Apache Secure Website With Writable 777 Directories

Content management systems, forums and other website software often need a few writable directories in order to function properly.

Many jump to suexec or suPHP instead of the 777 method, but there is a more secure way to host your website. Did you know that suexec and suPHP run your scripts as the account that owns the site, so the PHP process effectively has full write access to every folder and file of your website? This means that when an attacker uploads a shell script (and they will), it can modify any of your files and insert backdoors wherever it likes, even though none of the directories or files are set to 777.

Hosting your site with the 777 method is preferable because the world-writable folders and the files in them become the only thing the web server user can write to, and therefore the only target. That lets us keep tighter control and limit how deep an attack can go.

Using a simple .htaccess file in each of these directories we can prevent uploaded scripts from being executed there, and every other file and folder stays untouchable because the web server user has no permission to write to it. Two things have to hold for this to work. First, AllowOverride for the site must permit the directives (Limit for the access rules, Options for php_flag), or the .htaccess is silently ignored. Second, the directory may be writable but the .htaccess inside it must not be replaceable: in a plain 777 directory without the sticky bit the web server user can unlink and recreate any file, whoever owns it, so the protection can be removed by the same upload it is meant to contain. Set the directory to 1777 and keep the .htaccess owned by a different account, or put the same directives in a <Directory> block of the main server configuration so that nothing stored inside the writable directory is trusted at all.

.htaccess

# (?i) makes the match case-insensitive: Apache maps handlers by extension
# case-insensitively, so shell.PHP would otherwise run but not be blocked.
<FilesMatch "(?i)\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml|sh)">
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
    Order allow,deny
    Deny from all
</FilesMatch>

Many will argue that this method is only good for a single site on a single server or VPS, but that simply is not true anymore. Shared hosts can take advantage of it by coupling it with CloudLinux and CageFS. To implement this successfully, a shared host will also need the LiteSpeed Enterprise web server.

Configuring LiteSpeed to use CageFS on CloudLinux with PHP daemon mode essentially runs PHP using the 777 method while isolating the process inside the CageFS environment. This makes the 777 method the obvious choice over suexec and suPHP: not only does it prevent one website from accessing another site's files, it also provides the protections of the 777 method, keeping the site itself safe from backdoor injection.

For a sensitive 777 directory you can disable the PHP engine entirely by creating a .htaccess inside it with the following. Note that php_flag only takes effect where PHP runs inside the web server as mod_php; with PHP-FPM or CGI the directive does nothing (and Apache rejects it unless the IfModule wrapper hides it), so in those setups rely on the Deny rule above instead.

# disable the PHP engine entirely (mod_php only; the module is named
# mod_php5.c, mod_php7.c or mod_php.c depending on the PHP version)
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
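An audit script for the scheme described on this page, added here as an example and not part of the original post: it walks a web root, lists every world-writable directory, and for each one reports whether it carries one of the two .htaccess controls shown above (the Deny/Require rule or php_flag engine off) and whether it has the sticky bit, without which the web server user can unlink an .htaccess it does not own. The sample web root it builds is constructed for the demonstration; the directory names and the output format are assumptions.

```shell
#!/bin/sh
# Audit a web root for world-writable ("777") directories and report, for each,
# whether it carries the controls this page relies on:
#   1. an .htaccess that stops uploaded scripts from running (either the
#      Deny/Require rule or "php_flag engine off"), and
#   2. the sticky bit (mode 1777), without which the web-server user can unlink
#      and replace any .htaccess in the directory, whoever owns it.
# Added example, not code from the original post; the directory layout in
# build_demo_tree is constructed for the demonstration.

# check_dir DIR -> prints "DIR htaccess=<ok|missing|weak> sticky=<yes|no>"
check_dir() {
    dir="$1"
    ht="$dir/.htaccess"
    if [ ! -f "$ht" ]; then
        state="missing"
    elif grep -qiE 'php_flag[[:space:]]+engine[[:space:]]+off|Require[[:space:]]+all[[:space:]]+denied|Deny[[:space:]]+from[[:space:]]+all' "$ht"; then
        state="ok"
    else
        state="weak"   # an .htaccess exists but contains no execution block
    fi
    if [ -k "$dir" ]; then sticky="yes"; else sticky="no"; fi
    printf '%s htaccess=%s sticky=%s\n' "$dir" "$state" "$sticky"
}

# audit_writable_dirs ROOT -> one line per world-writable directory under ROOT
# (-perm -0002 is the portable spelling of "others have write"; ROOT itself is
# reported only if it is world-writable as well)
audit_writable_dirs() {
    find "$1" -type d -perm -0002 | sort | while IFS= read -r d; do
        check_dir "$d"
    done
}

# count_unprotected ROOT -> number of 777 directories with no usable .htaccess
count_unprotected() {
    audit_writable_dirs "$1" | grep -cE 'htaccess=(missing|weak)' || true
}

# build_demo_tree -> creates a constructed sample web root and prints its path
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/uploads" "$root/cache" "$root/tmp" "$root/includes"
    # uploads: 777 + sticky bit, with the engine-off .htaccess from this page
    chmod 1777 "$root/uploads"
    printf '<IfModule mod_php5.c>\nphp_flag engine off\n</IfModule>\n' > "$root/uploads/.htaccess"
    # cache: plain 777, no .htaccess at all
    chmod 777 "$root/cache"
    # tmp: plain 777 with an .htaccess that does not block script execution
    chmod 777 "$root/tmp"
    printf 'Options -Indexes\n' > "$root/tmp/.htaccess"
    # includes: not world-writable, so the audit must not report it
    chmod 755 "$root/includes"
    printf '%s\n' "$root"
}

# Run the audit against the constructed tree.
demo_root=$(build_demo_tree)
audit_writable_dirs "$demo_root"
echo "unprotected: $(count_unprotected "$demo_root")"
rm -rf "$demo_root"
```

Run it against a real site as `audit_writable_dirs /var/www/example`; every line showing htaccess=missing or htaccess=weak is a directory where an uploaded shell would execute, and every sticky=no line is a directory where the attacker could simply delete the .htaccess that blocks it.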

by Stephen@governmentsecurity.org, updated by Netsblog.
