Chmod 777 Risks
February 14, 2008 10:26 PM   Subscribe

Ahh young grasshoppa, you are not the first to ask.

http://www.google.com/search?q=risk+of+777+on+web+servers&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

You're allowing any process or user on the system to do whatever they want to those files.

Local users, other processes, the web servers, cgi scripts, everything.
posted by iamabot at 10:38 PM on February 14

Why do you want 777? If it's just images, what's wrong with using 644? Let the web user write, everyone else read only. The chances may be slim that someone will try to exploit it, but why take any unnecessary risk?
posted by team lowkey at 11:28 PM on February 14

You're trusting the uploader not to lie about the mime type ...
posted by 5MeoCMP at 2:23 AM on February 15

If your hands are tied and you have to use 777: keep good backups. As long as you aren't storing private information, such as email addresses or credit cards in that directory, you can always restore if you are exploited.

(Its the executable bit that makes people nervous, if someone could upload a shell script -- that's one thing. But if it's possible for them to execute it, then really bad things can happen!)
posted by bprater at 4:00 AM on February 15

Mode 777 (and the bit you're probably most concerned about is is the "world writable" part of that) is all about who can get on to the server and affect the contents of that directory. This would indicate concern over the possibility of compromise of an otherwise unrelated system or user account rather than the webserver or social engineering of a password from a known uploader. Determining the likelihood of these scenarios depends on the platform, webserver, systems admin processes and so on.

Look at it another way. If you keep good backups, and if there's either nothing on the site that's "important" (by your definition) then mode 777 is neither here nor there. It just comes down to how much time you might be willing to put in to put it all back together if it gets damaged, whether intentionally or by a poorly-written maintenance script that runs on the server.

Setting a more restrictive mode protects you from other users (processes running as other users) on the system. If there's a compromise of the webserver, the mode likely doesn't matter. How bad is it if someone replaces one of those images with a pair of huge, floppy tits? (yes, I'm talking about overgrown, pendulous blue birds here)
posted by 5MeoCMP at 4:55 AM on February 15

The question is about a directory. Together, "r" and "x" specify who may list files in the directory, and who may open a file knowing its name in the directory.

There are some subtleties however. In order to access a file, it is necessary to utter that object's name. Names are always relative to some directory, for example: ~fbs/text/cs513/www/L07.html. Directories are just files themselves, but in the case of directories:

* The "r" (read) bit controls the ability to read the list of files in a directory. If "r" is set, you can use "ls" to look at the directory.

* The "x" (search) bit controls the ability to use that directory to construct a valid pathname. If the "x" bit is set, you can look at a file contained in the directory.

Thus, for example, the 'x' bit allows a user to make the directory under consideration the current working directory and it needs to be on to read files in the current working directory. So a file can be made inaccessible by turning off the 'x' bit for the directory in which the file resides.

Does 'x' without 'r' access make sense? Yes! This is a directory whose files' names cannot be learned, but whose files are accessible if you happen to know their names. This is actually useful.

Does 'r' without 'x' access make sense? This is a directory whose files' names can be learned, but whose files cannot be accessed. It is not very useful.
http://www.cs.cornell.edu/courses/cs513/2005fa/L07.html

By giving permission bits to the group (middle character of 777) you allow anyone in the named group to perform operations in the directory. By giving permission bits to "other" (last character of 777) you allow anyone to perform operations on the directory. But "group" and "other" refer to Unix-level accounts on the same system; If the directory is owned by the unix account that executes the CMS code, then this doesn't change anything about how users of the CMS can access files.

In the case of shared hosting, giving "other" permissions is a substantial risk, but in the case of dedicated hosting, it is probably a risk that can be taken as all Unix-level accouts may be trusted.
posted by jepler at 5:16 AM on February 15 [1 favorite]

Mr. Welton - this is probably clear from preceding answers, but just in case it's not: you may well be safe from "random internet user", but what you'd really have to worry about is "other web hosting user". If you're on the same server as "StalkingMax.com", for example, the owner/admin of that site, let's call her "Precocious Wicked College Girl", could possibly get access to your files that "random" could never achieve. Read the more detailed comments above for details.

That said, if you can't even create directories on the server, it may be locked down enough that that's not an issue -- but your code could be put on a different server in the future (I'm struggling through being forced to move a bunch of sites from one host to another right now, due to management issues on the old server).

So, you also have to ask yourself about how bad the consequences would be if the site *were* compromised. Factor that in to the whole risk equation.
posted by amtho at 6:46 AM on February 15

I'm confused; if you can create files in your mode 777 directory, can't you also just create a directory in that directory and then set better permissions on it?

Anyway, you have two separate problems. One is to protect files uploaded from being modified by the same user later. Unix permissions aren't going to help you with that at all. The other is to protect files uploaded from being modified by other users. A mode 777 directory puts you at significant risk for that. You mentioned a shared hosting environment, that sounds like a recipe for disaster.

If you have to go the 777 route, you're much better off if you can set the sticky bit (1777, or +t) in that directory. That way other users can't delete or overwrite your files.
posted by Nelson at 9:01 AM on February 15

Can you change the directory's owner or group to "nobody"? Then you could at least do a 774, so that other users and scripts can't overwrite or execute anything. Just you and the web user.
posted by team lowkey at 10:42 AM on February 15

Another angle is that two things combined that are sort of ok can together make a hole.

Eg, suppose you are running something else on that server which has a bug that means a user can exploit it to execute a local file. Maybe some dodgy PHP script or whatever.

Alone, that's not that useful, but your 777 directory means there's now a place for an attacker to upload that file.
posted by i_am_joe's_spleen at 11:37 AM on February 15

« Older Forgotten movie: Winter, small...   |   Is it still worth going to the... Newer »