
Why chmod 777 is NOT a security risk


permutations:

--- Quote from: [Unknown] on November 20, 2003, 03:41:19 AM ---Any other questions? (so far I made all these up, sorry if they aren't realistic :P.)  Feel free to ask and I'll answer away.  I challenge you to prove me wrong.... show me that somehow 777 is all that bad.

--- End quote ---

I'm not a hacker so I can't argue the technicalities of how 777 would give a hacker access. I can tell you, though, that a hacker DID get access to my site when my directories were 777. When my Web host installed suexec so all the permissions could be changed to 775, that shut out the hacker.

keepr:
This is absolutely ridiculous. There is no good reason for anyone to be setting the whole directory for an application that has read/write access to MySQL to 777. If you need to set a specific file to 777 in order to make settings changes, that is fine, but allowing every single file in SMF to be RWX for Everyone is just plain asking for trouble...

First off, SMF is not bug free and neither is any popular forum software; by setting the whole directory to 777 you are opening up every possible avenue for software exploitation.

If you cannot make your mods / application work with proper security restrictions then you need to take another look at your code. This post is reckless and potentially damaging to people who do not understand what it means to have their website exploited.

This is like saying "My Ferrari has really good door locks, so it's ok to leave it in a shopping mall garage overnight without the aid of an alarm.. Oh yeah, and let me leave the keys and addresses to all my other expensive cars in the glove box while I am at it!"

Come on get with the program and help people fix this issue instead of stepping around it..


OOOh, I came up with a better analogy. Say you buy a car alarm and then you go buy this really cool add-on that pages you when your alarm goes off..

Well, you install it and it's not working, so you call the vendor and they say "Oh yeah, well that model doesn't transmit so well through glass or metal, so what you need to do is roll down all your windows and open all the doors when you want to use it! It's OK, everything should be fine, give it a shot!"

2 days later:
Your car has been vandalized or is completely missing...
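As an added illustration of the point above (not code from the thread or from SMF), here is a small POSIX shell audit that finds everything world-writable under a web root and tightens it to the usual 755 for directories and 644 for files, which is all that owner-run PHP (e.g. under suexec) needs. The sample tree it builds is constructed for the demo; `find`, `chmod` and `mktemp` are assumed to be available.

```shell
#!/bin/sh
# Added example: audit and tighten world-writable entries under a web root.

# Build a constructed sample tree that mimics a forum install left at 777.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/Sources" "$root/attachments"
  : > "$root/index.php"
  : > "$root/Settings.php"
  : > "$root/Sources/Load.php"
  chmod -R 777 "$root"            # the "everything 777" state under discussion
  printf '%s\n' "$root"
}

# Report each world-writable entry under $1 as "dir <path>" or "file <path>".
# -perm -0002 matches when the others-write bit is set, whatever else is set.
report_world_writable() {
  find "$1" -perm -0002 \( -type d -o -type f \) -exec sh -c '
    for p; do
      if [ -d "$p" ]; then printf "dir %s\n" "$p"; else printf "file %s\n" "$p"; fi
    done' sh {} + | sort
}

# Count world-writable directories and regular files under $1.
count_world_writable() {
  find "$1" -perm -0002 \( -type d -o -type f \) | wc -l | tr -d ' '
}

# Tighten: directories to 755, regular files to 644. Only entries that are
# currently world-writable are touched, so deliberate exceptions elsewhere
# are left alone.
tighten() {
  find "$1" -type d -perm -0002 -exec chmod 755 {} +
  find "$1" -type f -perm -0002 -exec chmod 644 {} +
}

# Demo run: audit, tighten, audit again, then clean up the constructed tree.
demo() {
  root=$(make_sample_tree)
  echo "Before:"; report_world_writable "$root"
  tighten "$root"
  echo "World-writable entries after tighten: $(count_world_writable "$root")"
  rm -rf "$root"
}
```

Run `demo` to see the six 777 entries listed and then none remaining; on a real install, review the report before running `tighten` so that any directory the application genuinely must write to is handled on its own.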

penmin:
  - I believe you, but my host doesn't.  They don't want me to make everything 777, they say it's not safe.
So have them read this.  If they can't refute it, prove it wrong, or at least even challenge it, then I guess they have to let you do 777 Grin.

I think my host just told you that it's not possible w/o a major security risk. So I won't be using TP until someone can fix this.
And btw, it kinda makes me feel a bit insecure that the SMF lead devl. is telling everyone to go unsecure all their ****** (no offense Bloc, I'm sure you're reading this and TP is quite lovely), but I have to agree (finally) that my host is right, and w/o a secure way to do this, it's just something that makes you sit in the waiting room to get hacked.

PS. Unknown, my host could talk and talk for hours about this and argue with you, but we all know he is right. Fix your stuff. :(

kegobeer:
If I set my directory to 777, and you navigate to my site, exactly what could you do to gain access to my files?  To my understanding, a file has to be uploaded to the site and then be executed to take advantage of 777.  If a user can't upload any sort of attachments, what damage can be done?

Thunderace:

--- Quote from: penmin on August 20, 2005, 04:17:15 PM --- PS. Unknown, my host could talk and talk for hours about this and argue with you, but we all know he is right. Fix your stuff. :(

--- End quote ---

Very rude imo. [Unknown] is well admired for his skills as well as for the time he puts into this project. I don't believe your host read his original comment at all, and if he did, he must have misunderstood its meaning.

I for one find your comments invalid and rude.
