Apache 0777 directories

aliahsan81 · October 21, 2008, 2:24pm

Hi All

I have a web server,I have many world writeable directories (0777),Created by programmers,for uploading pictures.
Now i want to stop script excuation (php,cgi,etc) in the directories 0777,I know one way is to use htaccess file,i dont wana used that,if some one know any other method using apache config file or any other methos it will be great.

Neo · October 21, 2008, 2:50pm

You want to stop script execution by whom? (which user ID or IDs)?

aliahsan81 · October 21, 2008, 2:55pm

No one can execute it.Script can be uploaded but no one can execute.in directory 777

Neo · October 21, 2008, 2:57pm

Change the scripts so they do not have execute permissions by anyone.

aliahsan81 · October 21, 2008, 3:00pm

I give you a brieff example.

I have small uplod script in php that upload jpg png and other files in my server under 777 directory.Now i want any one can upload any scrip like php cgi pearl etc.But i dont want apache to execute it as server side script.May some bad/ malicious code is beging uploded

Neo · October 21, 2008, 3:24pm

Yes, I understand.

So make the scripts not executable and they will not be executable.

aliahsan81 · October 22, 2008, 8:56am

Thx

What i did,Its easy and much secure, And any one can upload.and easy to use. What you all say

<Directory /var/usrdirname>
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi .html
Options -ExecCGI

php_admin_flag engine off
</Directory>

Neo · October 22, 2008, 9:07am

If I were you, I would create an crontab function to change all the files in the directory of interest to read-only for security reasons. That way you have even more security.

aliahsan81 · October 22, 2008, 9:42am

yes

But in my setup i dont wana break current functionality,Then you know how programmer reacts.So i will be using what i said before

Neo · October 22, 2008, 10:49am

Then please explain why taking files that are not supposed to be executable and making them read only or read-write only will break current functionality?

What you are doing is good, but it is not enough to be fully secure.

aliahsan81 · October 22, 2008, 12:13pm

We never know what kind of software programmer make,may be they need some time picture with different extension,or my be they need to upload documents pfd or video file.that's why i am accpecpting all file to be uploaded but not allowing certain file to run on my server.

Neo · October 22, 2008, 3:08pm

Yes, we already know that.

You did not answer my question.

aliahsan81 · October 22, 2008, 5:06pm

Ohh yes you are right,i didnt understand your question,yes what you are saying is also perfect.
Thx Neo.

Neo · October 23, 2008, 3:50am

I am not suggesting that you do one, or the other.

I am saying you should do both, (1) use your .htaccess directives and (2) create a crontab to insure all files are not executable. You might also consider changing ownership (chown) of the uploaded files in combination with chmod.

This is called "defense in depth" - using more than one security defense in case the other one fails.

Relying on only one security control creates a higher risk of compromise.

aliahsan81 · October 23, 2008, 10:14am

Yes that perfect thing to do,I will start this to day INSHAHALLHA.

THX NEO,for you nice suggestion