Hello all,

I did a considerable search of the forum and didn't find an answer so I'll ask it here. For clarity's sake I'll state that I know just enough about Unix to be Dangerous (I'm an old Clipper, VO, ASM programmer from the 80's.)

I would like to install PHP driven CMS program to my webserver (iPowerWeb hosted) called SnippetMaster (http://www.snippetmaster.com/) to allow my business partner the ability to modify webpages without messing up the core file templates (I use includes for dynamic content) but one of the requirements of SnippetMaster is that I must chmod 666 or 777 ALL of the files in ../public_html directory that I want my partner to be able to modify. It doesn't require that I chmod 777 the directory it self.

They (http://www.snippetmaster.com/) openly claim and challenge anyone to prove them wrong that chmod'ing files with 777 in the public html directory is safe as long as my server is secure, they claim that only a person who can "log on" to my server and who has access to my root directory can overwrite an existing .shtml or .html file (such as index.shtml) or overwrite an existing PHP script with a potentially hazardous one and execute it. I don't believe this, I have a very strong feeling that this is patently wrong but after Googling for the last 2 hours I have found answers that both support and discourage this practice so I thought I'd ask the experts.

1) Is chmod'ing "files" in ../public_html to 777 or 666 a safe practice?

2) Can files be over written by people surfing the web (exmp: and simply using composer to edit then save the file back to the server?)

Please explain how this works if it is in fact a safe practice...

Your help would be greatly appreciated.

Best regards,

Gary

In theory it's correct, in practice not really.

To make a comparison, It's like leaving the keys in your car bacuse it is in a locked garage.

Thanks for the reply, can you elabaorate just a bit?

Are you saying that unless a person (perhaps a hacker) has access to my shell account or FTP access to my server then he really can't harm the existing .html and .shtml files that I would chmod 666 or 777?

It seems to me that regardless of how I chmod the files in public_html, if a hacker gains access to my server he would be deduction have access to dirs deeper than /public_html right?

Ok, I just did an experiment, I chmod 777'ed an html file and tried to edit and publish it with Composer, if I don't enter a user name and password for the FTP upload it will not let me write the file. It also says the directory is password protected which I expected.

Is it possible for someone to hack this chmod'ed 777 file? I understand that it would not be wise to explain how in a public forum but I simply can't upload that application until I am certain my site will be safe.

Also, is it possible for anyone not on my server to tell what the write permissions are set to?

Thanks and regards,

Gary

You are thinking only of shell access. There may be other ways that a cracker might use. These do not necessarily involve using a shell account. Crackers use many different ways to deface sites/steal info/do whatever.

To put it in the context of reborg's quote, what you are doing is assuming that the garage is locked, so the car is safe. What happens if the garage is broken into?

And about giving your business partner permissions to change the files, can't you just set access control lists (setfacl/getfacl on Solaris)?

Thanks for the reply Blowtorch,

I am still not clear about the answer though... Lets say someone broke into my garage and the files were not chmod'ed 666 or 777, (all files are 644 right now) are you saying that all they can do is look around and read files? But if the files were 666 or 777 they could do whatever they want to?

Are you also saying that it's possible to gain access to public_html (for instance) but not the root directories?

Ok, regarding my partner, he is not computer savvy but he knows a little HTML, SnippetMaster allows users to "edit LIVE html in the page" from their browser, you can define "snippet" areas within a page that are editable, there are different user levels where you can set different rights/areas that they can edit (it's actually very cool!) The user doesn't need to know; how to use FTP, how to upload or how to do other backend tasks, they just log-in and edit parts of a live page in a WYSIWYG editor within their browser. I use a lot of SSI, PHP, JS and CGI code on our web site and it's possible he could really mess things up if he has upload access.

Lastly, let me ask a question, should I absolutely not chmod 666 or 777 my .shtml and .html files? I guess I could chmod only the base html files that I include via SSI but that means a LOT more work for me...

Happy Holidays!

Gary

The point we are making is this:

With chmod 777, you are giving all rights on all the files to ANY user.

Lets say a hacker managed to find an exploit which allows him to gain some kind of access to your server through a vulnerable service, which allows him to execute code as the user of the service.

If the last 6/7 is there it means he can change your files regardless of which user he gets access as. (The keys are in the car)

With the second 6/7 if means that anyone in the group can change the files. (You given someone the valet key to the car)

With only the first 6/7 you (the owner) only can make the changes. ( the key to the car is in your pocket)

So as you can see, someone malicious has more to do in each case, before they can change your files.

No matter what are the reasons, 777/666 is always a bad idea. There are other ways of allowing access to files (groups, ACLs) as said before.
That's right. No matter what method was used to get acces to your files, in fact user's privileges are irrelevant in this case. From my point of view this is the main reason against "777/666".
Regards.