Apache Secure Website With Writable 777 Directories
Content management systems, forum software and other web applications often need directories the web server can write to (upload and cache directories, for example) in order to function properly.
Many administrators jump straight to suPHP instead of the 777 method, but there is a more secure way of hosting your website. suPHP runs every PHP script as the owner of the site's files, so a script effectively has full write access to every folder and file of your website. This means that when an attacker uploads a shell script (and they will), it will let them modify any of your files and insert backdoors wherever they want, even though the directories and files are not set to
Hosting your site with the 777 method is preferable because the world-writable folders and files become the only place an attacker can write to, and because of that we can exercise much tighter control and limit the depth of the attack.
With a simple .htaccess file in each of these directories we can prevent uploaded scripts from being executed there, and every other file and folder remains untouchable because the web server user has no permission to write to them.
# Block execution of any uploaded server-side script in this writable directory.
<Files ~ "^.*\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml|sh)">
    Order allow,deny
    Deny from all
</Files>

Two things to check before relying on this. First, Order and Deny are Apache 2.2 directives; on Apache 2.4 they only work if mod_access_compat is loaded, and the native 2.4 equivalent is Require all denied. The directory must also have AllowOverride enabled for the .htaccess to be read at all. Second, the pattern is deliberately not anchored with $: it also matches names such as shell.php.jpg, which an AddHandler-based mod_php setup would otherwise still execute because Apache evaluates every extension in the name. Because the directory is world-writable, the web server user can delete the .htaccess itself unless the directory carries the sticky bit (chmod 1777) and the .htaccess is owned by another user, such as the site owner or root.
Many will argue that this method is only good for a single site on a single server or VPS, but that is no longer true. Shared hosts can take advantage of this method by coupling it with CloudLinux and CageFS. For a shared host to implement this successfully, it will also need the LiteSpeed Enterprise web server.
Configuring LiteSpeed to use CageFS on CloudLinux with PHP Daemon Mode essentially runs PHP using the 777 method but isolates the process within the CageFS environment. This makes the 777 method the obvious choice over suExec and suPHP, because not only does it prevent one website from accessing another site's files, it also provides the protections of the 777 method, making the site itself secure from
For a sensitive directory with 777 permissions you can disable the PHP engine entirely by creating a .htaccess within it and appending the following:
# disable the PHP engine entirely.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>

The module name depends on the PHP version: mod_php5.c for PHP 5, mod_php7.c for PHP 7 and mod_php.c for PHP 8, so add an IfModule block for whichever is loaded. php_flag only has an effect when PHP runs as an Apache module; under PHP-FPM, CGI or suPHP it is silently ignored, which is why the Files deny block above should stay in place as well. Neither directive helps if an existing PHP script on the site includes an uploaded file; they only stop Apache from serving the uploaded file as a script.
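As an added example that is not part of the original article, the following POSIX shell script applies both .htaccess fragments above (the Files deny block and the engine-off block) to every world-writable directory under a document root, then lists what is still world-writable so you can confirm those directories are the only target. It assumes Apache with AllowOverride enabled for the document root and that it is run as the site owner or root rather than as the web server user; the function names are invented for this example. It goes slightly beyond the page's snippets by writing the Apache 2.4 form (Require all denied) alongside the 2.2 form, and by covering the mod_php5.c, mod_php7.c and mod_php.c module names for PHP 5, 7 and 8.

```shell
#!/bin/sh
# Added example, not the original article's code. Hardens world-writable
# directories under a document root with a .htaccess that refuses to serve
# scripts and turns the PHP engine off. Assumes Apache with AllowOverride
# enabled and that this runs as the site owner or root.

# The .htaccess body written into each writable directory. The <IfModule>
# guards make it valid on both Apache 2.2 and 2.4 and with PHP 5, 7 or 8.
htaccess_body() {
    cat <<'EOF'
# Hardening for a writable (777) directory: no server-side scripts run here.
<Files ~ "^.*\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml|sh)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
# Disable the PHP engine entirely (only effective when PHP runs as mod_php).
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
EOF
}

# harden_writable_dirs DOCROOT
# Writes the .htaccess into every world-writable directory below DOCROOT,
# makes the file read-only for everyone but its owner, and sets the sticky
# bit so the web server user cannot delete a .htaccess it does not own.
# Prints each directory handled; returns 1 if DOCROOT is not a directory.
harden_writable_dirs() {
    docroot=$1
    [ -d "$docroot" ] || return 1
    find "$docroot" -type d -perm -0002 -print | while IFS= read -r dir; do
        htaccess_body > "$dir/.htaccess"
        chmod 644 "$dir/.htaccess"
        chmod +t "$dir"   # 777 becomes 1777: only the owner (or root) may remove files
        printf '%s\n' "$dir"
    done
}

# list_world_writable DOCROOT
# Prints every path below DOCROOT that is writable by "others". After
# hardening, this should show only the directories you intended to be 777.
list_world_writable() {
    find "$1" -perm -0002 -print
}

# Usage:
#   harden_writable_dirs /var/www/html
#   list_world_writable  /var/www/html
```

Run harden_writable_dirs after each deployment and review the output of list_world_writable: anything it prints that you did not intend to be writable is a file the web server user could turn into a backdoor. The sticky bit keeps the web server from removing the .htaccess, but it also stops the application from deleting files it did not create in that directory, so confirm the application tolerates that before using it on a busy upload directory.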
by Stephen@governmentsecurity.org, updated by Netsblog.