
I'm running an nginx web server on a Debian Wheezy system configured to run PHP through PHP-FCGI. Aside from setting permissions appropriately, for security reasons I'd like to forbid nginx and PHP to create files (or rename others accordingly) that match the location ~ \.php... rule, i.e. files that end on .PHP. How can I approach this?

1 Answer


Use the right permissions. Allow the user that php-fpm is running under to create files only in certain directories, and explicitly forbid php-fpm from handling the *.php files residing in those directories.

Something like this:

location ~* /writable/by/php-fpm/directory/.+\.php$ {
    return 403;
}

above the usual php locations. So, avoid mode 777 at all costs.

Although this is a good security approach, this is rarely used, because the main concern is preventing attackers from gaining access to run their own code (and this is a superset of the problem you are asking about), which is done mainly in the PHP application code itself. So this approach is used mostly for securing the directories where files are uploaded by the users.

drookie
  • Thanks. I understand that this also means that tools like owncloud are denied to **read** (not execute) the PHP files inside the directory, is that correct? – Hendrik Wiese Oct 29 '16 at 08:11
  • This example above - yes, but you could also serve them as plain files, if needed, although I cannot imagine a situation when this would be suitable. – drookie Oct 29 '16 at 08:54
  • Okay, I'll check that out, thanks. A situation could be that you've got a dev project containing PHP files in an OwnCloud/WebDAV folder for instance. In that case you wouldn't want the PHP files to be executed but instead really served as plain text. – Hendrik Wiese Oct 29 '16 at 08:57
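As an added example (not the answer's own configuration), here is a complete server block showing where the deny rule from the answer sits relative to the usual PHP handler, plus the plain-text alternative mentioned in the comments; the hostname, document root, upload directory and FPM socket path are assumptions.

```nginx
# Added example: combines the answer's deny rule with a normal PHP-FPM handler.
# server_name, root, the /uploads directory and the FastCGI socket are assumptions.
server {
    listen 80;
    server_name example.invalid;
    root /var/www/app;
    index index.php index.html;

    # Assumption: /var/www/app/uploads is the only directory the php-fpm user can
    # write to (e.g. owned by www-data, mode 0750); the rest of the tree is
    # read-only for that user, so the file system, not nginx, blocks creation.

    # Regex locations are tested in the order they appear, so this block must
    # come BEFORE the generic PHP handler below. "~*" makes the match
    # case-insensitive, so .PHP and .Php under /uploads are also refused.
    location ~* ^/uploads/.+\.php$ {
        return 403;
    }

    # Alternative to the 403 above (pick one): serve such files as static
    # plain text so a tool like ownCloud/WebDAV can read them without nginx
    # ever handing them to PHP-FPM.
    # location ~* ^/uploads/.+\.php$ {
    #     types { }
    #     default_type text/plain;
    # }

    # Usual PHP handler: only reached for .php files outside /uploads.
    location ~ \.php$ {
        try_files $uri =404;             # never pass a missing file to FPM
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php5-fpm.sock;   # assumed Wheezy php5-fpm socket
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Check the result with `nginx -t` and then request a test file such as `/uploads/x.php`: it should return 403 (or its source as text/plain with the alternative), while `/index.php` is still executed.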