Security of symlink to directory outside webroot set to 777?

Posted on

Security of symlink to directory outside webroot set to 777? – Managing your servers can streamline the performance of your team by allowing them to complete complex tasks faster. Plus, it can enable them to detect problems early on before they get out of hand and compromise your business. As a result, the risk of experiencing operational setbacks is drastically lower.

But the only way to make the most of your server management is to perform it correctly. And to help you do so, this article will share nine tips on improving your server management and fix some problem about linux, permissions, symlink, , .

I have a few websites that use the same cached weather reports so I wanted them all in the same folder. It seemed the most logical way to do this would be to but this folder outside of the webroot. It also seemed the easiest way to access this new folder would be to set sym links from the old folders within the webroot.

What I am concerned about is I’ve had to set the new directory to 777 as I am using FasCGI for my PHP and therefore each website has a different user.

So first question, what are the security implications – is this the same as having a 777 folder within the webroot?

Secondly. If this is a problem what is the best solution.

BTW this is on Centos 6.2 server running Plesk 10.4 if that makes any difference.


Solution :

About the security implications I cannot say, but I think if an attacker has managed to exploit the weather data is your smallest problem.

About the permissions – make all web users members of common group (if they aren’t already) and change the ownership of the files. That way you can grant access only to the group. Also why the web users need write access on the files?

It is possible to share a directory between multiple virtual hosts on an Apache webserver using the Alias directive in mod_alias. You would need to place something like this stanza in each <VirtualHost> entry like so:

<VirtualHost *:80>

    ScriptAlias /cgi-bin/ "/path/to/webroot/.cgi-bin/"

    <Directory "/path/to/webroot">
        Options Indexes Includes FollowSymLinks ExecCGI
        AllowOverride All
        AddHandler php5-fastcgi .php .php5 .php4
        Action php5-fastcgi /cgi-bin/php5.fcgi
        Order allow,deny
        Allow from All

    Alias /reports "/path/to/weather/reports"
    <Directory "/path/to/weather/reports">
        Order allow,deny
        Allow from all

This would map the files in /path/to/weather/reports to so you can place saner file permissions on /path/to/weather/reports. The directory should require proper permissions for Apache to traverse it, so you can follow tsurko’s recommendation and set up a group (e.g., fcgiusers), add the users to the group (by running a command like usermod -a -G fcgiusers USERNAME), and give the group permissions to the folders and files in the shared location. These commands run with root privileges should do the trick:

chown -Rv apache:fcgiusers /path/to/weather/reports;
find /path/to/weather/reports  -type d -exec chmod 0775 {} ;
find /path/to/weather/reports  -type f -exec chmod 0664 {} ;  

Leave a Reply

Your email address will not be published.