Mailing List Archive



RE: [tlug] Efficiently executing a cron job on my webhosting server



 On Fri, 6 Jul 2007 12:20:09 +0900, 
 "Dave Gutteridge" <ebisudave@example.com> wrote 
 in <7d27112b0707052020h293cbf71se22c91761135d686@example.com>:

> 
> The second is, the first time I ran the above command in 
> cron, I got an error message (via my admin email) saying 
> "permission denied". I changed the permissions to 777 just to 
> get it working. But what is the most appropriate permission 
> setting for a PHP script I'm intending to execute this way?
>

Verily I say, 777 is the number of the beast, and it shall spill
out famine across the land.

'chmod 777 anything' is like saying to the world "Hey, take me, I'm
yours."

Especially with a file that is already an accepted script.

With a file chmoded to 777, anyone who can get access to the file can
change the file and execute the file.  If it is already a script, this
is worse because it means that you are less likely to investigate
generic log messages saying it has been accessed.  After all, executables
execute, right?

Even if it were just a text file, anyone who has a Linux or Unix box, or
is just familiar with Linux and Unix (could be Windows even), could make a
safe guess as to the location of your interpreters and turn the
777ed text file into a bash, perl, ruby, or php script (or a number of
other things that they could assume might be on your machine) and do
ugly things with it.

Yes, it is true that most machines are out in the middle of cyberspace
and no one cares what is on them, or wants to spend a lot of time
breaking into them when they could just as easily send a random
Windows user a trojan and get them to install it themselves, but security
is not about keeping out the average person, or the average attacker.  It is
about the possible attacker.  That one random person who may never show,
but if they do you're screwed.

Yes, obscurity is a good tactic, but don't depend on it entirely.
Anything that is accessible publicly should not be chmoded past 755.
It should not be world writable, and in most cases it does not need to
be world executable either.  Make it readable and executable by the web
server, and if a file needs to be writable by the server, set that too.
:)
Don't be too generous though.  777 is something that should probably
never be used on a web server.  :-)  I think it is ok on a local
share directory on a shared machine, but not anywhere that the web
server can just say http://mydomain/myscript.php or similar. ^^
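
The permission ceiling described in the message above, as an added example that is not part of the original post: shell functions that list everything under a web root carrying write bits beyond 755 and then strip group and world write. The sample web root and its file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a web root for modes
# looser than 755 and tighten them. All paths are constructed for the demo.

# List files/dirs under $1 that anyone on the system may modify (o+w).
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# List files/dirs under $1 with write bits beyond 755 (group or world write).
list_beyond_755() {
    find "$1" \( -type f -o -type d \) \( -perm -0020 -o -perm -0002 \) -print | sort
}

# Drop group/world write everywhere under $1; owner bits are untouched,
# so 777 becomes 755 and 666 becomes 644.
tighten() {
    find "$1" \( -type f -o -type d \) \( -perm -0020 -o -perm -0002 \) \
        -exec chmod go-w {} +
}

# Build a constructed web root in a temp dir and print its path.
make_sample_webroot() {
    root=$(mktemp -d) || return 1
    printf '<?php echo "job"; ?>\n' > "$root/cronjob.php"
    printf 'notes\n' > "$root/readme.txt"
    printf '<?php echo "hi"; ?>\n' > "$root/index.php"
    chmod 777 "$root/cronjob.php"   # the "just to get it working" mode
    chmod 666 "$root/readme.txt"    # plain text file, still world-writable
    chmod 755 "$root/index.php"     # already within the 755 ceiling
    chmod 755 "$root"
    printf '%s\n' "$root"
}

# Show the audit before and after tightening the constructed tree.
demo() {
    root=$(make_sample_webroot) || return 1
    echo "world-writable before:"; list_world_writable "$root"
    tighten "$root"
    echo "world-writable after:";  list_world_writable "$root"
    rm -rf "$root"
}
demo
```

Files the web server itself must write to are a separate case: give the server's user ownership or group write on those specific paths rather than re-adding world write.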






