what is bad if I leave 777

  #1  
Old 04-16-2007, 03:54 AM
Glostar Glostar is offline
WHT Addict
 
Join Date: Apr 2007
Posts: 160
Question

what is bad if I leave 777


The website script requires changing the permission from 777 to 644 after the whole job is done.
But as I need to make permanent changes to files, I want to just leave it at 777.

Can I leave 777? And please, if I do this, is 777 bad and how can it damage the website?

  #2  
Old 04-16-2007, 06:26 AM
amr922 amr922 is offline
Junior Guru Wannabe
 
Join Date: Dec 2004
Posts: 34
777 means owner, group, world can read, write, execute in this folder.
That means any PHP script or another script can write and execute in this folder.



Regards ,

__________________
Amr
http://www.Venatra.com
Venatra.com .:. Specializing in VPS Hosting

  #3  
Old 04-16-2007, 06:48 AM
bueno bueno is offline
Web Hosting Guru
 
Join Date: Dec 2002
Posts: 269
If you are not securing your server well, it's better to avoid 777.

  #4  
Old 04-16-2007, 07:16 AM
Glostar Glostar is offline
WHT Addict
 
Join Date: Apr 2007
Posts: 160
Quote:
Originally Posted by amr922 View Post
777 means owner, group, world can read, write, execute in this folder.
That means any PHP script or another script can write and execute in this folder.

Regards,

But can a website visitor change files or folder content without login? FTP or control panel?

  #5  
Old 04-16-2007, 07:19 AM
Glostar Glostar is offline
WHT Addict
 
Join Date: Apr 2007
Posts: 160
Quote:
Originally Posted by bueno View Post
not securing
Why is it not secure? What can visitors do that is bad?

  #6  
Old 04-16-2007, 07:35 AM
macooper macooper is offline
Junior Guru
 
Join Date: Mar 2004
Location: UK
Posts: 213
It depends on your situation. If you are on a shared host, it means anybody else on that server can upload to your webspace, including uploading scripts for sending spam, worms and other nasties.

It really means that your site is as secure as the least secure script on the server, so you are dependent on other people using the same server keeping all their scripts up to date.

Also, someone could overwrite your configuration settings, breaking whatever script it is the config for.

__________________
Martin

  #7  
Old 04-16-2007, 07:55 AM
amr922 amr922 is offline
Junior Guru Wannabe
 
Join Date: Dec 2004
Posts: 34
Quote:
Originally Posted by Glostar View Post
But can a website visitor change files or folder content without login? FTP or control panel?

I mean any PHP script can upload and execute in this folder.

(world = all users on your system)

Regards,

__________________
Amr
http://www.Venatra.com
Venatra.com .:. Specializing in VPS Hosting

  #8  
Old 04-16-2007, 08:06 AM
Glostar Glostar is offline
WHT Addict
 
Join Date: Apr 2007
Posts: 160
Quote:
Originally Posted by amr922 View Post
I mean any PHP script can upload and execute in this folder.

(world = all users on your system)

What does "world" mean? Website visitors from outside? Or all other users who have FTP accounts with me?

  #9  
Old 04-16-2007, 08:10 AM
bear bear is online now
Community Leader
 
Join Date: Oct 2002
Location: cognito
Posts: 17,276
Anyone. On the server, visiting from anywhere in the world...anyone.

__________________
Have problems (don't we all)? Head over to the help desk
If at first you don't succeed, that's one data point.


  #10  
Old 04-16-2007, 08:14 AM
Glostar Glostar is offline
WHT Addict
 
Join Date: Apr 2007
Posts: 160
Quote:
Originally Posted by bear View Post
Anyone. On the server, visiting from anywhere in the world...anyone.
"Visiting from anywhere in the world", really? They can change/delete files in a directory with the HTTP protocol? It is unbelievable?

  #11  
Old 04-16-2007, 08:20 AM
amr922 amr922 is offline
Junior Guru Wannabe
 
Join Date: Dec 2004
Posts: 34
Every page that users open starts an Apache process as the Apache user.
I mean any process can access, read, write and execute in this folder.
That means any PHP scripts on the server can access this folder.

Regarding FTP accounts, yes, they can access it, but chroot fixes that if it is enabled.

Sorry for my English.
Regards,

__________________
Amr
http://www.Venatra.com
Venatra.com .:. Specializing in VPS Hosting

  #12  
Old 04-16-2007, 10:17 AM
SPaReK SPaReK is offline
Web Hosting Master
 
Join Date: Apr 2002
Posts: 644
Quote:
Originally Posted by macooper View Post
It really means that your site is as secure as the least secure script on the server, so you are dependent on other people using the same server keeping all their scripts up to date.

This is probably the best way to describe this.

Directories that have permissions of 777 are generally fine, if every single account on your server keeps each of their individual scripts up-to-date and free of any exploits. In practice, this is not seen very often. You would also have to have some semblance of trust with all users on the server.

A directory that is set to 777 means that any user on the server would be able to write or create files in that directory. Outside users would not be able to, unless they are exploiting a script somewhere on the server (see above paragraph).

If you are running a server and you are only hosting 1 single account on that server, then issues with 777 directories become less of an issue. This is because if you fail to keep your scripts up-to-date, you only have one person to blame, the owner of that account. That script might become exploitable, but again, that is the problem that the account owner should have taken care of.

For example, if you are running mod_php (PHP as an Apache module) then PHP will run as the Apache user (commonly nobody). If there is just one account on the server, username bob, then if that account has a gallery script that requires 777 directories and has another script that is not being kept up-to-date, then when that script is exploited, an outside user would be able to exploit that script and write to those 777 directories pertaining to the gallery script.

If PHP is running as CGI, then PHP scripts would be executed as the bob user. Directories would not need to be 777, because directories would be owned by the bob user and directories that are owned by bob and have permissions of 755 would have sufficient permissions to handle PHP uploads. However, if the second script was exploited, then that PHP exploit would be running as the bob username as well, and it would be able to write to files anywhere on the bob account.

Probably if you are running a dedicated hosting account, a server with just one account and that is it, running mod_php is your best option. Mod_php will likely give you better performance and while you will have to have 777 directories, as long as you keep the scripts on the account up-to-date (like everyone should do) then it should not pose a problem, certainly no advantage in using PHP as CGI.

If you are on a shared hosting environment, where a server hosts many accounts, then the same cannot be said. In that case, PHP as CGI is probably best. Otherwise a PHP exploit on john's account on the server could be used to write files to bob's gallery 777 directories.

Reply With Quote
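The permission logic this thread turns on, as an added example that is not from any poster: it models which permission class (owner, group, other) applies when PHP runs as the shared Apache user versus the account owner, then audits a directory tree for world-writable entries. The uids for bob, john and nobody and the directory layout are constructed, and supplementary groups are ignored.

```python
import os
import stat
import tempfile

# Constructed accounts as (uid, gid): two customers and the shared Apache user.
BOB, JOHN, NOBODY = (1001, 1001), (1002, 1002), (99, 99)

def can_write(mode, owner, proc):
    """Model the kernel's choice of one class: owner, else group, else other."""
    (o_uid, o_gid), (p_uid, p_gid) = owner, proc
    if p_uid == 0:
        return True                       # root bypasses mode bits
    if p_uid == o_uid:
        return bool(mode & stat.S_IWUSR)
    if p_gid == o_gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def php_can_write(dir_mode, php_runs_as):
    """Write-bit check for PHP running as php_runs_as on a directory bob owns."""
    return can_write(dir_mode, BOB, php_runs_as)

def world_writable(root):
    """Return sorted relative paths under root that have the 'other' write bit."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def audit_demo():
    """Build a constructed webroot in a temp dir and audit it."""
    layout = [("gallery", 0o755), ("gallery/uploads", 0o777), ("includes", 0o755)]
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in layout:
            os.mkdir(os.path.join(root, rel))
            os.chmod(os.path.join(root, rel), mode)
        cfg = os.path.join(root, "includes", "config.php")
        open(cfg, "w").close()
        os.chmod(cfg, 0o644)
        return world_writable(root)

if __name__ == "__main__":
    for label, mode, who in [("mod_php 755", 0o755, NOBODY), ("mod_php 777", 0o777, NOBODY),
                             ("CGI bob 755", 0o755, BOB), ("CGI john 755", 0o755, JOHN)]:
        print(label, php_can_write(mode, who))
    print("world-writable:", audit_demo())
```

On a live server the same audit is `find /path/to/webroot -perm -0002 ! -type l`, with the path replaced by the account's document root.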
  #13  
Old 04-16-2007, 10:41 AM
brianoz brianoz is offline
Web Hosting Master
 
Join Date: Nov 2004
Location: Australia
Posts: 1,439
Mode 777 is asking for trouble - and that's something you don't need to do, there's no reason to leave it that way. Listen to what Sparek's well-written post said much better than I can.

  #14  
Old 04-16-2007, 08:52 PM
Timeprism Timeprism is offline
WHT Addict
 
Join Date: Sep 2006
Posts: 129
777 means anyone who has access to your server can read, write, execute, do bad stuff in that folder.

  #15  
Old 07-31-2007, 03:00 PM
vivianmark vivianmark is offline
Junior Guru Wannabe
 
Join Date: May 2007
Posts: 34
WordPress 777 wp-content

I am running WordPress, and there is a folder (wp-content) with 777.

Is there any danger with 777? Am I safe from hacking by other users, as I am on shared hosting?
