Permissions file_exists on /home/user/..

Pieter

Running a server-wide admin panel accessible through my hostname; the scripts are located in /var/www/html/.

Just noticed that my PHP script (running user:apache?) is unable to use file_exists on files located in my /home/user/ directories. No errors, no warnings.

Changing the permissions of my user folders from 710 to 711 fixes the issue.

Are there any downsides to this approach (I'm the owner and only user of the sites hosted on this VPS) or are there any other (simple) solutions?
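
An added example, not part of Pieter's post: the 710 versus 711 difference is the search (execute) bit for the "other" class on the user directory, which a script running as neither the owner nor a group member needs on every directory above the file. The sketch below lists the directories missing that bit; the function names and the sample path are assumptions, and it reads mode bits only, ignoring group membership and ACLs.

```shell
#!/bin/sh
# Added example (not from the thread): list the directories above a file that
# a process in the "other" permission class cannot traverse.

# other_can_search DIR: succeeds if DIR has the other-execute (search) bit.
other_can_search() {
    # Character 10 of the `ls -ld` mode string is the other-execute slot:
    # 'x' or 't' means searchable, '-' or 'T' means not.
    bit=$(ls -ld -- "$1" | cut -c10)
    [ "$bit" = "x" ] || [ "$bit" = "t" ]
}

# blocking_dirs FILE [TOP]: walk from FILE's directory up to TOP (default /)
# and print every directory that lacks the other-search bit.
blocking_dirs() {
    dir=$(dirname -- "$1")
    top=${2:-/}
    while :; do
        other_can_search "$dir" || printf '%s\n' "$dir"
        case $dir in
            "$top"|/|.) break ;;
        esac
        dir=$(dirname -- "$dir")
    done
}

# Usage (sample path is an assumption):
#   sh blocking_dirs.sh /home/user/public_html/img.png
if [ "$#" -gt 0 ]; then
    blocking_dirs "$@"
fi
```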
 
Hello Pieter,

In case of a hacking attack, if they get access to /var/www/html/ or another user's files under /home/, they might get the content of all other users' files as well in this case.

Are there any downsides to this approach
 
Thanks for the reply, zEitEr!

Double checked by having PHP creating a file and it is running as 'webapps' user under /var/www/html/

Saw the following relevant old post:

Alternatively: would adding the user 'webapps' to the group 'access' be a (more secure) solution? If so, is editing /etc/group/ sufficient?
 
Alternatively: would adding the user 'webapps' to the group 'access' be a (more secure) solution? If so, is editing /etc/group/ sufficient?

You are the one to take all the risks. I don't know what application you run there and why you want to give it server-wide access. Hence I can't say whether or not it will be more secure.
 
If you really need something to interact with a user's home from your own script located in "/var/www/html/", I recommend using the DA API integration.

Those permission hacks as a workaround are a bad idea.
 
Thanks all for the replies!

Server wide access is not required, just a simple file_exists for a few files (images) located in a /home/user/ directory but I understand there is no workaround without additional risks.
 
located in a /home/user/ directory
If it's just 1 user, why not put the script in his public_html or something? If required to prevent it being deleted, chown it to root or admin and he can't delete it. Or make it immutable. ;)
 
That was my previous situation :)

I had 10-15 different password protected folders and subdomains containing admin panels and other admin scripts (statistics, export scripts, webhooks etc.) listed under various /home/user/ folders.

Combining all these scripts under one password protected area (/var/www/html/) works great except for one script using file_exists..
 
If required to prevent it being deleted, chown it to root or admin and he can't delete it. ;)

That will probably surprise you, but files and directories owned by root can be deleted by a user when connected over FTP. So if you place a file owned by root under a user's homedir, they can still remove it over FTP. So users can remove everything under their homedir, unless you chattr files/directories.
 
That will probably surprise you
Oh wow.... that indeed surprised me that this is possible. I thought FTP would obey the owner rules, but indeed it doesn't.
Then indeed the only other option is chattr.
Thank you for correcting me. I adjusted my post accordingly.
 