
Author Topic: Why chmod 777 is NOT a security risk  (Read 387310 times)

Offline Government

  • Newbie
  • *
  • Posts: 9
Re: Why chmod 777 is NOT a security risk
« Reply #80 on: December 01, 2007, 11:14:05 AM »
Nice text.
And I put all files as 777 permission.

But I want to install a new package and always get an error that I can't.

Quote
An Error Has Occurred!
You cannot download or install new packages because the Packages directory or one of the files in it are not writable!

I can't believe it, I put everything in 777 (chmod -R 777 public_html/forum/*) and nothing, same error.
Must I change something else to be able to install packages?


Thank you for advice.

Offline IchBin™

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 11,115
  • Gender: Male
  • I don't speak German.
Re: Why chmod 777 is NOT a security risk
« Reply #81 on: December 01, 2007, 12:29:23 PM »
You should read through this thread and try some of the workarounds that have been posted.
http://www.simplemachines.org/community/index.php?topic=28393.0
IchBin™        TinyPortal
Coding Guidelines       

Offline Government

  • Newbie
  • *
  • Posts: 9
Re: Why chmod 777 is NOT a security risk
« Reply #82 on: December 01, 2007, 12:42:34 PM »
Yeah, sorry.
Found it.

Didn't make the temp dir in Packages.

Thanks for the answer.

Offline rtyug

  • Jr. Member
  • **
  • Posts: 127
Re: Why chmod 777 is NOT a security risk
« Reply #83 on: September 28, 2008, 07:03:29 AM »
666 is ok :)

catalogues 750

Offline I AM Legend

  • Jr. Member
  • **
  • Posts: 182
  • Gender: Male
    • Express Forums
Re: Why chmod 777 is NOT a security risk
« Reply #84 on: October 22, 2008, 05:00:56 PM »
Hi all,
my forum was just recently hacked, and reading through all of this, I found a post in it about an .htaccess file in the attachments. I have just found a .htaccess file in my attachments folder on my host in my public directory. Is this normal? Should I delete it?
my 1st post on this is located here
http://www.simplemachines.org/community/index.php?topic=269241.0
any help anyone has on this and on the 0777 issue would be great
Thanks all

rickyk586

  • Guest
Re: Why chmod 777 is NOT a security risk
« Reply #85 on: December 11, 2008, 03:29:32 AM »
If you change the owner of the directory to the same owner as the server, then the server (including PHP) can write to that folder without the need for it to be 777.  However, this will probably make the FTP not work anymore, since now the only user that can edit the directory is the server.  Anyways, here is how to do that:

1)  make this PHP script (don't run yet):  <?php mkdir("temp"); ?>
2)  place script into a folder (example: "scripts")
3)  change the permissions on this folder ("scripts") to 777 (this is just for now)
4)  run the script
5)  change the permissions on the folder ("scripts") back to what it was (755 maybe)
6)  the server now has the ability to write to the folder.

Since this restricted my FTP access, I did not do it this way.  I decided to make the folder ("temp") 777 and not worry about it since the files it is creating are 755.

As far as I know, even if the folder is 777, this only gives the public the ability to create new files in the folder, it has nothing to do with the files.  PLEASE correct me if I am wrong.

Offline taha116

  • Jr. Member
  • **
  • Posts: 270
Re: Why chmod 777 is NOT a security risk
« Reply #86 on: December 28, 2008, 11:56:40 PM »
Is there no way to protect a database completely? Even if it costs some money?
« Last Edit: December 30, 2008, 12:44:29 PM by taha116 »
"The man who smiles when things go wrong has thought of someone to blame things on"
I forgot the name
BUY electronic cigarettes with rechargeable batteries as well as flavored refills for cheap prices and only 1-2 dollars of shipping!
http://www.ngcigarettes.com/
~Taha116

Offline aldo

  • Sophist Member
  • *****
  • Posts: 1,356
  • Gender: Male
Re: Why chmod 777 is NOT a security risk
« Reply #87 on: December 29, 2008, 02:01:59 AM »
You could have a MySQL user only assigned permissions to only read from the database... So no... :P

I mean unless you want your MySQL database to act as an archive you just can't. The only way you can protect it is to have a good password so people can't get into your server and have a good MySQL password so they can't get in either.

Offline taha116

  • Jr. Member
  • **
  • Posts: 270
Re: Why chmod 777 is NOT a security risk
« Reply #88 on: December 30, 2008, 12:43:48 PM »
Quote from: aldo
You could have a MySQL user only assigned permissions to only read from the database... So no... :P

I mean unless you want your MySQL database to act as an archive you just can't. The only way you can protect it is to have a good password so people can't get into your server and have a good MySQL password so they can't get in either.

So it's just as easy to hack my 1.1.7 site as it would be to hack this SMF community site? I don't believe that, because if people report getting hacked then why doesn't some whacko just hack this too? There are obviously some differences that you have not considered?

Offline Killer Possum

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 6,083
  • Professional Llama Charmer
    • SSPMark on GitHub
    • Some Secret Place
Re: Why chmod 777 is NOT a security risk
« Reply #89 on: December 30, 2008, 05:31:28 PM »
Quote from: taha116
So it's just as easy to hack my 1.1.7 site as it would be to hack this SMF community site? I don't believe that, because if people report getting hacked then why doesn't some whacko just hack this too? There are obviously some differences that you have not considered?

The differences are in the configuration of the server as well. Just because site A gets their forum hacked doesn't mean site B can be hacked in the same way. Basically, just because your forum was hacked and destroyed doesn't necessarily mean that they got in through the forum software.
« Last Edit: December 30, 2008, 05:33:19 PM by Killer Possum »

Offline taha116

  • Jr. Member
  • **
  • Posts: 270
Re: Why chmod 777 is NOT a security risk
« Reply #90 on: December 30, 2008, 07:43:20 PM »
Quote from: Killer Possum
Quote from: taha116
So it's just as easy to hack my 1.1.7 site as it would be to hack this SMF community site? I don't believe that, because if people report getting hacked then why doesn't some whacko just hack this too? There are obviously some differences that you have not considered?

The differences are in the configuration of the server as well. Just because site A gets their forum hacked doesn't mean site B can be hacked in the same way. Basically, just because your forum was hacked and destroyed doesn't necessarily mean that they got in through the forum software.

Ahh, so basically if I were to install SMF 1.1.7 using all recommended settings and nothing else I should be as safe as this site itself?

Offline IchBin™

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 11,115
  • Gender: Male
  • I don't speak German.
Re: Why chmod 777 is NOT a security risk
« Reply #91 on: December 31, 2008, 12:15:50 AM »
No, because each server is configured differently.

Offline Killer Possum

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 6,083
  • Professional Llama Charmer
    • SSPMark on GitHub
    • Some Secret Place
Re: Why chmod 777 is NOT a security risk
« Reply #92 on: December 31, 2008, 10:14:00 AM »
Quote from: taha116
Ahh, so basically if I were to install SMF 1.1.7 using all recommended settings and nothing else I should be as safe as this site itself?

Like IchBin said, no because each server is configured differently. Not the server settings page in the forum software, but the server itself. And that's left up to your web host to secure, and hopefully you are with a reputable web host for that reason. ;)
« Last Edit: December 31, 2008, 10:30:56 AM by Killer Possum »

Offline taha116

  • Jr. Member
  • **
  • Posts: 270
Re: Why chmod 777 is NOT a security risk
« Reply #93 on: January 03, 2009, 11:03:22 AM »
Quote from: Killer Possum
Quote from: taha116
Ahh, so basically if I were to install SMF 1.1.7 using all recommended settings and nothing else I should be as safe as this site itself?

Like IchBin said, no because each server is configured differently. Not the server settings page in the forum software, but the server itself. And that's left up to your web host to secure, and hopefully you are with a reputable web host for that reason. ;)

Ah, so if I followed the recommended settings from SMF and happened to have a good host that kept my server secure, I should in most cases have nothing to worry about.

Just a suggestion as part of this reply, it's a quick one... Joomla has this sort of server check thingy during installation to see if all recommended and required features are enabled, maybe SMF should try something like that out...
That would help people know if they will be able to run SMF properly or not, and also if it would be on a secure server...

Offline Skhilled

  • Full Member
  • ***
  • Posts: 488
  • Gender: Male
  • When you stop learning, you stop living!
    • Docskillz
Re: Why chmod 777 is NOT a security risk
« Reply #94 on: January 11, 2009, 03:17:18 AM »
Those checks do not necessarily mean that the server is secure. It only checks to see that the software in question will install properly so the software will be more secure...not the server itself.

Offline GravuTrad

  • Senior Translator
  • SMF Hero
  • *
  • Posts: 8,633
  • Gender: Male
  • One of the french SMF translators
Re: Why chmod 777 is NOT a security risk
« Reply #95 on: February 06, 2009, 01:53:33 PM »
For those who understand French and who don't believe that because thieves exist we have to leave our house's door open (without being present)...:

http://www.php-maximus.org/Maximus_CMS_post_t_7357.html
« Last Edit: February 06, 2009, 01:55:45 PM by GravuTrad »
One always needs someone smaller than oneself! (Small! Small!)


Think about Search function before posting.

Offline MacGig

  • Full Member
  • ***
  • Posts: 450
Re: Why chmod 777 is NOT a security risk
« Reply #96 on: February 07, 2009, 07:31:52 AM »
I had things set to 777 once and got hacked. The host said that is why, so I'm confused.

Can someone list what files should be 777, 775, etc.? AFTER the install or upgrade?

Offline IchBin™

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 11,115
  • Gender: Male
  • I don't speak German.
Re: Why chmod 777 is NOT a security risk
« Reply #97 on: February 08, 2009, 12:29:55 AM »
Getting hacked isn't caused by 777. Sounds like your host doesn't know what they're talking about IMO. Getting hacked is usually through bad code that isn't secure, which allows a hacker to exploit the code to do things on the server. Simply having a file set to 777 isn't an exploit. If that was the case, there would be FAR more sites getting hacked out there...

Offline Skhilled

  • Full Member
  • ***
  • Posts: 488
  • Gender: Male
  • When you stop learning, you stop living!
    • Docskillz
Re: Why chmod 777 is NOT a security risk
« Reply #98 on: February 08, 2009, 04:24:22 PM »
Very true. :)

Offline philesq

  • Semi-Newbie
  • *
  • Posts: 23
Re: Using chmod 755 and package manager
« Reply #99 on: August 17, 2009, 12:11:09 AM »
I would prefer to use 755 which is working, but would like to use package manager.  I could temporarily change the necessary files to 777, use package manager and then change the files back to 755.  Which files would I need to change to 777?
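
Added example, not part of the thread and not SMF's own code: a Python audit that bears on the directory-versus-file question in Reply #85 and on the plan in Reply #99 to switch to 777 temporarily and then back to 755. On POSIX systems the write bit on a directory controls creating, deleting and renaming the entries inside it, whatever the modes of those files, and the sticky bit limits delete and rename to an entry's owner or the directory's owner. The sample tree, its file names and the suggested mode (group and other write removed) are constructed assumptions.

```python
import os
import stat
import tempfile

def audit_world_writable(root):
    """Return sorted (relative path, kind, mode, suggested mode) for world-writable entries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks out of the tree
            if stat.S_ISLNK(st.st_mode) or not st.st_mode & stat.S_IWOTH:
                continue
            mode = stat.S_IMODE(st.st_mode)
            if not stat.S_ISDIR(st.st_mode):
                kind = "file"        # any local user can change its contents
            elif mode & stat.S_ISVTX:
                kind = "dir-sticky"  # anyone can add entries; removal limited to owners
            else:
                kind = "dir"         # anyone can add, delete or rename entries
            # Assumption: the target is "no group/other write" (777 -> 755, 666 -> 644).
            suggested = mode & ~(stat.S_IWGRP | stat.S_IWOTH)
            findings.append((os.path.relpath(path, root), kind, oct(mode), oct(suggested)))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed layout for the demo; not a list of what SMF requires."""
    dirs = {"Packages": 0o777, "Packages/temp": 0o1777, "attachments": 0o755}
    files = {"Packages/example.txt": 0o666, "index.php": 0o644}
    for rel in dirs:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    for rel in files:
        open(os.path.join(root, rel), "w").close()
    for rel, mode in {**dirs, **files}.items():
        os.chmod(os.path.join(root, rel), mode)  # explicit chmod, so umask is irrelevant

def demo():
    """Build the constructed tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_world_writable(root)

if __name__ == "__main__":
    for rel, kind, mode, suggested in demo():
        print(f"{rel:24} {kind:11} {mode} -> {suggested}")
```

Pointing `audit_world_writable` at the forum's directory after a package install lists anything still left at 777 or 666.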