LinuxQuestions.org
Old 04-29-2012, 06:59 PM   #1
devusr
LQ Newbie
 
Registered: Apr 2012
Posts: 3

Rep: Reputation: Disabled
chmod for web log files


Hello,

I am trying to debug a website issue and want to write to a log file from a PHP script. I don't want users, spiders, etc. to be able to read or write the file.

As I understand it chmod 700 will give the owner exclusive read/write permission, but will the website PHP script be able to update the log file, and will I be able to download the log file with FTP?

The client's site is on a shared hosting GoDaddy Linux server.

Your help is greatly appreciated.
 
Old 04-30-2012, 12:10 AM   #2
blue_print
Member
 
Registered: May 2010
Location: In world
Distribution: RHEL, CentOS, Ubuntu
Posts: 275
Blog Entries: 3

Rep: Reputation: 49
1. Which user is running the PHP scripts? Most probably that user will write in the log files. Certainly, you can limit the access to a file for a particular user using ACL

http://www.centos.org/docs/5/html/De...s-setting.html
 
1 members found this post helpful.
Old 04-30-2012, 04:24 AM   #3
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
There are a couple of challenges you face. As blue_print has alluded to, which user is running the PHP scripts. If it is your website (apache), this typically runs under a non-privileged account that is locked and does not have a home folder by design. This will limit the places in which this account can actually write anything to disk. When applications such as Apache (PHP) need to write to disk, the /tmp folder, which has 777 permissions, is usually used. In terms of the permissions, a properly secured Apache (PHP) should NOT allow a remote connection to view files outside of the directory tree or access the /tmp folder. I say properly secured because one of the most common exploits used today is to coerce Apache + PHP into giving access into locations it should not have; this being caused primarily by poorly written user code rather than the applications themselves (as long as they are sufficiently up to date and have the recommended settings).

So, the short answer is that your PHP application should be able to write to /tmp and spiders and (non shell account) users, etc. should not normally be able to access it, unless you have a security breach.
 
Old 04-30-2012, 06:46 AM   #4
devusr
LQ Newbie
 
Registered: Apr 2012
Posts: 3

Original Poster
Rep: Reputation: Disabled
Think it is resolved. Thank you!

Thank you Noway2 and blue_print for your replies. I tested writing to the log from the website, and changed permissions on the file to 700. I was able to write to the log after changing permissions, download it and view it, but I couldn't access it with a URL in a browser, so I am thinking it's secure. Does that sound right to you? I might change it to write to tmp instead and test it again.
 
Old 04-30-2012, 08:23 AM   #5
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
Quote:
but I couldn't access it with a URL in a browser, so I am thinking it's secure. Does that sound right to you?
This question can't be answered in absolute terms, at least with the information you have provided. See this thread for a recent example of where a PHP vulnerability was used to gain access to directories outside of the web documents and execute code: http://www.linuxquestions.org/questi...y-help-940481/

Chances are that it is "secure" against most and normal usage, but if you are concerned about information being leaked when confronted with a seriously pathological case you should seriously consider what type of information you are logging.
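
Added example (not part of any post in this thread): a shell check for the two exposures discussed above, permission bits that let other accounts on a shared host read the log, and a log stored inside the web document root. The function name, finding labels and demo paths are constructed for illustration; it assumes GNU `stat` and `readlink`.

```shell
#!/bin/sh
# Added example. Assumes GNU stat and readlink (Linux).

# audit_log_file FILE DOCROOT
# Prints one finding per line; returns 1 if anything was found, else 0.
audit_log_file() {
    file=$1 docroot=$2 found=0
    [ -f "$file" ] || { echo "NOT_A_REGULAR_FILE $file"; return 1; }

    mode=$(stat -c '%a' "$file")      # octal mode, e.g. 700 or 644
    owner=$(stat -c '%U' "$file")

    # Any group/other bit lets accounts other than the owner touch the file.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "GROUP_OTHER_ACCESS mode=$mode owner=$owner"; found=1
    fi

    # A log is data: the execute bits that 700 sets are not needed, 600 is enough.
    if [ $(( 0$mode & 0111 )) -ne 0 ]; then
        echo "EXEC_BIT_SET mode=$mode"; found=1
    fi

    # Mode bits only block URL access when the process serving files runs as
    # a different account than the owner. Keeping the log outside the
    # document root removes that dependency.
    file_real=$(readlink -f "$file")
    root_real=$(readlink -f "$docroot")
    case "$file_real" in
        "$root_real"/*) echo "INSIDE_DOCROOT $file_real"; found=1 ;;
    esac

    return "$found"
}

# Constructed demo: one log inside a docroot, one beside it.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/html" "$tmp/private"
    : > "$tmp/html/debug.log";    chmod 644 "$tmp/html/debug.log"
    : > "$tmp/private/debug.log"; chmod 600 "$tmp/private/debug.log"
    audit_log_file "$tmp/html/debug.log" "$tmp/html"
    audit_log_file "$tmp/private/debug.log" "$tmp/html" \
        && echo "OK $tmp/private/debug.log"
    rm -rf "$tmp"
}
demo
```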
 
Old 04-30-2012, 04:32 PM   #6
devusr
LQ Newbie
 
Registered: Apr 2012
Posts: 3

Original Poster
Rep: Reputation: Disabled
Thank you!

Thank you blue_print for your reply.

I'm logging some info for temporary debugging, but it does log some names. I just don't want anyone to be able to read names, emails. I decided to send notification to myself when the log is updated, download it and clear the log (not huge traffic - a few users a day).

Thank you again!
 
  

