777 Permissions

[Zach]

I've had a custom PHP script written for me for a client's website. It has a flash uploader in the administrator's area and the developer has told me I must set my upload folder to 777 for it to work. These are JPEG files that get uploaded that need to be accessible as they are viewable from another separate page.

 

I don't pretend to know a great deal about permissions but it's my understanding that 777 is very insecure...but insecure in what way, I'm not sure. I also seem to recall that 777 may not even be allowed on TCH.

 

Can anybody help fill me in? I'm on a dedicated box if that makes any difference.

[OJB]

TCH is running the suPHP handler which means you can't/don't need to assign 777 privileges to any scripts.

 

Have a read of this thread:

 

http://www.totalchoicehosting.com/forums/index.php?showtopic=40190&view=findpost&p=244033

 

 

In terms of 777 and what it means you split those numbers into 3 separate parts.

 

Starting at the left most digit you have "user" - the owner of the file/script/directory

The middle digit corresponds to "group" - other members of the group the file belongs to

The right most digit is "other" - anyone else

 

The numbers are built up as follows:

 

0 no permission

1 execute

2 write

3 write and execute

4 read

5 read and execute

6 read and write

7 read, write and execute

 

So essentially 777 means read, write and execute for user, group and other. Which is why it is deemed a security risk.

 

Have a read on wikipedia about filesystem permissions: (en.wikipedia.org/wiki/File_system_permissions) and CHMOD (en.wikipedia.org/wiki/Chmod) and it should help your understanding

[TCH-Bruce]

He is asking about folder permissions not script permissions but similar rules applies. I would start with permissions set to 755 and see what happens. The permissions can always be adjusted if necessary.

[Bob Crabb]

It will probably work with folder permissions set to 755. I have a few sites with either upload folders or a cache folder that I used to have to set to 777 in order for cached files to be written into the folder or for user uploaded files to be written. Since TCH upgraded to suPHP, they all work set to 755.

[SteveW]

755 will do what you want.

 

With suPHP, PHP runs with the same permissions as your userID (the folder's "owner"), so the first 7 in 7xx is the one that applies to it. That is, that first 7 is what allows the owner to write to the folder, and if the owner (you) can write to the folder, so can PHP. With the first digit 7, the other two can be the more secure 5's, giving 755.

 

Without suPHP, PHP has its own userID and it runs with those permissions. In that case, it's not the same as your userID; it's "other", whose permissions are determined by the last digit of the permissions number. For it to write to the folder, that last digit must be a 7. So in that case the 777 is needed. Unfortunately, in that case, granting the 777 to PHP has the side effect of granting the same permissions to all other accounts on the same server, which is why it's a security risk.

[Zach]

755 will do what you want.

 

With suPHP, PHP runs with the same permissions as your userID (the folder's "owner"), so the first 7 in 7xx is the one that applies to it. That is, that first 7 is what allows the owner to write to the folder, and if the owner (you) can write to the folder, so can PHP. With the first digit 7, the other two can be the more secure 5's, giving 755.

 

Without suPHP, PHP has its own userID and it runs with those permissions. In that case, it's not the same as your userID; it's "other", whose permissions are determined by the last digit of the permissions number. For it to write to the folder, that last digit must be a 7. So in that case the 777 is needed. Unfortunately, in that case, granting the 777 to PHP has the side effect of granting the same permissions to all other accounts on the same server, which is why it's a security risk.

 

 

How do I find out if I have suPHP installed? I'm on a dedicated box and I seem to recall support telling me it isn't on my machine. 755 doesn't work--I already tried it. However if the security risk is just about other accounts on the same machine, since it's my box and I know what accounts are on it that's not a huge concern.

[TCH-Bruce]

With 777 permissions anyone could potentially access it (write to it) so you will want to make sure it is as secure as possible. To be sure suPHP is installed on your server open a ticket with the help desk but I am pretty sure it already is.

[SteveW]

How do I find out if I have suPHP installed?

If you run the script with permissions at 755 and it doesn't work, but it does work when they're 777, I'd consider that sufficient indication that you need the 777.

 

I'm on a dedicated box

Sorry I missed that even though you stated it clearly.

 

I seem to recall support telling me it isn't on my machine.

Entirely possible. Dedicated can be configured differently from how they do the shared accounts.

 

if the security risk is just about other accounts on the same machine,

Yes, that's all it is. If you trust your other users, it's not that big a deal. The one thing it gives you less control over is that if one account gets hacked, the hackers can get access, using PHP, to folders in the other accounts.

 

 

There are 2 ways to install PHP. Each has pros and cons. With mod_PHP (which is non-suPHP), this 777 is just the necessary configuration when you want PHP to be able to write to a folder. It's not a misconfiguration; it's just how you have to do it in that case.