Why chmod 777 is NOT a security risk

Started by [Unknown], November 20, 2003, 03:41:19 AM


sm2k

777 is easier from the website admin side.  It suddenly becomes trivial to perform neat tricks like automated package/mod installations, style sheet editing from the admin panel, file uploads, etc.

I agree though, file permissions are the basis of any security system, and should be as tight as possible.  There are methods for providing the same services that we already enjoy without leaving directories wide open.  Yes, it is most certainly possible that a hacker could still manipulate the system, and yes it is possible that he/she could then reset file permissions depending on the vulnerability and system config.  That doesn't make file permissions any less important.

Really, why have any security in the file system at all?  Just leave it wide open and trust each and every software developer...right?  Besides, if a hacker can get root permissions then he can do whatever he wants anyhow...right?  ;)

alchemy

Quote from: Anguz on February 15, 2006, 06:37:28 PM
alchemy, I'm sure several are curious about how you have it. Could you tell us what permissions you used for what files? For those that don't want it to be all 777.

My installation differs from most, because I move Settings*, Sources/  and the temp directories, for SMF, to a path not readable by apache.  (this requires a bit of editing, too much to explain)

I prefer security over simplicity. If you do permissions similar to this, you will probably have to upgrade your forum manually. Note: The respective UID's and GID's of SMF, apache, and SMF Group may differ on your server.

For the most part, this gives the "least possible permissions", and it works with PHP "Safe Mode", PHP hardening, chrooted apache, and other restrictions too numerous to list.


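#SMF CUSTOM INSTALLATION
# Baseline: everything owned by smf:web, files 644, directories 755
chown -R smf:web /chroot/forums/
chown -R smf:web /chroot/scripts/forums/
# -exec ... {} + copes with spaces in file names and with empty results
find /chroot/forums/ -type f -exec chmod 644 {} +
find /chroot/forums/ -type d -exec chmod 755 {} +
find /chroot/scripts/forums/ -type f -exec chmod 644 {} +
find /chroot/scripts/forums/ -type d -exec chmod 755 {} +

# Attachments: directory writable by the apache group, uploaded files owned by apache
chown smf:apache /chroot/forums/attachments/
chmod 775 /chroot/forums/attachments/
chown apache:apache /chroot/forums/attachments/*
chown smf:web /chroot/forums/attachments/index.php
#chown root:root /chroot/forums/SSI.php <- disabled for now

# Session and upload temp directories (outside the web root) belong to apache
chown apache:web /chroot/scripts/forums/tmp_{ssp,upload}/
chown apache:apache /chroot/scripts/forums/tmp_ssp/*
chmod 600 /chroot/scripts/forums/tmp_ssp/*
# Settings files: read/write for owner smf and group apache, nothing for others
chown smf:apache /chroot/scripts/forums/Settings*
chmod 660 /chroot/scripts/forums/Settings*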


httpd.conf

<Directory "/chroot/scripts">
    Options None
    AllowOverride None
    Order Allow,Deny
    Deny from all
</Directory>

<Directory "/chroot/forums">
        # ... other directives
        php_admin_value include_path  ".:/chroot/scripts/forums"
        php_admin_value session.save_path "/chroot/scripts/forums/tmp_ssp"
        php_admin_value upload_tmp_dir "/chroot/scripts/forums/tmp_upload"
</Directory>



Prasad007

hey wow! Thanks for the gr8 article unknown :)

sawz

that was a long thread, and interesting...
keep smiling, they'll always wonder what you're up to.....

StupidScript

World-writeable directories are ALWAYS a BAD idea.

Do I really need to say anymore? I know that many posters have asked for proof that these are dangerous, however to do so would be to provide ammunition to script-kiddies who are seeking easy-to-exploit flaws in the programming.

This thread seems to be focused on CHANGES on the directory owners, but that's not the point of security.

I remember, a few years ago, when our corporate intranet servers were compromised by a warez/script distributor. They set up directories on our servers that contained games, porn movies, copyright-infringing applications and more. And you know, they didn't even have root! They didn't care.

Why? Because they could WRITE to the directories.

For example: I really don't care if you want me to be able to EXECUTE scripts .. all I want is to be able to tell my customers, "Go to http://SOM.IPA.DDR.ESS/warez and download GTA for free!"

World-writeable = bad. Talk about the odds as much as you want. With armies of zombie networks available to perform stuff that you have no idea could even happen ... your server is at EXTREME risk when ANY directory is world-writeable. Let's talk about escalation of privileges ...

Go ahead ... DEMAND proof ... I really don't care. I've got your/my server. Bye. (Oh, by the way, you can't send email from that server because it has been blacklisted ... haha.)

Now let's hear some justification that explains THAT to your multi-millionaire boss. Or maybe you don't have a multi-millionaire boss .. and you probably never will. Fair warning.

Harzem

Since you are unable to protect your servers, it is expected that you would not love 777. This is why 777 isn't a security risk.

forumposters

Is there an easy one step way within cpanel to chmod all the directories and files from 777 to 755 and 644?  Or, do you need shell access?

ccondrup

I am renting a normal account on a shared server. I have all files chmod 644 and folders 755 for my SMF-forum. This works fine - uploads, packages, attachments, avatars etc. How? My host is running suPHP. That means Apache runs as my own (linux/ftp) user, via the suPHP module. When you upload a file through php, the file will be owned by your ftp user, instead of httpd, www or nobody. On this host with suPHP, php-scripts will not even run if chmod 777.

phpsuexec was mentioned in this thread, I think cPanel supports and maintains this version for their commercial cPanel customers, but the project itself has stagnated some time ago.

suPHP on the other hand, seems to be an ongoing active project. Here is a guide on how to get the magic working

TANDIONO.COM


Atticka

Ok, my first post here and it's gonna be in this hot topic, lol.

Unknown or anyone, would it be possible to get the following info?
What folders require 777 for SMF to operate properly (Attachments? source?)
What folders can stay 755 with losing features (smiley folder doesn't need 777 does it?)

What should be the default permissions on files?

Regardless of host, server setup, etc....it's always a good idea to set appropriate permissions on folders and files.

Harzem

Quote from: Atticka on September 03, 2006, 04:02:54 PM
Ok, my first post here and it's gonna be in this hot topic, lol.

Unknown or anyone, would it be possible to get the following info?
What folders require 777 for SMF to operate properly (Attachments? source?)
What folders can stay 755 with losing features (smiley folder doesn't need 777 does it?)

What should be the default permissions on files?

Regardless of host, server setup, etc....it's always a good idea to set appropriate permissions on folders and files.

I always use 755 for directories and 644 for files. This also depends on the server, for example suEXEC setting of apache. But you can still try this and have a look :)

Atticka

Quote from: HarzeM on September 03, 2006, 04:07:06 PM
I always use 755 for directories and 644 for files. This also depends on the server, for example suEXEC setting of apache. But you can still try this and have a look :)

Ok, this doesn't help....because if I go 755 on the attachment folder....I can't upload attachments anymore.

755 on the packages folder breaks the upgrade feature.

God knows what will break if I set 644 on all files!

Just looking for some guidance or what to expect when you start changing permissions without knowing the consequences.

Harzem

Ok, then:

777 for attachments (not avatars).
755 for Packages and other folders. Only when you need to install a mod or upgrade, make packages, sources and themes folders 777 temporarily.
Settings.php should be manually set to 777 when editing server settings. Other times, keep it 644.
Other files should be 644 unless you are installing a mod or upgrade.
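
The baseline in the post above (755 directories, 644 files, only the attachments directory left writable) as a check you can run. This is an added example, not part of the original thread; the directory name `attachments` and the sample tree built in `demo` are assumptions.

```shell
#!/bin/sh
# Added example: audit a forum tree against the 755/644 baseline.

# List files and directories that any local user can write to, skipping
# the one directory that is allowed to stay writable (assumed: attachments).
world_writable() {
    root=${1%/}
    allowed=${2:-attachments}
    find "$root" \( -type f -o -type d \) -perm -0002 \
        ! -path "$root/$allowed" -print
}

# Reset directories to 755 and files to 644; the allowed directory itself
# keeps its mode, but files stored inside it are still set to 644.
tighten() {
    root=${1%/}
    allowed=${2:-attachments}
    find "$root" -type d ! -path "$root/$allowed" -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Constructed sample tree: Packages and Settings.php were left at 777
# after a mod install. Prints "<findings before> <findings after> <kept>".
demo() (
    umask 022
    tmp=$(mktemp -d) || exit 1
    mkdir -p "$tmp/Sources" "$tmp/Packages" "$tmp/attachments"
    : > "$tmp/Settings.php"
    : > "$tmp/Sources/Load.php"
    chmod 777 "$tmp/Packages" "$tmp/attachments" "$tmp/Settings.php"
    before=$(world_writable "$tmp" | wc -l)
    tighten "$tmp"
    after=$(world_writable "$tmp" | wc -l)
    # attachments must still be writable so uploads keep working
    kept=$(find "$tmp/attachments" -prune -perm -0002 | wc -l)
    rm -rf "$tmp"
    echo "$((before)) $((after)) $((kept))"
)
```

Run `world_writable /path/to/forum` after installing a mod or upgrade to see what was left open, then `tighten /path/to/forum` to restore the baseline.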

hygron

this thread blows me away.  I have been struggling to understand the whole permissions query, but why as well...[unknown] great job of explaining and defense...got thru about 3-4 pages.  It just clicked...probably will come back for a few more pages, but right now I am going to chmod 777 a few files that haven't been changed.  this might solve an install.php problem I have been having all day...no tables in Database.  thanks for the great info and explanations

come join me at: http://www.Hygronomics.com/forum1
My newest site: http://myvirtualworld.org Virtual Domain Hosting

TwinsX2Dad

It really is pretty simple gang - and unknown has it right from the start. Plainly put, the 777 gives global permissions to applications on the system and not to the world. The practice of using chmod on files dates back over 40 years with the original Bell System UNIX servers - without permissions, every bit of software on the server might be able to change every file on the server.

If someone can get into your files, they are already in your system, your server, your folder, your whatever. Once they are there, a simple chmod setting isn't going to stop them - if it were a deterrent, they could simply change the permissions.

In most cases, you could apply a chmod of 777 across the board and your files will be no less safe.

geer

Hi all,

Sorry, my English is bad, but my question is how do I change CHMOD so that all files are good.

Thanks very much

IchBin™

IchBin™        TinyPortal

geer

Quote from: IchBin™ on November 29, 2006, 02:07:07 PM
How do I use chmod?

How do I set all files on the server so that all is good, because installing new packages does not work for me

e.g.  Packages on 777
       sources on 755
       etc.


Thanks once again


jackregan

Sorry to reactivate an old thread, but there are so many questions in my little head...

Am I right in thinking that the main threat from hackers comes from other customers on the same server, being able to sidestep into your account because it's not jailed??

I sort of understand this because it was like this at my University. We could just ftp our accounts and then go up a level to see everyone else's... a little naughty :)

If I am right, then how can I tell if accounts are jailed on my host??
Bible Study, Catholic News, Youth Group Stuff (my humble attempt at an SMF site... I'm grateful to the amazing people who have made SMF what it is!!

RustyBarnacle

Well this explains a lot, thanks again to all that posted such great info in here.  Just a little bump for those like me that have spent most of last night and this morning wondering why the world came crashing down, and then it appears that a mod changed some permissions.

I don't know if they can do that or not but I installed some mods, and then several things started screwing up, after much to-do I saw that my permissions were all out of whack.
