chmod and hacking prevention
james438
12-13-2011, 09:56 PM
I would be very comfortable with this thread being locked or deleted for security reasons.
How could a public file with all access permissions be hackable?
How does a file recognize me as an owner?
Could you give a simple example of bad coding practices using poor chmod settings?
djr33
12-14-2011, 01:50 AM
"I would be very comfortable with this thread being locked or deleted for security reasons."
Are you asking for this to be deleted now? Or are you just saying it's OK if we later decide to delete it? I don't think there's any risk having this here, but since it does deal with hacking, we (the moderators) will keep an eye on it to be sure that nothing "too dangerous" is said. This is about preventing hacking, which does require some basic understanding of hacking, but it's not a guide about hacking. For that reason, for anyone replying, please don't post any details about how to hack-- just general methods and how to stop it.
As for your questions:
1. Well, if the user has permission to edit a file, then they can change it. I don't believe that HTTP allows editing files, so that's not really an issue. It's an issue when they use PHP indirectly to do it. Or FTP if you have an anonymous account.
2. The user (who is logged in) that accesses it on the computer is considered when giving access to a file. The owner (and other permissions) are stored for the file as part of the file (or next to it, I'm not sure). So, if you're using PHP, then whatever user has the PHP process running is the user. Or if you're logged onto the server directly, then it's your username.
3. I don't believe that chmod in itself is a security issue. But by allowing 777 or another high access setting, you can get a situation where, if there is another back door onto the server (eg, through a PHP script), then that file is editable. If those files are not 777-- if they're set to stricter security settings so that PHP cannot edit them-- then even someone with control over PHP can't mess with them.
So if your script allows for file-editing-injection (not sure what term this would be-- it's similar to mysql injection), then that's where the danger comes in.
A really bad script to write would be one that allows "FTP" access via PHP. Unless you're positive it's secure, it's a risk, because that would give the hacker immediate access to mess with your PHP files. Of course if the "FTP" script only allows uploading of images, then it's probably safe. But it's still important to be careful.
Another easy way to hack a server is to upload a PHP (or other serverside language) script. This is often done by pretending that it is an image-- upload "hack.php" as your avatar, then suddenly you have access to the entire server.
But it's also very easy to prevent this: use white-listing* techniques to only allow certain file types. In some cases (eg, with images) you can also verify that the contents are actually what they say they are. And you could check the headers too. Usually just checking the file extension is enough because your server will try to send a ".jpg" file as an image, and not execute it as PHP code, even if there's PHP code instead of image contents inside of it.
*White-listing is a technique where you create an "ok list" of file types. A slightly less secure version is black-listing, where you list the types that are "not ok" such as PHP. But since there might be an unpredictable format that could be problematic, using white-listing is best-- just be sure to keep updating it if your users want to upload different types of files. And be aware of variations in extensions. For example, there are at least 3 valid extensions for JPEG images: .jpg, .jpeg, .jpe. (And caps versions-- .JPG etc).
Disclaimer: I'm not a security expert, a hacker, or anyone else truly qualified to say that "your server is safe". So just consider this a discussion rather than advice-- some details of what I said might be wrong, or (more likely) I've probably missed some important points.
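An added example, not part of the original posts: a PHP audit that lists which paths under a web root the current user can modify and flags world-writable modes such as 777, following points 2 and 3 above. The function name and the sample tree are hypothetical and constructed for the example.

```php
<?php
// Added example, not code from the thread. The web root is a throwaway
// folder built in the temp directory; its file names are constructed.

/**
 * Report everything under $root that the current user (for a web request,
 * the account PHP runs as) could modify, flagging world-writable modes.
 */
function writable_paths(string $root): array
{
    $found = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST   // report directories as well
    );
    foreach ($it as $path => $file) {
        $mode = $file->getPerms() & 0777;       // keep only the rwx bits
        $world = ($mode & 0002) !== 0;          // "other" write bit, as in 777
        if ($world || $file->isWritable()) {
            $found[$path] = sprintf('%04o', $mode) . ($world ? ' world-writable' : '');
        }
    }
    ksort($found);
    return $found;
}

// Constructed sample tree: one file left at 777, one locked down to 444.
$root = sys_get_temp_dir() . '/webroot_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0755, true);
file_put_contents($root . '/config.php', "<?php // constructed sample\n");
file_put_contents($root . '/index.php', "<?php // constructed sample\n");
chmod($root . '/config.php', 0777);
chmod($root . '/index.php', 0444);

foreach (writable_paths($root) as $path => $why) {
    echo $path, '  ', $why, PHP_EOL;
}
```

The result depends on who runs it: from a shell it reflects your login, while through the web server it reflects the account the PHP process runs as. Directories are reported too, because a directory PHP can write to lets it replace read-only files inside it.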
james438
12-14-2011, 05:13 AM
No, if I wanted my post deleted I could delete it myself. I just wanted to make sure that I wasn't starting up a thread on potentially illegal methods of hacking, which is not what I want to do at all. I am only interested in preventing my site from being hacked.
I have admin files which are only accessible via the correct cookie and ip address. The admin files allow for creating new files, new database entries, renaming files, altering file permissions, uploading files, etc. I suppose I have a type of online ftp, but I am rather confident in the security I have in place and, yes, the upload portion only allows for images.
djr33
12-14-2011, 07:48 AM
Well, renaming files can allow you to upload an "image.jpg" then rename it to "hack.php" and that's just as insecure as anything else. Same goes for altering file permissions (if you mean at the server level, not within some sort of user system for your site's forum or whatever).
If you have strong security, that's probably fine. But if it gets compromised, that's all the more dangerous then.
Basically, if you don't have anything that could be dangerous, then that makes the potential for being hacked not dangerous either. But if being hacked (eg, into your admin pages) means total access to the server, it's more dangerous.
It's a choice you need to make as an administrator. It also relates to how strong your security really is. If it's truly unbreakable, then it doesn't matter.
Another important question is how important your website is. If you can live with the slight possibility of being hacked and then fixing everything, maybe it's not something to worry about. In a lot of cases, as long as you have backups, being hacked is not really all that horrible-- if it happens once a year, you can still manage. It's not fun, but it's also not so bad that you should put all of your time into preventing it. But if it is, for example, a bank website, obviously there is permanent damage involved then. So that's part of the things to consider.
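An added example, not part of the original posts: one extension white-list applied both to uploads (with a check that the contents really are that image type, as described in the earlier reply) and to the destination name of an admin rename, so an image cannot be renamed to a .php file. The function names and sample files are hypothetical and constructed for the example.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical;
// the sample files are constructed in a temp folder.

const ALLOWED = [   // extension => image type the contents must match
    'jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG, 'jpe' => IMAGETYPE_JPEG,
    'png' => IMAGETYPE_PNG,  'gif'  => IMAGETYPE_GIF,
];

/** Lower-cased final extension if it is on the white-list, else null. */
function allowed_ext(string $name): ?string
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return isset(ALLOWED[$ext]) ? $ext : null;
}

/** Upload check: extension on the list AND contents of that image type. */
function safe_upload_name(string $clientName, string $tmpPath): ?string
{
    $ext  = allowed_ext($clientName);
    $info = $ext === null ? false : @getimagesize($tmpPath);
    if ($info === false || $info[2] !== ALLOWED[$ext]) {
        return null;
    }
    // Store under a server-generated name; keep only the vetted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/** Rename check: the destination must pass the same white-list. */
function safe_rename(string $dir, string $from, string $to): bool
{
    $src = $dir . '/' . basename($from);    // basename() drops any ../ parts
    $dst = $dir . '/' . basename($to);
    if (allowed_ext($to) === null || !is_file($src) || file_exists($dst)) {
        return false;
    }
    return rename($src, $dst);
}

// Constructed inputs: a minimal GIF header and a PHP script.
$dir = sys_get_temp_dir() . '/uploads_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/image.gif", 'GIF89a' . pack('vv', 1, 1) . "\0\0\0");
file_put_contents("$dir/script.tmp", '<?php echo 1;');
var_dump(safe_upload_name('Avatar.GIF', "$dir/image.gif"));  // real image
var_dump(safe_upload_name('hack.php',   "$dir/script.tmp")); // extension not listed
var_dump(safe_upload_name('hack.jpg',   "$dir/script.tmp")); // PHP posing as image
var_dump(safe_rename($dir, 'image.gif', 'hack.php'));        // rename to .php
var_dump(safe_rename($dir, 'image.gif', 'photo.gif'));       // rename to listed type
```

In a real upload handler the temporary path would come from the `$_FILES` entry for the form field, and the returned name would be passed to `move_uploaded_file()`.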
james438
12-15-2011, 04:25 AM
Thanks for the information. I am not all that concerned about chmod issues for now. I do keep my website backed up every so often in case it gets destroyed, either by my own fumbling or someone else maliciously trying to damage my site. I am not all that worried about website security after the recent upgrades and fixes I made, but before I put this issue aside I am going to look things over a little more yet as a precaution.