The Cache: Technology Expert's Forum
Author Topic: Safety of chmod'ing public_html to 777  (Read 3952 times)
sysbuilder (Rookie, Posts: 17)
« on: January 01, 2009, 08:42:59 PM »

On a lot of my sites (especially WordPress sites), I chmod my public_html folder to 777 to make it easier to auto-update plugins, edit the theme from within WordPress, etc.

Is that a safe practice? I am the only one on a dedicated server. I am not very savvy in regards to security, so I'd greatly appreciate any input from those more experienced.

I've Googled the question multiple times, but there doesn't seem to be a strong consensus either way.
nutballs (Administrator, Posts: 5627)
« Reply #1 on: January 01, 2009, 09:20:17 PM »

My understanding is that in itself, it's not dangerous. Meaning, that if you do not provide a way for users to upload and execute files through your webpages, then it's not a big deal. Assuming the only service available is Apache, which is never the case.

The other security should keep them out. If you have no FTP for example. There are always vectors however, on any system. The biggest issue is that if they gain access to the filesystem, even as a lowly user with almost no privs, and they know the path to the 777 dirs, they can pooch you hard.

But the directory that is 777, in itself, does not create a bigger hole for an attacker to gain access. The access is gained via another avenue such as FTP, SSH, exploit, bad upload forms, etc. Don't allow anonymous FTP for example, and don't allow untrusted users to upload through a web page. Those two are your biggest threats in most web servers.

Of course, there is probably some giant obvious thing I am forgetting, so perk or V will chime in and tell you I'm an idiot.
I could eat a bowl of Alphabet Soup and shit a better argument than that.
vsloathe (Global Moderator, Posts: 1669)
« Reply #2 on: January 02, 2009, 06:43:27 AM »

No, you're not an idiot.

NBs is right, but I would caution you that your approach in general to security (shared by probably 90+% of webmasters out there, might I add) is not a very good one. You need to make sure that your code is tighter than tight if you've 777ed your html directory. If you're using third party software like WordPress, which has already been shown numerous times to be released full of holes (the pervasive SQL injection exploit that is still a big problem, for example), you ought to try to lock down your filesystem a bit harder.
hai
sysbuilder (Rookie, Posts: 17)
« Reply #3 on: January 02, 2009, 09:51:33 AM »

@nutballs: Thanks for the heads up about anonymous FTP, just checked my server and fixed that hole.

@vsloathe: So if I do keep my public_html directories 777ed, could you suggest some ways that I could use to lock down the filesystem a bit more?

Thanks for the replies so far, really appreciate the tips.
vsloathe (Global Moderator, Posts: 1669)
« Reply #4 on: January 02, 2009, 11:11:00 AM »

No, I'd actually recommend not 777ing them if you're using third party software. The "how" in these things would involve me knowing a lot more specifics about your setup and what you're trying to do. That's why security consultants exist - every scenario is slightly different and I can't give you any general guidelines except to say that 777ing anything public facing tends to be a bad idea, unless you have control over every aspect of the code (read: you wrote it yourself) and you understand a thing or two about application-layer security in whatever language you code in.
hai
nutballs (Administrator, Posts: 5627)
« Reply #5 on: January 02, 2009, 01:51:20 PM »

Also keep in mind how important it is to you. I have a machine which I could care less if someone took it down. I would just reimage and redeploy. No biggy. So I only tested the security for a few minutes or so.
I could eat a bowl of Alphabet Soup and shit a better argument than that.
sysbuilder (Rookie, Posts: 17)
« Reply #6 on: January 02, 2009, 05:47:06 PM »

Ok - I'll take your advice and not CHMOD my public folders to 777 anymore.

One last newbie question - looks like the default on my server for public-facing folders is either 755 or 750. What do you think is the best CHMOD configuration for public-facing folders?
vsloathe (Global Moderator, Posts: 1669)
« Reply #7 on: January 02, 2009, 09:10:52 PM »

If it's public facing I'd go with the most restrictive that still allows it to be functional. 750 is good.
hai
perkiset (Olde World Hacker, Administrator, Posts: 10096)
« Reply #8 on: January 03, 2009, 12:14:53 AM »

Some FTP daemons will give you hell if directories they need to get into are not at least at a 5 (r-x) so you might still consider 755. Even at 4 (r--) they will often fail.
It is now believed, that after having lived in one compound with 3 wives and never leaving the house for 5 years, Bin Laden called the U.S. Navy Seals himself.
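As an added shell example (not code posted in the thread), here is the check-and-fix the later replies describe: list anything world-writable under a web root, then reset directories to 755 (or 750 if you pass it, with perkiset's FTP caveat) and files to 644. The paths in it are assumptions; point it at your own public_html.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a web root for the
# world-writable state that "chmod 777" leaves behind, then reset it to
# the 755-directory / 644-file layout the replies recommend.
# Every path here is an assumption; point it at your own public_html.

# Print every directory or regular file under $1 that "others" can write to.
find_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -o+w -print
}

# Succeeds (exit 0) only when nothing under $1 is world-writable,
# so it can serve as a pass/fail check in a cron job or deploy script.
webroot_is_clean() {
    [ -z "$(find_world_writable "$1")" ]
}

# Reset permissions under $1. Directories get $2 (default 755; pass 750 to
# shut "others" out entirely, but then the web server user must be in the
# owning group, and as perkiset notes some FTP daemons need at least r-x).
# Files get 644: readable, never world-writable, never executable.
# Ownership is not changed; run this as the tree's owner or as root.
harden_webroot() {
    dirmode="${2:-755}"
    find "$1" -type d -exec chmod "$dirmode" {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Demonstration on a constructed throwaway tree, not a real site.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/public_html/wp-content/plugins"
    printf '<?php echo 1;' > "$tmp/public_html/index.php"
    chmod 777 "$tmp/public_html" "$tmp/public_html/wp-content/plugins"
    chmod 666 "$tmp/public_html/index.php"
    echo "world-writable before hardening:"
    find_world_writable "$tmp/public_html"
    harden_webroot "$tmp/public_html"
    echo "world-writable after hardening (expect nothing):"
    find_world_writable "$tmp/public_html"
    rm -rf "$tmp"
}

demo
```

To use it on a live tree, call `harden_webroot /path/to/public_html` (or add `750` as the second argument) and run `webroot_is_clean` afterwards to confirm nothing is still world-writable.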