Monday, June 14, 2010

suPHP - 600 permissions mess up css/images

SkyHi @ Monday, June 14, 2010


Hi all,



I'm using suphp to secure a shared web hosting server and am confused about one issue I'm having. It is my understanding that using suphp, you should be able to chmod 755 all directories and chmod 600 all files since apache runs the .php files as the user.



However, when I chmod 600 all files, the formatting of the sites gets messed up. It loses all css and if you try to view image files in the browser you get a permission denied error. Why is that?



As a temporary solution, I can chmod 644 all files and then 600 only sensitive files like config files (wp-config.php for WordPress for example), but I'd rather just chmod 600 everything.



Can anyone explain why 600 doesn't work?



With 644 permissions, any user could upload a script like:




Code:

<?php
// reads a file belonging to a different account; this only succeeds
// when that file is world-readable (644), which is the concern here
$filename = realpath("/home/user/public_html/wp-config.php");
$handle = fopen($filename, "r");
$contents = fread($handle, filesize($filename));
fclose($handle);
echo '<textarea name="textareaName" rows="46" cols="103">'.$contents.'</textarea>';
?>

and view another user's file if it is 644.



Thanks a lot for the help.

===============================================================
===============================================================



Using 600 permissions would only be for PHP files.



Apache still runs as nobody (or some other user) and needs the other user bit to be set to read.



http://www.yoursite.com/file.html



would be read as the Apache user, nobody, and would therefore need to have permissions of 644. The last 4 in that set is the other or world bit; setting it to 4 means that other users (i.e. not the owner of the file or the group owner of the file) can read the file. This is what is required for HTML, CSS, and image files.



http://www.yoursite.com/file.php



is a PHP file. In a suPHP environment, this means that access to this file is passed over to the suphp wrapper, which executes the file as the suPHP_UserGroup user defined in your Apache configuration (after some sanity checks to make sure that owner really owns the file). For this reason, PHP files can have permissions of 600 and be viewable on the web.



In practice though, there's really probably no need to have every PHP file set to 600 level permissions. You should use 600 level permissions for any script that contains any type of login information, such as MySQL database login information. This may only be in one file when talking about a PHP project such as WordPress.
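An added example, not code from the thread or from suPHP itself: a POSIX shell audit that applies the rule in the reply to a document root, flagging static files Apache's user cannot read, directories it cannot traverse, and PHP files that every other account on the box could read. It assumes `ls -ld` output with the mode string in the first ten columns.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a document root against
# the suPHP model in the reply. PHP files are executed by the suphp wrapper as
# the file owner, so they may be 0600; HTML, CSS and images are read directly
# by Apache's own user (nobody), so they need the world-read bit (0644), and
# every directory on the path needs world-execute (0755).
# Prints one line per finding; the return value is the number of findings.
audit_docroot() {
    root=$1
    findings=0
    listing=$(mktemp)
    find "$root" -print > "$listing"
    # read from a temp file rather than a pipe so the counter survives the loop
    while IFS= read -r path; do
        # ls -ld prints e.g. "-rw-r--r-- 1 user group ...": column 8 is the
        # "other" read bit and column 10 the "other" execute bit
        mode=$(ls -ld "$path" | cut -c1-10)
        o_read=$(printf '%s' "$mode" | cut -c8)
        o_exec=$(printf '%s' "$mode" | cut -c10)
        if [ -d "$path" ]; then
            # 't' is a sticky directory that still has o+x set
            if [ "$o_exec" != x ] && [ "$o_exec" != t ]; then
                echo "DIR NOT TRAVERSABLE BY APACHE: $path ($mode) -> chmod 755"
                findings=$((findings + 1))
            fi
            continue
        fi
        case "$path" in
            *.php)
                # world-readable PHP can be read by any other account's scripts,
                # the exposure in the question; under suPHP 0600 still serves fine
                if [ "$o_read" = r ]; then
                    echo "PHP WORLD-READABLE: $path ($mode) -> chmod 600"
                    findings=$((findings + 1))
                fi
                ;;
            *)
                # static files are read as nobody: without o+r Apache gets
                # permission denied, the missing-CSS symptom in the question
                if [ "$o_read" != r ]; then
                    echo "STATIC NOT READABLE BY APACHE: $path ($mode) -> chmod 644"
                    findings=$((findings + 1))
                fi
                ;;
        esac
    done < "$listing"
    rm -f "$listing"
    return "$findings"
}
```

Run it as `audit_docroot /home/user/public_html`; it reports every PHP file with the other-read bit set, so on a site where only wp-config.php needs tightening, read the PHP lines as candidates rather than mandatory changes.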


REFERENCES
http://www.webhostingtalk.com/showthread.php?t=874837