{"id":8643,"date":"2014-10-28T15:10:52","date_gmt":"2014-10-28T15:10:52","guid":{"rendered":"https:\/\/wp.okra.host\/article\/writing-to-files\/"},"modified":"2021-03-07T21:29:16","modified_gmt":"2021-03-07T20:29:16","slug":"writing-to-files","status":"publish","type":"ht_kb","link":"https:\/\/kb.okra.host\/de\/article\/writing-to-files\/","title":{"rendered":"Writing to Files"},"content":{"rendered":"<h2 id=\"overview\"><strong>Overview<\/strong><\/h2>\n<p>PHP operates as a separate user to enhance security across the server. If a client\u2019s site is compromised, the attacker gains only the access that the PHP user has, which protects sensitive e-mails and SSH keys that reside within the same storage space. Certain applications, such as WordPress and Drupal, will complain that they cannot write to storage; this typically manifests as a <em>Permission Denied<\/em> error:<\/p>\n<blockquote><p><b>Warning<\/b>: fopen(&lt;filename&gt;) [function.fopen]: failed to open stream: Permission denied in <strong>&lt;filename&gt;<\/strong>\u00a0on line <b>1<\/b><\/p><\/blockquote>\n<h2 id=\"solution\"><strong>Solution<\/strong><\/h2>\n<p>Selectively grant write access (<a href=\"https:\/\/kb.okra.host\/guides\/permissions-overview\/\">717 permission<\/a>) to the files and folders that you wish to let the application access. 
Permissions may be modified within the control panel under <strong>Files<\/strong> &gt; <strong>File Manager<\/strong> &gt; <strong>Properties<\/strong> action.<\/p>\n<blockquote><p>Permissions may be applied recursively to reduce the number of steps required to allow a web application sufficient write access, but bear in mind: <i>anywhere a web application can write, so can an attacker if your site gets hacked.<\/i> It is best to change permissions only on directories where file uploads occur and to install plugins manually, which reduces your risk of getting hacked through failure to keep software updated.<\/p><\/blockquote>\n<p>Files created by the web server may be managed immediately through the <strong>File Manager<\/strong>, or the following day by FTP once nightly housekeeping completes.<\/p>\n<blockquote><p><strong>Important:<\/strong> traditionally, PHP and site files operated under one user, for two major reasons: <em>accountability<\/em> and <em>ease-of-use<\/em>. Accountability, in that service providers offering unlimited resources can better identify accounts that are unsuitable for a truly \u201cunlimited\u201d hosting plan (i.e. consuming too many CPU resources). Running all WordPress applications under the same user allows administrators to flag abusive accounts that lie above the <a href=\"http:\/\/en.wikipedia.org\/wiki\/The_Bell_Curve\">bell curve<\/a>. Second, it\u2019s easy to update files when all files accessed by the web server are owned by the same user. Permissions are <a title=\"Permissions overview\" href=\"https:\/\/kb.okra.host\/guides\/permissions-overview\/\">not an issue<\/a>. Just let the user update WordPress from the WordPress dashboard, and you are done.<\/p>\n<p><em>But there\u2019s a huge problem running under one user!<\/em> Any request on the domain, whether legitimate or forged, can be leveraged by an attacker. 
Because the HTTP request assumes the same ownership as you, any PHP exploit[<a href=\"http:\/\/www.cvedetails.com\/vulnerability-list\/vendor_id-74\/product_id-128\/PHP-PHP.html\">1<\/a>][<a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvekey.cgi?keyword=wordpress\">2<\/a>][<a href=\"http:\/\/cve.mitre.org\/cgi-bin\/cvekey.cgi?keyword=drupal\">3<\/a>][<a href=\"http:\/\/www.cvedetails.com\/vulnerability-list\/vendor_id-5025\/Zend.html\">4<\/a>][<a href=\"http:\/\/www.cvedetails.com\/vulnerability-list\/vendor_id-3496\/product_id-6129\/Joomla-Joomla.html\">5<\/a>] can first be leveraged to gain access; <em>bootloaders<\/em> (simple file managers) can then be injected into any PHP script, allowing an attacker to upload malicious scripts elsewhere so long as he knows the special key. <em><strong>Exploits do happen. Update regularly!<\/strong><\/em><\/p>\n<p>By running as a separate user, the window of opportunity is greatly limited. Only files to which you <em>explicitly authorize write access<\/em> can be modified by a PHP application. If a hacker can\u2019t modify the file, then the hacker can\u2019t inject a bootloader or other malicious code. Only let the web server write to locations that are necessary for operation. Setting permissions to 717 on only those directories\/files that are updated regularly by a PHP application is a <a title=\"Permissions overview\" href=\"https:\/\/kb.okra.host\/guides\/permissions-overview\/\">great solution<\/a> to reduce your surface exposure. 
But don\u2019t set these permissions on all files, or your account is just as insecure as running under one user.<\/p><\/blockquote>\n<h2 id=\"see-also\"><strong>See Also<\/strong><\/h2>\n<p><a title=\"Permissions Overview\" href=\"https:\/\/kb.okra.host\/guides\/permissions-overview\/\">Permissions Guide<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview PHP operates as a separate user to enhance security across the server. If a client\u2019s site is compromised, the attacker gains only the access that the PHP user has, which protects sensitive e-mails and SSH keys that reside within the same storage space. Certain applications&#8230;<\/p>","protected":false},"author":1,"comment_status":"open","ping_status":"closed","template":"","format":"standard","meta":{"footnotes":""},"ht-kb-category":[63],"ht-kb-tag":[],"class_list":["post-8643","ht_kb","type-ht_kb","status-publish","format-standard","hentry","ht_kb_category-php"],"_links":{"self":[{"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/ht-kb\/8643","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/ht-kb"}],"about":[{"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/types\/ht_kb"}],"author":[{"embeddable":true,"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/comments?post=8643"}],"version-history":[{"count":2,"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/ht-kb\/8643\/revisions"}],"predecessor-version":[{"id":8826,"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/ht-kb\/8643\/revisions\/8826"}],"wp:attachment":[{"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/media?parent=8643"}],"wp:term":[{"taxonomy":"ht_kb_category","embeddable":true,"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/ht-kb-category?post=8643"},{"taxonomy":"ht_kb_tag","embeddable":true,"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/ht-kb-tag?post=8643"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}