Lots of security issues; personally I would strongly advise your client to switch to a different gallery script. If the client is on a dedicated server, then advise them there are security risks, and if they choose to proceed, then when their server gets compromised you can charge them up the wazoo to fix it all...
I assume you know 777 gives *everyone* and *everygroup* full permission to do *everything*
There is another thread in this forum which covers the topic of /tmp and the security issues, see linux-tech's post at the end:
Actually, there's a difference between my comments and what the thread starter is after. In the end, your users will need (at minimum) write access to /tmp. Why? Because sessions are usually saved to /tmp, and other things as well.
777 for /tmp is all right, IF you have it mounted noexec, and is probably a requirement for a lot of things. Here's why.
The Linux FS handles things a bit differently than most would think, and, personally, I think it's a bit backwards. In order to descend into a directory, that directory must be executable to the user. R(ead) and W(rite) don't cover it; E(x)ecutable must be added to the mix.
Now, let's take this one step further here. Let's say you have php applications that (wisely) require sessions. Well, without /tmp being a+rxw, you're not going to be able to write your session data.
Let's say, again, like in this case that you have an application like gallery that needs to write to a temporary directory. Sure, gallery gives you the option of having your own temp directory (as do most smart applications), but /tmp is always going to be default. In order to use those fully, again, you'll need to have /tmp run as 777.
There's a difference between setting /tmp to 777, and why it's required on most Linux systems, and allowing executable files in /tmp. Mounting /tmp noexec is always the safe bet, as is creating a symlink from /var/tmp to /tmp, and making sure that /dev/shm is mounted noexec. Those are 3 of the top places for things.
Unfortunately, this doesn't really "secure" your server that much more, but it prevents (most) stupid kiddies from setting up shop using the default scripts. Of course, they're getting smarter now, and using perl, which just can't be prevented, sadly. Not anyway, at least.
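As an added example (not code from the thread or from any poster), a POSIX shell audit of the setup linux-tech describes: it checks whether a directory such as /tmp or /dev/shm is mounted noexec and whether its mode is world-writable. It also flags a missing sticky bit (1777 rather than plain 777), which the post does not mention but is the standard /tmp mode. The mount-option parser reads /proc/mounts format, so the constructed sample below stands in for the live file; the directory names and helper function names are this example's own.

```shell
#!/bin/sh
# Audit helpers for the /tmp, /var/tmp and /dev/shm advice above.
# Constructed example; not part of the original thread.

# mount_has_opt MOUNTPOINT OPTION [MOUNTS_FILE]
# Prints "yes" if OPTION appears in the mount options of MOUNTPOINT
# (4th field of /proc/mounts), otherwise "no".
mount_has_opt() {
    mp=$1; opt=$2; file=${3:-/proc/mounts}
    awk -v mp="$mp" -v opt="$opt" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { print (found ? "yes" : "no") }' "$file"
}

# dir_mode DIR: octal permission bits including the sticky bit, e.g. 1777.
dir_mode() {
    stat -c '%a' "$1"
}

# audit_tmp_dir DIR [MOUNTS_FILE]: one-line verdict per check.
audit_tmp_dir() {
    d=$1; file=${2:-/proc/mounts}
    mode=$(dir_mode "$d")
    case "$mode" in
        1777) echo "$d mode $mode: world-writable with sticky bit (expected)";;
        777)  echo "$d mode $mode: world-writable WITHOUT sticky bit; use chmod 1777";;
        *)    echo "$d mode $mode: not world-writable, sessions/uploads may fail";;
    esac
    if [ "$(mount_has_opt "$d" noexec "$file")" = yes ]; then
        echo "$d is mounted noexec"
    else
        echo "$d is NOT mounted noexec (or is not its own mount point)"
    fi
}

# Constructed sample in /proc/mounts format: /tmp is noexec, /dev/shm is not.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

if [ $# -eq 0 ]; then
    tmpf=$(mktemp)
    printf '%s\n' "$SAMPLE_MOUNTS" > "$tmpf"
    audit_tmp_dir /tmp "$tmpf"
    audit_tmp_dir /dev/shm "$tmpf"
    rm -f "$tmpf"
fi
```

Run it with no arguments to audit the constructed sample, or call `audit_tmp_dir /tmp` from a shell that has sourced the file to check the live /proc/mounts.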