Howto::WebWritableDir

From CS Wiki

Make a directory writable by webscripts for interactive websites

Introduction

The trend in websites is toward interactive, dynamic pages rather than static ones. Users increasingly want to run dynamic websites such as blogs and CMS-based systems. These systems usually require one or more directories to be writable by the webscripts. By default, web directories are not writable by webscripts. A directory that is writable by webscripts and left unsecured can easily be taken advantage of by hackers to run any code they want. This document explains how to set up and secure a directory that is writable by webscripts.

Set up directory

Making a directory writable by all users is the wrong way to do this! Here is the proper way:

  • Create the directory if it does not already exist.
  • Make sure the group ownership of the directory is set to 'web'. If not, then contact the techstaff and they can change the group ownership.
  • Run the following command on the directory: chmod 2775 "path to directory"

Secure the directory

This step is very important to prevent your website from getting hacked!

  • Create a .htaccess file in the writable directory with the following text:

AddHandler cgi-script .php .pl .jsp .asp .sh .cgi

Options -ExecCGI

  • This will prevent scripts inside this directory from running.
  • Set permissions on the .htaccess file with the following command: chmod 755 "path to .htaccess file"
  • This will prevent webscripts from being able to modify the .htaccess file
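
The following check script is an added example, not part of the original wiki page. It audits a directory against the steps above (group 'web', mode 2775, the two .htaccess directives, mode 755 on .htaccess). It assumes GNU stat; the function name and messages are illustrative.

```sh
#!/bin/sh
# Added example, not from the original page. Assumes GNU stat (-c).
# check_web_writable_dir DIR [GROUP]: returns 0 only if DIR matches the
# setup described above. Function name and messages are illustrative.
check_web_writable_dir() {
    dir=$1
    group=${2:-web}            # the page uses group 'web'
    ht="$dir/.htaccess"
    rc=0
    fail() { echo "FAIL: $*"; rc=1; }

    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }

    # "Set up directory": group ownership and chmod 2775 (setgid + rwxrwxr-x).
    [ "$(stat -c %G "$dir")" = "$group" ] || fail "group of $dir is not $group"
    [ "$(stat -c %a "$dir")" = "2775" ]   || fail "mode of $dir is not 2775"

    # "Secure the directory": .htaccess must exist with both directives.
    if [ ! -f "$ht" ]; then
        fail "$ht is missing"
        return "$rc"
    fi
    # Collect every active AddHandler cgi-script line; Apache directive
    # names are case-insensitive, hence -i. Commented-out lines do not match.
    handler=$(grep -Ei '^[[:space:]]*AddHandler[[:space:]]+cgi-script[[:space:]]' "$ht" \
        | tr '\r\n\t' '   ')
    for ext in .php .pl .jsp .asp .sh .cgi; do
        case " $handler " in
            *" $ext "*) ;;
            *) fail "$ext is not mapped to cgi-script in $ht" ;;
        esac
    done
    grep -Eiq '^[[:space:]]*Options[[:space:]]+(.*[[:space:]])?-ExecCGI([[:space:]]|$)' "$ht" \
        || fail "Options -ExecCGI not found in $ht"

    # chmod 755: no write bit for group or others on .htaccess.
    [ "$(stat -c %a "$ht")" = "755" ] || fail "mode of $ht is not 755"
    return "$rc"
}

# Stand-alone use: sh check.sh "path to directory" [group]
if [ $# -gt 0 ]; then check_web_writable_dir "$@"; fi
```

It is worth rerunning this check periodically, because the file mode on .htaccess does not stop a process that can write to the directory from replacing the file.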