  1. #1
    Join Date
    Jun 2004
    Location
    Delft
    Posts
    99

    Question Are 777 directory permissions safe?

    Dear WHT members,

    I thought of asking your expert opinion on this matter.

    One of my customers wants to install Mambo CMS on his website.
    I have installed mambo a dozen times on different websites without problems using the normal Mambo installation guide.

    In this guide they tell you, you have to chmod a few files and directories to 777 (Full Write Read Execute Access).

    As far as I know I have never encountered problems.

    But now my customer is complaining that "Apache cannot write to the configuration files."
    He asked me to "add the apache user to his group".

    I told him it is not needed because if you follow instructions you will eventually need to chmod directories to 777 for some Mambo components.

    He is now complaining that "it is the most unsecure thing ever to do, you should NEVER chmod to 777 because your server and all the websites will be vulnerable"

    He is insisting he wants to have apache added to the same group his website is running on.

    After searching the web I could not find a specific answer on this matter. I personally don't think a 777 directory is a problem if you have a .htaccess file configured and other options configured.

    But maybe you guys can correct me ???

    (and on a side matter. Should I add apache to a group or is this just "not done"???)

    Thanks in advance!
    http://www.MKEweb.com
    The Netherlands

  2. #2
    Join Date
    Mar 2005
    Location
    Hattiesburg, MS
    Posts
    159
    Not 100% sure about the 777 thing, I would kind of like to hear from someone on that myself. But to answer your other question, there is no way I would change what group the apache user is in just because this guy thinks that is what needs to be done. I would explain to him that there are other users on the same server and changing something like that just cannot be done on a shared server. Those are just my thoughts on the matter.
    InsanelyMacintosh - Macintosh Software Repository Listings

  3. #3
    No, it is not safe.

  4. #4
    Join Date
    Oct 2003
    Location
    Israel
    Posts
    132
    You can read a small article on this topic here:

    http://www.simplemachines.org/commun...p?topic=2987.0

  5. #5
    Use perms 755, not 777; much safer and should work.

  6. #6
    Join Date
    Aug 2004
    Location
    Southern NYS
    Posts
    533
    Yeah, definitely try 755 first. Only go to 777 as a last resort.
    PacketAce
    Because packets were meant to be delivered.
    Premium Mzima Bandwidth at Equinix - Secaucus, NJ

  7. #7
    Join Date
    Oct 2002
    Location
    State of Disbelief
    Posts
    22,953
    If it needs to write files to the directory, 755 will fail. Maybe you meant 766 (rwx-rw-rw)?
    Having problems, or maybe questions about WHT? Head over to the help desk!

  8. #8
    First try 700, then 750, then 755, then 775, then 777.
    You should never really need 777, whether the apache child process is running as the user or apache user. In fact, 700 might do the trick if you use suphp (although I don't, so don't take my word for it).
    If you run apache without suphp (and no phpsuexec), then you should be ok with 775.

    Please note that this will not secure your server. Additional steps must be taken to harden your server.
    Pierre Grandmaison
    Offering 24/7 Toll Free Telephone Support
    Zenutech Web Hosting
    http://www.zenutech.com

  9. #9
    755 will work if PHPSuExec is enabled. We thought about enabling it, but, I'm afraid of scripts it might break.

  10. #10
    Join Date
    Jun 2004
    Location
    Delft
    Posts
    99
    Thanks for the answers. What I read on another forum is that 777 is "as safe as the script running on the server". So if the scripts are not well coded, they could use the vulnerabilities. But since I've been using mambo I must say it seems rather safe to me. Most directories that you have to give 777 permissions are directories where site visitors upload images. So if someone gets into that directory I don't see the problem. (There are no files, configurations, etc., only images.)

    Also I don't believe that everyone using Mambo is asking his/her host to make changes in the apache group. So it should work without making these changes.
    http://www.MKEweb.com
    The Netherlands

  11. #11
    Join Date
    May 2005
    Location
    Bohemia, NY
    Posts
    61
    Originally posted by ZapX Technologies
    755 will work if PHPSuExec is enabled. We thought about enabling it, but, I'm afraid of scripts it might break.
    It's better to work these problems out now rather than when you have more customers to conceivably break. The longer you wait to resolve a technical issue as a growing service provider, the more difficult you're going to make it on yourself. My company has been down this road plenty of times. Just grit your teeth and do what needs to be done.

    Regarding this particular issue, think of it this way: is it more trouble sending out a notice to your customer that some security settings have been changed on the server and that they should notify you if anything goes wrong, or to have some fourteen-year-old kid with a stolen credit card upload a 1k script that overwrites every world-writable file on your servers because you trusted in the fact that nobody would do anything malicious while your server is wide open? There is absolutely no good reason not to be using suexec for all scripts running on your shared servers.

  12. #12
    Join Date
    Oct 2003
    Location
    Chattanooga
    Posts
    8,985
    Tomer,

    That was very well written, I enjoyed their writing style.
    David
    Web hosting by Fused For businesses with more important things to do than worry about their hosting.

  13. #13
    Join Date
    Apr 2005
    Location
    Sweden
    Posts
    241
    Adding the apache user (be it "apache", "httpd", "www" or whatever) to their group would work, but isn't really recommended. It's a little messy, and with many standard kernels and utils a user can only be a member of 32 groups (at least in 2.4 this was the case, don't know now), so if you do this you'll run into trouble a little down the road anyways.

    Look at suphp or similar, that's a good way to get a more secure php environment (I know suphp has its own security implications of course, but let's not go there in this thread). If this is done right it won't break many scripts at all. The most common problem is that some scripts are world or group writable which suphp doesn't allow. Finding these and fixing them in advance isn't too hard.

  14. #14
    Join Date
    Apr 2000
    Location
    California
    Posts
    3,051
    To be clear, the "server" and "all web sites" would not be vulnerable. Any files or directories that would allow world to access them to modify or delete them would be at risk, but that's about it. Anyway, as others have stated, suexec for scripts (PHP as CGI) is the more secure solution, by either implementing your own hack to the code (be sure you know what you're doing if you try this), or using some alternative such as suphp. There are other advantages to this besides security that I won't bother getting into, but there are also some (few) disadvantages, which are pretty trivial, depending on how it's implemented.
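
The check that posts #13 and #14 point to, as an added example that is not part of the thread: a shell function that lists every world-writable path under a web root, plus PHP scripts that are group-writable, which are the two conditions post #13 says suphp refuses. The function names and the sample tree with its file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a web root for the permissions this thread warns about.
# Output, one finding per line:
#   WORLD <path>  file or directory writable by every local user (777, 766, 666)
#   GROUP <path>  PHP script that is group-writable but not world-writable

audit_docroot() {
    root=$1
    # -perm -0002 matches when the "other" write bit is set. Symlinks are
    # skipped: their own mode is always 777 and says nothing about the target.
    find "$root" ! -type l -perm -0002 -print | sed 's/^/WORLD /'
    # Group-writable scripts not already reported above.
    find "$root" -type f -name '*.php' -perm -0020 ! -perm -0002 -print |
        sed 's/^/GROUP /'
}

# Constructed sample tree (names are illustrative, not taken from the thread).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/images/stories" "$t/administrator"
    : > "$t/index.php"
    : > "$t/configuration.php"
    : > "$t/administrator/index2.php"
    chmod 755 "$t" "$t/images" "$t/administrator"
    chmod 644 "$t/index.php"
    chmod 777 "$t/images/stories"             # upload directory opened to everyone
    chmod 666 "$t/configuration.php"          # config any local user can rewrite
    chmod 664 "$t/administrator/index2.php"   # group-writable script
    printf '%s\n' "$t"
}

tree=$(make_sample_tree) && { audit_docroot "$tree"; rm -rf "$tree"; }
```

Run against a real document root as `audit_docroot /path/to/docroot`; on a shared server every WORLD line is a path that any other account's scripts can modify or delete.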
