Results 1 to 6 of 6
  1. #1
    Join Date
    Jun 2004
    Posts
    41

    Q for webhosts: what about permissions 0777?

    My host just changed their policy regarding 0777 permissions - totally not allowed now. I understand the problem, but this kills the system in place on not just my own site but many client sites. I've been using them for 5 years or so - and until recently they really have been more than a bargain.

    I've asked that perhaps they consider recompiling PHP so that we don't need 0777 at all but I just get the same answer over and over...use FTP. Well, FTP is not sufficient.

    And so I'm curious how hosts deal with folder permissions of 0777? Are there other ways to use it safely? Are there other realistic options? Are the days of allowing users to upload files/images to the server via a script coming to an end (I sure hope not)? How am I supposed to implement a caching system as well? I'm fishing here.

    I think they've given up. I can tell they are losing customers as well so I think they no longer want to put resources into something that is probably losing money (they also have more than one hosting company).

  2. #2
    Join Date
    Jun 2003
    Location
    Janesville, Wi
    Posts
    1,516
    Try using the chmod of 0776 (-rwxrwxrw-). This allows Apache to read and write to the file, but prevents it from executing.

    0777 is a security risk. Anybody could execute any file that anybody else put on their website.

    The reason why the host can't have PHP run under the user/group of your data is because Apache needs to be setup to run using suexec. Obviously they can't or do not want to implement that.
    Jakiao

  3. #3
    Join Date
    Apr 2002
    Posts
    930
    If your hosting company has made this decision, then they should have measures in place. If they are going to do this, then they almost have to recompile PHP to run as CGI. Either using phpsuexec, suPHP, or a custom suexec wrapper.

    I can understand where they are coming from. Allowing 777 directories, or open directories as I call them, can be a huge security risk. You can take other measures to help prevent problems caused by having open directories, but all you are doing is trying to hide the fact that you have open directories. The best solution is always to handle an issue at the source, and the source of this is that PHP scripts are run by the web user and need to be open in order to allow for uploads. Running PHP as CGI corrects this issue.

    Some will argue that running PHP as CGI has a performance loss and is not necessary. That topic has been discussed in length in other threads. The issue here is that your webhost made a decision to change the way scripts work on the server without having a plan in place to limit the fallout of this decision.

  4. #4
    Join Date
    Jun 2003
    Location
    Janesville, Wi
    Posts
    1,516
    But scripts shouldn't need 0777 access. They only need write access, which is 0776. People have just traditionally gone to 0777 since it's a nice and clean number in the chmod world. It's not needed.
    Jakiao

  5. #5
    Join Date
    Jun 2004
    Posts
    41
    Try using the chmod of 0776 (-rwxrwxrw-). This allows Apache to read and write to the file, but prevents it from executing.
    They are wiping the permissions down every six hours - back to 0755. I can't expect somebody to login every time just to up the permissions.

    Sigh...yep. I've brought them around 60 customers over the years...and they aren't so big so it's a huge percentage of their current domains (I only found out tonight how many people are currently being hosted by them). I'm really irritated that they have no backup plan to allow for this.

    I'm already searching for a new host...but transferring a bunch these sites is not going to be fun. Thanks for the thoughts folks...

  6. #6
    Join Date
    Apr 2002
    Posts
    930
    I'm not sure if 776 permissions would work. The execute bit is needed to change into that directory.

    Regardless as to whether or not 776 permissions would work or not, its still allowing the same security risk. If a PHP script on your account can write to a directory legitimately, then that means that an exploitable script on another account can also write files into that directory.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •