes.net:9000/file.../fileperm1.php with the name of the file for which you want to check permissions, which would be /files/upload/. (That's what I told you in my first response to you; your image showed one directory and the script checked a different file.)

As I said, the image you showed us in your original post shows us the permissions of the directory /files/. You need to check the permissions for /files/upload/, NOT /files/ and NOT /etc/passwd.

It looks to me as though you chmoded /files/ to 777, when you really need to chmod /files/upload/ to 777.

From your shell prompt _

Code:
$ chmod 777 /opt/lampp/htdocs/files/upload
I would also recommend that /files/ and /files/upload/ shouldn't both have 777, unless Proftpd also needs /files/ to be 777, which would be a poor design (as my experiment in my previous post shows). Perhaps /files/ should be more conservative, say 755.

Code:
$ chmod 755 /opt/lampp/htdocs/files
What we have here is a failure to communicate. It's all in the details.

Last edited by Stranger; 10-05-2004 at 10:13 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
permissions not staying using chmod after reboot dr_zayus69 Linux - Software 6 08-20-2005 04:34 AM
chmod won't change the file permissions midtown266 Linux - Newbie 12 11-28-2004 08:46 PM
Changing permissions (chmod) teyesahr Linux - Newbie 1 07-31-2003 05:52 PM
chmod and file permissions help qages Linux - General 5 01-27-2003 07:08 AM
Problems with file permissions Manyguns Linux - General 1 02-26-2002 10:51 AM


All times are GMT -5. The time now is 07:38 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration