Jump to content

Chmod 777

click

By click
in Security Discussions

 Share

Recommended Posts

click Enthusiast

click

Posted
Posted

Anyone have any idea where the topic "777 And Some Files Created Yesterday" went? I had been anticipating a reply from TCH-Andy about this issue but that thread seems to have vanished.

 

Anyhow, on to my question... TCH-Andy seemed to say in that thread that php scripts could edit files as their owner without resorting to chmod 777. Is that correct? And if so, how would I do that? I searched the forums and found a couple threads that said that TCH doesn't use suexec due to compatibility problems. Right now, if I want users to be able to upload anything (forum avatars, photos, etc) I have to chmod 777 those directories which I would rather not do if I don't have to.

 

Thanks...

 

-Steven

Link to comment
Share on other sites
TCH-Andy Grand Master

TCH-Andy

Posted
Posted

Hi Steven,

 

I was away for a few days over the festive season - hence a shortage of replies....

 

If you set the user of the directory to "nobody" (assuming you are uploading via the script), you can then set the permissions to 755. This will allow the script running on the server to write, but provide you some protection against anybody being able to write.

Link to comment
Share on other sites
click Enthusiast

click

Posted
  • Author
Posted
I was away for a few days over the festive season - hence a shortage of replies....

That's no problem at all, I certainly wasn't complaining. I was just a bit perplexed when I came back to check the thread for replies and found that it seems to have been removed or something??? Oh well... Hope you had a wonderful Christmas.

 

If you set the user of the directory to "nobody" (assuming you are uploading via the script), you can then set the permissions to 755. This will allow the script running on the server to write, but provide you some protection against anybody being able to write.

Now, on to my next obvious question. :) How do I change the user? And will that affect me being able to work with it later, since I won't be the owner any more?

 

Thanks...

Link to comment
Share on other sites
TCH-Andy Grand Master

TCH-Andy

Posted
Posted
How do I change the user? And will that affect me being able to work with it later, since I won't be the owner any more?
If you created it with a script - the owner will be nobody anyway.

 

If you need to change it - open a ticket at the help desk (link at the top of the page) and ask us to do it for you. Yes, it will change your ability to do some things, but at least it will be secure, and you can always ask us to set it back if you need something changed later.

Link to comment
Share on other sites
click Enthusiast

click

Posted
  • Author
Posted

So, basically, I just create a temporary php script to create/manipulate any directories I need php scripts to have write access to?

 

Also, is avoiding chmod 777 simply for redundancy or are you saying that making files/directories 777 allows anyone on the server to write to them? Is there anything that stops users from accessing files outside their home directories? I ask because my scripts are chmod 755 and contain login info for mysql databases that I wouldn't want others to be able to read.

 

Thanks for all your help. The more secure the better...

Link to comment
Share on other sites
TCH-Andy Grand Master

TCH-Andy

Posted
Posted

If you need to manipulate any directories that are owned by "nobody", please just open a ticket at the help desk. Creating a php script to effectively perform shell commands would be against out AUP and ToS.

 

Yes, 777 allows anyone to write to them. 755 is restricting write access to the owner, but you have still given read access to group and world - (owner,group,world). We do have protection on the servers though preventing access between accounts.

 

In terms of 100% security - if you want to be 100% certain that no-one else can ever read it, then don't put it on a computer connected to the internet :thumbup1: If you want a realistic balance of security, then simply changing to 755 from 777 will be a good start. You do of course need to then ensure that your scripts which give people permission to upload files, do all the correct checks to ensure they do not use these to upload their own scripts onto the server...

Link to comment
Share on other sites
click Enthusiast

click

Posted
  • Author
Posted
If you need to manipulate any directories that are owned by "nobody", please just open a ticket at the help desk. Creating a php script to effectively perform shell commands would be against out AUP and ToS.

Doh! Now this conversation can be complete. If there's a way to get into trouble, somehow I manage to find it. :thumbup1:

 

Yes, 777 allows anyone to write to them. 755 is restricting write access to the owner, but you have still given read access to group and world - (owner,group,world). We do have protection on the servers though preventing access between accounts.

 

In terms of 100% security - if you want to be 100% certain that no-one else can ever read it, then don't put it on a computer connected to the internet :angry: If you want a realistic balance of security, then simply changing to 755 from 777 will be a good start.

That's what I figured. I just wanted to make sure I wasn't doing something that I shouldn't be. I didn't want to do something that compromised the server for everyone because I didn't bother to figure out how to do it correctly.

 

Again, thank you for taking the time... it's very much appreciated.

Link to comment
Share on other sites
TCH-Andy Grand Master

TCH-Andy

Posted
Posted

once chown'd to user:nobody, they would be owned by nobody rather than you.

 

Id just get us to change the owner of the small number of directories you need changed (after all, you only want people uploading to a very small number of directories if any :thumbup1: ). ie. If you have a directory for uploading avatars in a forum - I'd ask us to change that one to nobody, but I'd leave the rest as owned by you - and then no one else can write to them (including scripts).

 

Changing to 775 wouldn't help, as "you" and "nobody" are in different groups.

Link to comment
Share on other sites
click Enthusiast

click

Posted
  • Author
Posted

Dangit - I really thought I was on to something there. :) I read somewhere that cpanel sets public_html to USER:nobody 750 to give apache access but keep other users out and ran with it. I guess that's why you get to administer the servers and I... well... don't. :D

 

Anyhow, I think it's time to finally let this thread die. :blush:

 

Thanks so much for your patience.

 

Oh yeah, and... :naughty:

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...