人们可以将.php文件写入我的chmod 777文件夹吗 [英] Can people write a .php file to my chmod 777 folder
问题描述
黑客(或其他人)是否有可能将php文件上传/写入我网站上具有chmod 777的文件夹中?
Is it possible for hackers ( or other ) to upload/write a php file to a folder on my site that has chmod 777?
示例:
我有一个包含chmod 777的文件夹. 该文件夹包含图像. 我使用.htaccess阻止索引文件夹.
I have a folder that has chmod 777. That folder contains images. I use .htaccess to block indexing the folder.
修改后的问题: 人们可以通过在他们的网站上使用PHP脚本将.php文件写入具有chmod 777的我的文件夹中吗?例如,列出该文件夹中的所有图像
Reformed question: Can people write a .php file to my folder that has chmod 777 by using a PHP script on their website? For example , to list all the images in that folder
(我熟悉用于上传文件夹等的正确chmod,只是假设地询问它)
( I'm familiar with the right chmod for uploading folder etc .. , just asking it hypotheticaly )
推荐答案
有很好的机会,该计算机的任何合法用户都可以将.php文件或他们想要的任何其他内容写入该开放目录. 777目录在共享主机上几乎没有位置. (/tmp有时可能是1777,用于设置目录上的粘性位-仅允许文件 owner 删除目录中的文件.通常,777表示任何人都可以从目录中删除任何文件.但是/tmp在共享托管环境中肯定不受欢迎,因为它本质上是不安全的.)
Chances are very good that any legitimate user of that machine can write .php files, or anything else they want, to that wide-open directory. A 777 directory has almost no place on a shared host. (/tmp may sometimes be 1777, to set the sticky bit on the directory -- that allows only a file owner to delete a file in the directory. Normally, 777 means anyone can delete any file from the directory. But /tmp has definitely fallen out of favor on shared hosting environments because it is inherently unsafe.)
所以:您是计算机上的唯一用户吗?还是与其他人共享这台机器?除Web服务器外,这台机器是否还运行其他任何服务?如果是这样,那些其他服务也可能代表着一种可能的攻击媒介.
So: Are you the only user on the machine? Or is this machine shared with anyone else? Does this machine run any other services besides web server? If so, those other services might represent a possible attack vector as well.
此外,如果您在目录上的权限设置为777,我想知道您正在运行的PHP文件有多安全-我已经看到很多人在运行不安全的PHP脚本,这些脚本允许攻击者进行修改整个Web服务器上的每个HTML文件都会感染浏览该网站的用户. (是的.很多.很多很多.)
Furthermore, if your permissions are set to 777 on your directory I wonder just how safe the PHP files you're running are -- I've seen many cases of people running insecure PHP scripts that allow an attacker to modify every HTML file on the entire web server, to infect people browsing the site. (Yes. Many. More than a handful by a lot.)
这就是为什么您的Web服务器运行的任何用户帐户都不应拥有该网站的任何文件-静态页面和动态页面的原因. Web服务器应仅具有足够的写特权,才能写其access.log,error.log并与数据库服务器通信.除此之外的任何其他权限都可以轻松解决其中一个脚本中的良性错误,成为可利用的漏洞,可让您的网站被用来攻击其他人.
This is why whichever user account your web server runs as should not own any of the files of the website -- both static pages and dynamic pages. The web server should have only enough write privileges to write its access.log, error.log, and talk with a database server. Any additional privileges beyond this makes it far to easy for an otherwise benign bug in one of your scripts to become an exploitable vulnerability that allows your site to be used for attacking others.
777是个坏主意.解决这个问题.确保您的Web服务器没有对任何Web内容的写许可权.确保服务器上没有其他服务对您的Web内容具有写权限.确保服务器上没有其他用户对您的Web内容具有写权限.
777 is a bad idea. Fix that. Make sure your web server does not have write permission to any of the web content. Make sure no other service on the server has write permission to your web content. Make sure no other users on the server have write permission to your web content.
更新
这比听起来容易.创建一个新的webcontent用户.如果您的Web服务器已经拥有自己的一组,请使用它并将其命名为webgroup.如果还没有,也创建一个新的webgroup. (如果您的VPS没有自己的机制,则为adduser(8)和addgroup(8).)然后为所有Web内容设置所有者:
This is easier than it sounds. Create a new webcontent user. If your web server already has a group of its own, lets use it and call it webgroup. If it doesn't yet, create a new webgroup as well. (adduser(8) and addgroup(8) if your VPS doesn't have its own mechanism.) Then set the owner for all your web content:
chown -R webcontent:webgroup /path/to/web/content
修复权限:
find /path/to/web/content -type d -print0 | xargs -0 chmod 750
find /path/to/web/content -type f -print0 | xargs -0 chmod 640
然后确保您的Web服务器正在使用 Group webgroup 指令以确保它仍然可以读取所需的所有文件.
then make sure your web server is using the Group webgroup directive to ensure that it can still read all the files it needs.
这将使您的Web服务器具有对所有脚本和配置的 read 访问权限,但是,如果Web服务器本身被黑客入侵,则将无法对其进行任何修改.
This will let your web server have read access to all your scripts and configuration, but if the web server itself is hacked, it can't modify any of it.
这篇关于人们可以将.php文件写入我的chmod 777文件夹吗的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
