next »

[sysbuilder]

On a lot of my sites (especially wordpress sites), I chmod my public_html folder to 777 to make it easier to auto-update plugins, edit the theme from within Wordpress, etc.

Is that a safe practice? I am the only one on a dedicated server. I am not very savvy in regards to security, so I'd greatly appreciate any input from those more experienced.

I've Google'd the question multiple times, but there doesn't seem to be a strong consensus either way.

[nutballs]

my understanding is that in itself, its not dangerous. meaning, that if you do not provide a way for users to upload and execute files through your webpages, then its not a big deal. Assuming the only service available is apache, which is never the case.

the other security should keep them out. if you have no FTP for example. there are always vectors however, on any system. The biggest issue is that if they gain access to the filesystem, even as a lowly user with almost no privs, and they know the path to the 777 dirs, they can pooch you hard.

But the directory that is 777, in itself, does not create a bigger hole for an attacker to gain access. the access is gained via another avenue such as FTP, ssh, exploit, bad upload forms, etc. Don't allow anonymous FTP for example, and don't allow untrusted users to upload through a web page. Those two are your biggest threats in most web servers.

of course, there is probably some giant obvious thing I am forgetting, so perk or V will chime in and tell you im an idiot.

[vsloathe]

No, you're not an idiot.

NBs is right, but I would caution you that your approach in general to security (shared by probably 90+% of webmasters out there, might I add) is not a very good one. You need to make sure that your code is tighter than tight if you've 777ed your html directory. If you're using third party software like wordpress, which has already been shown numerous times to be released full of holes (the pervasive SQL injection exploit that is still a big problem, for example), you ought to try to lock down your filesystem a bit harder.

[sysbuilder]

@nutballs: Thanks for the heads up about anonymous FTP, just checked my server and fixed that hole.

@vsloathe: So if I do keep my public_html directories 777ed, could you suggest some ways that I could use to lock down the filesystem a bit more?

Thanks for the replies so far, really appreciate the tips.

[vsloathe]

No, I'd actually recommend not 777ing them if you're using third party software. The "how" in these things would involve me knowing a lot more specifics about your setup and what you're trying to do. That's why security consultants exist - every scenario is slightly different and I can't give you any general guidelines except to say that 777ing anything public facing tends to be a bad idea, unless you have control over every aspect of the code (read: you wrote it yourself) and you understand a thing or two about application-layer security in whatever language you code in.

[nutballs]

also keep in mind how important it is to you. I have a machine which I could care less if someone took it down. I would just reimage and redeploy. no biggy. so i only tested the security for a few minutes or so.

[sysbuilder]

Ok - I'll take your advice and not CHMOD my public folders to 777 anymore.

One last newbie question - looks like the default on my server for public-facing folders is either 755 or 750. What do you think is the best CHMOD configuration for public-facing folders?

[vsloathe]

If it's public facing I'd go with the most restrictive that still allows it to be functional. 750 is good.

[perkiset]

Some FTP daemons will give you hell if directories they need to get into are not at least at a 5 (r-x) so you might still consider 755. Even at 4 (r--) they will often fail.