matt6frey — 2014-02-04T06:44:12-05:00 — #1
Does anybody know how secure a text file containing information can be? I had read a blog post somewhere discussing security measures and it stated that having a strong perimeter protection (having the directories permissions set properly) was the best over-all defense against someone hacking into your site. That being said, if you set your files to read only or read/execute how secure are they in these conditions?
mikl — 2014-02-04T09:32:11-05:00 — #2
Making a text file read-only won't do anything to improve security. The whole point is that you want to stop people reading your text files (at least, I assume that's the point). You really need to prevent any kind of access to the file, not just read-only access.
One way to do that is to store the file outside the www directory of the site. The details will vary according to the platform, but in general, if you look at the server where your site is hosted, you will see a root directory containing sub-directories for things like log files and configuration files. One of these will be your www root, where your actual web pages are stored. Anyone visiting your site who knows the URL of any file within the www root (or its sub-directories) will be able to access that file (I'm simplifying the explanation, but it should give the general idea). But that's not the case if the file is in one of the directories above the www root.
So, you could create a new directory above the www root (on the same level as the log files, etc), and use that to store your text file. You will still be able to access it from within your server-side code (for example, to read it from within a PHP program). But there will be no easy way for a visitor - or a client-side application - to get at it.
As I say, this is a simplified explanation. Come back if you need any clarification.
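The layout mikl describes, worked through in a shell script as an added example (this is not code from the thread): it creates www and a sibling private directory, checks whether a given file resolves to a URL-reachable location, and shows the one way the separation silently fails, a symlink inside www pointing at the private file (Apache follows it when Options FollowSymLinks is on). SITE_ROOT, the directory names and the sample file contents are assumptions; readlink -f assumes GNU or BusyBox coreutils.

```shell
#!/bin/sh
# Added example, not code from the thread: mirror the layout mikl describes
# (a private directory beside the www root) and check whether a file is
# reachable by URL. Directory names under $SITE_ROOT are assumptions;
# readlink -f assumes GNU or BusyBox coreutils.
set -eu

SITE_ROOT="${SITE_ROOT:-$(mktemp -d)}"  # stands in for the hosting account root
DOCROOT="$SITE_ROOT/www"                # what Apache serves
PRIVATE="$SITE_ROOT/private"            # sibling of www, never mapped to a URL

make_layout() {
    mkdir -p "$DOCROOT" "$PRIVATE" "$SITE_ROOT/logs"
    # constructed sample contents standing in for the poster's .txt file
    printf 'db_password=correct horse battery staple\n' > "$PRIVATE/settings.txt"
}

# Canonical absolute path with every symlink resolved.
canon() { readlink -f "$1"; }

# Exit status 0 when the file can be fetched by URL: it lies under the
# docroot, or a symlink somewhere under the docroot resolves to it
# (Apache follows such links when Options FollowSymLinks is on).
web_reachable() {
    target=$(canon "$1")
    droot=$(canon "$DOCROOT")
    case "$target" in
        "$droot"|"$droot"/*) return 0 ;;
    esac
    find "$droot" -type l -exec readlink -f {} \; 2>/dev/null \
        | grep -qFx "$target" && return 0
    return 1
}

# Server-side code still reads the private file by filesystem path; this is
# the shell equivalent of PHP opening ../private/settings.txt.
read_private() { cat "$PRIVATE/$1"; }

demo() {
    make_layout
    printf 'index\n' > "$DOCROOT/index.html"
    for f in "$DOCROOT/index.html" "$PRIVATE/settings.txt"; do
        if web_reachable "$f"; then echo "REACHABLE  $f"; else echo "private    $f"; fi
    done
    echo "server-side read: $(read_private settings.txt)"
    # the mistake that undoes the layout: a symlink inside www pointing at the file
    ln -s "$PRIVATE/settings.txt" "$DOCROOT/settings.txt"
    web_reachable "$PRIVATE/settings.txt" && echo "REACHABLE  $PRIVATE/settings.txt (via symlink in www)"
    rm -rf "$SITE_ROOT"
}
demo
```

The symlink sweep is the part worth keeping: moving the file out of www is only as good as the absence of anything inside www that points back at it, and that is easy to introduce later by a deploy script or a well-meaning colleague.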
dklynn — 2014-02-04T21:25:09-05:00 — #3
Miki hit on the preferred (and only really good) solution. However, if you password protect the directory with your .txt file(s), you can prevent (at least on Linux systems) access by anyone without the correct username and password. This is normally effective, too.
When using chmod() to alter the file permissions, you've got to remember that it's Apache (a group user) which is requesting the files for visitors (and should normally be set to read only for group and public). As for execution permission, that's useless on a .txt file as it's not executable. Therefore, 640 would be a decent permission to use and it would allow you to write and read that file but Apache can only read.
All that said, keep files outside the webspace for greatest safety (Miki's recommendation).
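dklynn's two measures as an added shell example (not code from the thread): chmod 640 with a check that nothing is left for "other" and that group is read-only at most, plus the .htaccess needed to password-protect a directory that has to stay inside the docroot. Two caveats a practitioner wants alongside this: 640 only lets Apache read the file if the file's group is Apache's group (hence the chgrp), and a .htaccess is silently ignored unless the vhost has AllowOverride AuthConfig for that directory. The group name www-data, the file paths and the sample contents are assumptions; stat -c assumes GNU or BusyBox coreutils.

```shell
#!/bin/sh
# Added example, not code from the thread: apply the 640 mode dklynn suggests,
# verify that no "other" bits remain, and write the Basic-auth .htaccess for a
# directory that must remain inside the docroot. The group name www-data and
# all file paths are assumptions; stat -c assumes GNU or BusyBox coreutils.
set -eu

# Octal permission string of a file, e.g. 644 or 640.
file_mode() { stat -c %a "$1"; }

# Exit status 0 when "other" has no bits at all and group is at most read-only:
# the web server's group can read the file, nobody else can touch it.
mode_locked() {
    m=$(file_mode "$1")
    m=${m#"${m%???}"}        # keep the last three digits (drop setuid/setgid/sticky)
    o=${m#??}                # last digit: other
    g=${m%?}; g=${g#?}       # middle digit: group
    [ "$o" -eq 0 ] && [ "$g" -le 4 ]
}

# Owner reads and writes, the server's group only reads, everyone else nothing.
# chgrp is what makes "group" mean Apache; it needs the file's owner or root,
# and the group name (assumed www-data here) varies by distribution.
lock_down() {
    chmod 640 "$1"
    chgrp "${WEB_GROUP:-www-data}" "$1" 2>/dev/null \
        || echo "note: could not chgrp $1 (run as the owner or root)" >&2
}

# Basic-auth gate for a directory that must stay under the docroot. Only
# honoured when the vhost has AllowOverride AuthConfig for that path; the
# password file itself belongs outside the docroot. Create users with
#   htpasswd -c /path/to/.htpasswd alice   (apache2-utils / httpd-tools)
protect_dir() {
    dir=$1; passfile=$2
    cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "Private files"
AuthUserFile $passfile
Require valid-user
EOF
    chmod 644 "$dir/.htaccess"   # Apache must be able to read the .htaccess itself
}

demo() {
    tmp=$(mktemp -d)
    printf 'db_password=correct horse battery staple\n' > "$tmp/settings.txt"  # constructed sample
    chmod 644 "$tmp/settings.txt"   # the usual default: world-readable
    mode_locked "$tmp/settings.txt" && echo "locked" \
        || echo "world-readable: mode $(file_mode "$tmp/settings.txt")"
    lock_down "$tmp/settings.txt"
    mode_locked "$tmp/settings.txt" && echo "locked: mode $(file_mode "$tmp/settings.txt")"
    mkdir "$tmp/www"
    protect_dir "$tmp/www" "$tmp/.htpasswd"
    cat "$tmp/www/.htaccess"
    rm -rf "$tmp"
}
demo
```

mode_locked is the check to run in a deploy script rather than trusting the chmod: a later editor, rsync without -p, or a git checkout will happily put the file back to 644.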
matt6frey — 2014-02-06T20:01:17-05:00 — #4
Thanks guys, your explanations make quite a lot of sense. I am still pretty new to web security issues so this really helps elucidate my question. I guess another question I have is whether keeping information in a TXT file is a bad idea, and whether there are many security issues with this practice?
kiwiheretic — 2014-02-06T20:58:57-05:00 — #5
I don't think the issue is the file format. I think what you are driving at is whether you should install data on the web server unencrypted? At some point, in order to view it, you would have to unencrypt it, so I think it's best not to rely on file level security at all. It really only matters if you have people with access to your shell account that you don't trust, but these days I think there is very little reason to give anyone you don't trust shell access, so it's kind of moot.