I am often confronted with negative comments whenever I want to have a PHP script write output to a file on the server.

I use the fopen(), fwrite() and fclose() functions.

The only way I know how to make this happen is to either set the permissions for the output file to 0666 or have it owned by "nobody" (which is the user that PHP runs under on our Apache web server).

So, if "0666" or "owned by nobody" are security risks, how do you successfully and securely allow a PHP script to write to a file?

Thanks for sharing guidance on this topic.

Mogsdad
H. Ferrence
  • Please explain how you are 'compromising server security' by allowing your own script to write to a file. Is writing to a DB also a security risk? Just make sure your code has no security bugs. As long as things are done right, then there are no problems. – Flukey Feb 13 '12 at 13:55
  • @Flukey ... therein lies the purpose of my question. I don't clearly see the issue. But anytime I mention I have a 0666 file on the server or a file owned by the user that PHP runs under, I receive caveat comments that go along the lines of ..."and of course you know you are opening your server to security risks". I simply want to write effective scripts without compromising server security. – H. Ferrence Feb 13 '12 at 13:59
  • 1
    As long as the file being written to is outside of the public Apache directory, then I don't see a problem. Their comments are ignorant. – Flukey Feb 13 '12 at 14:02
  • (@Flukey) Ah ha....then maybe we are getting closer to the heart of the matter. Their comments are not ignorant because the file does, in fact, reside within the public Apache directory. – H. Ferrence Feb 13 '12 at 14:19
  • So, in other words, if a file is owned by "nobody" yet resides outside the public Apache directory, then there is no security issue -- provided, of course, that my PHP script does nothing within itself to compromise server security? Forgive me for what may be perceived by SysAdmins to be a stupid question, but I am a developer and not a SysAdmin (but I am concerned about the security of my server). – H. Ferrence Feb 13 '12 at 14:21

2 Answers

3

If you need to access the files from PHP after they are uploaded then they need to be stored with permissions that let the web server (apache in this case) access them. The risk that people speak of is that some script on your site could be fooled into serving up the file. It is a hypothetical risk, but one that has occurred with many Content Management Systems. To mitigate this risk:

  1. Make the file name and path not easily guessable. If a user has a path to getfile.php?file=1.txt they can readily infer that there is a 2.txt as well. Crypt the name or make it unsequenced.
  2. Make any script that serves up files affirm things such as the logged in user, authorization to the resource and strip anything from the file name containing a path to avoid rogue references to /etc/passwd and the like.

If you just need to drop the file off and never serve it or access it via PHP again, you have some more options. Use the chmod or chown commands to make it unreadable to the apache user. If you want to be extra paranoid, have a cron script move the file (and rename it) to a location unknown within the PHP source. At least then if your server is hacked the intruder can't walk right into the directory, but we are getting toward the point where the discussion veers into operating system security.

Duane Gran
  • Thanks @DuaneGran. I will read through your answer and digest it more thoroughly shortly. But my first reaction is what do you mean by "Hash the name"? And, how do you do that and still use it in the script? – H. Ferrence Feb 13 '12 at 14:27
  • @Dr.DOT I was mistaken to suggest a hash because that is one way. My bad. As it happens, this very recent question has answers about easy crypt/decrypt functions that would work for the filename: http://stackoverflow.com/questions/9262109/php-simplest-two-way-encryption – Duane Gran Feb 13 '12 at 14:30
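
The two mitigations in the answer above (an unguessable, non-sequential file name, and a serving script that checks the logged-in user, checks authorization, and strips any path component from the requested name) together with the "keep it outside the public directory" point from the comments, as an added PHP example. This is not code from the question or the answers; it assumes a document root of /var/www/html, a private directory /var/www/private that is outside it and writable only by the web server user, and that the application keeps a per-user record of which file names it has handed out (the `$record` array below stands in for that lookup).

```php
<?php
// Added example, not from the original post. Assumptions:
//   - document root is /var/www/html
//   - /var/www/private exists OUTSIDE the document root, mode 0700,
//     owned by the user the web server runs as
//   - the application stores, per user, the file names it generated
//     (the $record argument to servePrivateFile() represents that lookup)
declare(strict_types=1);

const PRIVATE_DIR = '/var/www/private';

// Write $contents under a random, non-sequential name and return the
// record the application should persist against the owning user.
function storePrivateFile(string $contents, int $ownerId): array
{
    // 16 random bytes -> 32 hex chars; seeing one name tells an attacker
    // nothing about the next one, unlike 1.txt, 2.txt, ...
    $name = bin2hex(random_bytes(16)) . '.txt';
    $path = PRIVATE_DIR . '/' . $name;

    // mode 'x' creates the file and fails instead of overwriting if it
    // already exists (a collision would mean random_bytes() is broken)
    $fh = fopen($path, 'x');
    if ($fh === false) {
        throw new RuntimeException('could not create ' . $path);
    }
    try {
        if (fwrite($fh, $contents) === false) {
            throw new RuntimeException('write failed for ' . $path);
        }
    } finally {
        fclose($fh);
    }
    // readable and writable by the web server user only; never 0666
    chmod($path, 0600);

    return ['name' => $name, 'owner' => $ownerId];
}

// Send a stored file to the browser only if the caller is its owner and
// the name resolves inside PRIVATE_DIR (no "../", no "/etc/passwd").
function servePrivateFile(string $requested, ?int $currentUserId, array $record): void
{
    // Authentication: must be logged in.
    if ($currentUserId === null) {
        http_response_code(401);
        exit;
    }
    // Accept only the exact shape of name we generate; this alone rules
    // out directory separators, NUL bytes and absolute paths.
    if (!preg_match('/\A[0-9a-f]{32}\.txt\z/', $requested)) {
        http_response_code(400);
        exit;
    }
    // Authorization: the name must be one recorded for this user.
    if ($record['name'] !== $requested || $record['owner'] !== $currentUserId) {
        http_response_code(403);
        exit;
    }
    // Defense in depth: strip any path, resolve symlinks, and confirm the
    // result still lives under PRIVATE_DIR before reading it.
    $base = realpath(PRIVATE_DIR);
    $real = realpath(PRIVATE_DIR . '/' . basename($requested));
    if ($base === false || $real === false || strpos($real, $base . '/') !== 0) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: text/plain');
    header('Content-Disposition: attachment; filename="download.txt"');
    header('X-Content-Type-Options: nosniff');
    readfile($real);
}
```

In a download endpoint such as getfile.php you would call `servePrivateFile($_GET['file'] ?? '', $_SESSION['user_id'] ?? null, $record)` after looking up `$record` from wherever `storePrivateFile()`'s return value was saved. Because the directory is outside the document root, Apache never serves these files directly; the only way to reach them is through this script, which is where the user and authorization checks are enforced.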
-1

The risk is if that writable directory resides in an area accessible to the outside world. Then those with the right tools and know-how can write anything they want to that directory... or file. They can then place malware in it or create a phishing scheme on your site.

Really they can do all kinds of things to compromise you. I have seen this on my own servers and haven't really found the right solution to this.