On Fri, 23 Dec 2005 15:34:57 +0100, Jim shouted Hoy......
>> If you have a piece of Web-based software, be careful. If hacked
>> (assuming it
>> allows the user to upload files) expect this case of hijacking to put
>> the entire Web server in jeopardy. Choose good software; choose
>> hard-to-crack passwords.
>
> Only the .txt and .xml files are 666, but I guess that means everyone can
> replace the content? (I am not sure how they can do that?) I do a PHP
> "include" for one of them, but I guess that is a bad idea as replaced
> content in <? hack ?> can be very harmful...
Are the text and XML files owned by the web server's user?
If so (assuming a *nix server) then the permissions can be set to 600.
Additionally I would
chmod 600 <filespec>
chmod +t <directory>
When +t is set for a directory, it means that only the owner of the file and
the owner of that directory may remove the file from that directory.
Group permissions should not be needed nor permissions for "others".
And
chattr -A <filespec>
Its atime record is not modified. This avoids a certain amount of disk I/O.
--
Dancin' in the ruins tonight
mail: echo onub-hgbg@xxxxxxxxxxxxxxx | perl -pe 'y/a-z/n-za-m/'
Tayo'y Mga Pinoy
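The permission check behind the thread, as an added example that is not from any of the posters: a POSIX shell script that lists world-writable regular files under a web root (the "666" case above) and tightens them to owner-only 600. The sample web root, the data/ layout and the file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a web root for
# world-writable files and tighten them to 0600. All paths below are
# constructed sample data, not anything from the posters' servers.

# List regular files under $1 that carry the "others write" bit (octal 002),
# one path per line, sorted so the output is stable.
find_world_writable() {
    find "$1" -type f -perm -002 -print | sort
}

# Tighten every world-writable regular file under $1 to owner-only
# read/write (0600) and print how many files were changed.
# find -exec is used instead of a for loop so paths with spaces survive.
tighten_world_writable() {
    before=$(find_world_writable "$1" | awk 'END { print NR }')
    find "$1" -type f -perm -002 -exec chmod 600 {} +
    echo "$before"
}

# Build a constructed sample web root in a temporary directory, mimicking the
# thread: two data files left at 666 next to a PHP script that includes one.
make_sample_webroot() {
    dir=$(mktemp -d)
    mkdir -p "$dir/data"
    printf 'hello\n' > "$dir/data/notes.txt"
    printf '<root/>\n' > "$dir/data/config.xml"
    printf '<?php include "data/notes.txt"; ?>\n' > "$dir/index.php"
    chmod 666 "$dir/data/notes.txt" "$dir/data/config.xml"
    chmod 644 "$dir/index.php"
    echo "$dir"
}

# Stand-alone run (sh script.sh --demo): show the offending files, fix them,
# and confirm none remain.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_webroot)
    echo "World-writable before:"; find_world_writable "$root"
    echo "Files fixed: $(tighten_world_writable "$root")"
    echo "World-writable after:";  find_world_writable "$root"
    rm -rf "$root"
fi
```

Run it against a real document root by calling find_world_writable on that path first; the listing is the part worth reviewing, since a file that a PHP script includes and that anyone on the host can write is exactly the case the thread warns about.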