apache 设置上传文件夹 777 权限安全吗?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1577514/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Is setting the uploads folder 777 permission secure?
提问by Gabriel Solomon
I have seen a lot of upload forms hacked, and some had some really good security checks of the file being uploaded (at least I think so), but still somebody managed to upload a PHP file.
我见过很多上传表单被黑,有些对上传的文件进行了一些非常好的安全检查(至少我是这么认为的),但仍然有人设法上传了一个 PHP 文件。
I was wondering: is there is a way to upload a file in the uploads folder that has 777 permissions? I am thinking of using HTTP PUT.
我想知道:有没有办法在上传文件夹中上传具有 777 权限的文件?我正在考虑使用 HTTP PUT。
回答by Gabriel Hurley
In general 777 is about as insecureas it gets... that means anybody can read and write to your files.
一般来说,777 是不安全的......这意味着任何人都可以读取和写入您的文件。
HTTP PUT isn't inherently any more secure than HTTP POST if you're allowing the uploaded files to be exceuted on your server.
如果您允许上传的文件在您的服务器上执行,则 HTTP PUT 本质上并不比 HTTP POST 更安全。
Overall, if you areallowing arbitrary files to be executed you need to be doing very good file checking server-side, and using chroot on the server would be wise.
总的来说,如果你被允许任意的文件执行,你需要做非常好的文件检查服务器端,并在服务器上使用的chroot将是明智的。
Permission-wise, I generally set anything web-accessible to 644 owned by the webserver user.
在权限方面,我通常将任何可通过网络访问的内容设置为网络服务器用户拥有的 644。
回答by Abu Aqil
Folder permissions is just to make sure your httpd/Apache user can write to that folder. Actually you don't need to chmod 777 for your storage folder. Just make sure to either set owner to root and group to the Apache/httpd user you are running or just simply set the folder owner to your Apache user.
文件夹权限只是为了确保您的 httpd/Apache 用户可以写入该文件夹。实际上,您不需要为您的存储文件夹 chmod 777。只需确保将所有者设置为 root 并将组设置为您正在运行的 Apache/httpd 用户,或者只是将文件夹所有者设置为您的 Apache 用户。
chmod 774 /upload/folder: writable for owner and group and the others just read.
chmod 774 /upload/folder: 所有者和组可写,其他人刚读过。
PHP: if somehow that folder refers to user document root folder you can disable the PHP engine for that particular virtualhost.
PHP:如果该文件夹以某种方式引用用户文档根文件夹,您可以禁用该特定虚拟主机的 PHP 引擎。
If that folder is part of your system/application document root folder editing the .htaccess file and using the removeHandler Apache directive might do the trick.
如果该文件夹是您的系统/应用程序文档根文件夹的一部分,则编辑 .htaccess 文件并使用 removeHandler Apache 指令可能会成功。
回答by Daff
You don't need and shouldn't have a 777 permission on an upload folder. It should be enough to have it only read and writeable for the user the Webserver is running in (with apache/debian usually www-data). Additionally you should turn off (e.g. via .htaccess) anything you don't want to happen in this folder, like executing PHP scripts (so even if it happens that a user uploads a PHP it can't be executed). HTTP PUT doesn't change your 777 problem, cause the file will still be there after it has been uploaded.
您不需要也不应该对上传文件夹拥有 777 权限。让它只对运行 Web 服务器的用户可读和可写就足够了(使用 apache/debian 通常是 www-data)。此外,您应该关闭(例如通过 .htaccess)您不想在此文件夹中发生的任何事情,例如执行 PHP 脚本(因此即使用户上传了 PHP,它也无法执行)。HTTP PUT 不会改变您的 777 问题,因为文件上传后仍然存在。
