Archived Boards and Threads... > Parham's PHP Tutorials

Why chmod 777 is NOT a security risk

<< < (2/21) > >>

Aquilo:
I'm wishing I had taking Jason's offer instead of going with the host I'm at now, I don't know what SUExec David is referring to but the one run on my host is plain STUPID!!!!

from my host...

--- Quote ---Beyond webroot protection, which is very necessary for security reasons, we run a standard Apache Suexec setup.
--- End quote ---

why under a Suexec setup even a text file has to have 777 for a script to read & write to it? why can't 666 be good enough! right?

here is an example of the seemingly highly regarded SUExec being stupid...

--- Quote ---an example,
I wan't a script located at
/public_html/index.php
to read and write to
/public_html/MySkins/
same user in the same account,

now MySkins contain php script so setting it to 666
should let the world read and write to it but not execute script in there this is so no one can edit the file with bad code and then execute it! this would be -rw-rw-rw- but something is making it so nothing can read the dir unless it has execute permissions.

the thing I don't understand is why I have to give execute permissions just to read!?
--- End quote ---
answer "maybe try chmod 1666?"


--- Quote ---still overridden.

FTP log:
SITE CHMOD 1666 MySkins
200 SITE CHMOD command successful
NOOP
200 NOOP command successful
CWD /public_html/MySkins
550 /public_html/MySkins: Permission denied

if I use 1666 or 2666 or 4666 it's still Forbidden.
--- End quote ---
answer "I just changed some of the permissions on the directories..."


--- Quote ---under 666
/public_html/MySkins <- Access

/public_html/MySkins/theme <- Access

/public_html/MySkins/theme/css <- Permission denied

and php can now execute under 666
--- End quote ---

Now I don't know if this is SUExec being stupid or the admin don't know how to run it but I don't see how any of this helps protect anything! if any thing it's undermining the hole CHMOD concept of how and who to give permissions to!

or am I wrong for thinking SUExec and this kind of setup is stupid?

David:
If I were running a shared server I would use a chrooted environment for ftp, I would not give ssh access except on a case by case basis.  ssh would also be chrooted.  What chroot, also known as jailing, a user does is keep them in their home directory.  Instead of logging them in to their home directory but also allowing them to browse to the parent of their home directory, they won't even be able to know that there is a parent directory.  There are scripts to break out of these jailed environments but like anything, as there is a new vulnerability the software is patched.

I would then run Apache AND PHP with SUExec.  Many people believe that you can just compile Apache to use SUExec and you are set but you must ALSO compile SUExec support into PHP.  With SUExec your Apache processes will run as if they were your user.  Thus when serving one of aquilo's pages, Apache will act as if it were aquilo.  This allows a server admin to really lock down the file permissions.  No longer does the world permissions have to be 1 or 5 on parent directories since apache can now gain access itself.

Aquilo, the execute permission is used in two ways.  Either for a cgi or shell script or if on a directory it allows the user/group/world to cd into it.  You should never have to give execute permissions on a php script.  Also your host telling you to try 1666 makes no sense as the first 1 marks the file as a changed since the last backup, it is setting an "Archive Bit" and thus has absolutly nothing to do with solving your problem.

http://www.mkssoftware.com/docs/man1/chmod.1.asp

Aquilo:
I guess the solution to the problem is to just use .htaccess and AddType text/plain .php if I don't want php run in a directory! I thought chmod would stop php from executing if it didn't have permission.

so that problem is solved, now why it has to have execute permission for anything to run!? :D

Thanks David!!

Anguz:
I'm wondering about permissions right now, so I'm happy I found this thread...

one of my webhosts does jail accounts and I have a limit to the permissions I can set even, which is my problem

directories can't be higher than 755 and files 644

will it be possible to have SMF run correctly with those limitations? how?

Spaceman-Spiff:
yes, you can have SMF running properly, but you cant use some features like:
- attachment
- package manager
- Settings.php editor (Forum Preferences and Settings)

Navigation

[0] Message Index

[#] Next page

[*] Previous page

Go to full version