Why chmod 777 is NOT a security risk

Started by [Unknown], November 20, 2003, 03:41:19 AM


Government

Nice text.
And I put all files at 777 permission.

But I want to install a new package and always get an error that I can't.

Quote
An Error Has Occurred!
You cannot download or install new packages because the Packages directory or one of the files in it are not writable!

I can't believe it, I put everything at 777 (chmod -R 777 public_html/forum/*) and nothing, same error.
Must I change something else to be able to install packages?


Thank you for advice.

IchBin™

You should read through this thread and try some of the workarounds that have been posted.
http://www.simplemachines.org/community/index.php?topic=28393.0
IchBin™        TinyPortal

Government

Yeah, sorry.
Found it.

Didn't make temp dir in Packages.

Thanks for the answer.


I AM Legend

Hi all,
My forum was just recently hacked, and reading through all of this, I found a post in it about a .htaccess file in the attachments. I have just found a .htaccess file in my attachments folder on my host in my public directory. Is this normal? Should I delete it?
My 1st post on this is located here:
http://www.simplemachines.org/community/index.php?topic=269241.0
Any help anyone has on this and on the 0777 issue would be great.
Thanks all

rickyk586

If you change the owner of the directory to the same owner of the server, then the server (including PHP) can write to that folder without the need for it to be 777.  However, this will probably make the FTP not work anymore, since now, the only user that can edit the directory is the server.  Anyways, here is how to do that:

1)  make this PHP script (don't run yet):  <?php mkdir("temp"); ?>
2)  place script into a folder (example: "scripts")
3)  change the permissions on this folder ("scripts") to 777 (this is just for now)
4)  run the script
5)  change the permissions on the folder ("scripts") back to what it was (755 maybe)
6)  the server now has the ability to write to the folder.

Since this restricted my FTP access, I did not do it this way.  I decided to make the folder ("temp") 777 and not worry about it since the files it is creating are 755.

As far as I know, even if the folder is 777, this only gives the public the ability to create new files in the folder, it has nothing to do with the files.  PLEASE correct me if I am wrong.
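
Added example, not part of any post in this thread: a shell audit of the permission states discussed above. It lists world-writable paths under a forum directory, flags world-writable directories that lack the sticky bit, and drops the "other" write bit again once a package install is done. The sample tree and its file names are constructed; pass a real forum path as the first argument to audit that instead.

```shell
#!/bin/sh
# Added example (not from the thread): audit a forum tree for world-writable paths.

# Regular files and directories with the "other" write bit set (symlinks skipped).
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# World-writable directories without the sticky bit. Write permission on a
# directory controls creating, renaming and deleting its entries, so here any
# local account can remove or replace a file whatever that file's own mode is.
list_unsticky_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print
}

# Drop the "other" write bit again, e.g. after a package install has finished.
tighten() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
}

report() {
    echo "World-writable under $1:"
    list_world_writable "$1" | while IFS= read -r p; do ls -ld "$p"; done
    echo "World-writable directories without sticky bit:"
    list_unsticky_dirs "$1"
}

# Constructed sample tree (hypothetical layout modelled on the thread's
# Packages/temp directory); used only when no path is given.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/Packages/temp" "$d/attachments"
    : > "$d/Packages/temp/upload.tmp"
    chmod 755 "$d/Packages" "$d/attachments"
    chmod 644 "$d/Packages/temp/upload.tmp"
    chmod 777 "$d/Packages/temp"
    echo "$d"
}

if [ "$#" -gt 0 ]; then
    report "$1"
elif sample=$(make_sample); then
    report "$sample"      # before: Packages/temp is flagged
    tighten "$sample"
    report "$sample"      # after: nothing is flagged
    rm -rf "$sample"
fi
```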

taha116

#86
Is there no way to protect a database completely? Even if it costs some money?
"The man who smiles when things go wrong has thought of someone to blame things on"
I forgot the name
BUY electronic cigarettes with rechargeable batteries as well as flavored refills for cheap prices and only 1-2 dollars of shipping!
http://www.ngcigarettes.com/
~Taha116

aldo

You could have a MySQL user only assigned permissions to only read from the database... So no... :P

I mean unless you want your MySQL database to act as an archive you just can't. The only way you can protect it is to have a good password so people can't get into your server and have a good MySQL password so they can't get in either.

taha116

Quote from: aldo on December 29, 2008, 02:01:59 AM
You could have a MySQL user only assigned permissions to only read from the database... So no... :P

I mean unless you want your MySQL database to act as an archive you just can't. The only way you can protect it is to have a good password so people can't get into your server and have a good MySQL password so they can't get in either.

So it's just as easy to hack my 1.1.7 site as it would be to hack this SMF community site? I don't believe that, because if people report getting hacked then why doesn't some whacko just hack this too? There are obviously some differences that you have not considered?

Killer Possum

#89
Quote from: taha116 on December 30, 2008, 12:43:48 PM
So it's just as easy to hack my 1.1.7 site as it would be to hack this SMF community site? I don't believe that, because if people report getting hacked then why doesn't some whacko just hack this too? There are obviously some differences that you have not considered?

The differences are in the configuration of the server as well. Just because site A gets their forum hacked doesn't mean site B can be hacked in the same way. Basically, just because your forum was hacked and destroyed doesn't necessarily mean that they got in through the forum software.

taha116

Quote from: Killer Possum on December 30, 2008, 05:31:28 PM
Quote from: taha116 on December 30, 2008, 12:43:48 PM
So it's just as easy to hack my 1.1.7 site as it would be to hack this SMF community site? I don't believe that, because if people report getting hacked then why doesn't some whacko just hack this too? There are obviously some differences that you have not considered?

The differences are in the configuration of the server as well. Just because site A gets their forum hacked doesn't mean site B can be hacked in the same way. Basically, just because your forum was hacked and destroyed doesn't necessarily mean that they got in through the forum software.

Ahh, so basically if I were to install SMF 1.1.7 using all recommended settings and nothing else I should be as safe as this site itself?

IchBin™

No, because each server is configured differently.

Killer Possum

#92
Quote from: taha116 on December 30, 2008, 07:43:20 PM
Ahh, so basically if I were to install SMF 1.1.7 using all recommended settings and nothing else I should be as safe as this site itself?

Like IchBin said, no because each server is configured differently. Not the server settings page in the forum software, but the server itself. And that's left up to your web host to secure, and hopefully you are with a reputable web host for that reason. ;)

taha116

Quote from: Killer Possum on December 31, 2008, 10:14:00 AM
Quote from: taha116 on December 30, 2008, 07:43:20 PM
Ahh, so basically if I were to install SMF 1.1.7 using all recommended settings and nothing else I should be as safe as this site itself?

Like IchBin said, no because each server is configured differently. Not the server settings page in the forum software, but the server itself. And that's left up to your web host to secure, and hopefully you are with a reputable web host for that reason. ;)

Ah, so if I followed the recommended settings from SMF and happened to have a good host that kept my server secure, I should, in most cases, have nothing to worry about.

Just a suggestion as part of this reply, it's a quick one... Joomla has this sort of server check thingy during installation to see if all recommended and required features are enabled, maybe SMF should try something like that out...
That would help people know if they will be able to run SMF properly or not, and also if it would be on a secure server...

Skhilled

Those checks do not necessarily mean that the server is secure. It only checks to see that the software in question will install properly so the software will be more secure...not the server itself.

GravuTrad

#95
For those who understand French and who don't believe that because thieves exist we have to leave our house door open (without being present)...:

http://www.php-maximus.org/Maximus_CMS_post_t_7357.html
One always needs someone smaller than oneself! (Small! Small!)


Think about Search function before posting.

MacGig

I had things set to 777 once and got hacked, the host said that is why. So I'm confused.

Can someone list what files should be 777, 775, etc.? AFTER the install or upgrade?

IchBin™

Getting hacked isn't caused by 777. Sounds like your host doesn't know what they're talking about IMO. Getting hacked is usually through bad code that isn't secure, which allows a hacker to exploit the code to do things on the server. Simply having a file set to 777 isn't an exploit. If that was the case, there would be FAR more sites getting hacked out there...

Skhilled


philesq

I would prefer to use 755 which is working, but would like to use package manager.  I could temporarily change the necessary files to 777, use package manager and then change the files back to 755.  Which files would I need to change to 777?
