chmod 777 security risks?
# 1  
Old 11-22-2006
chmod 777 security risks?

Hello all,

I did a considerable search of the forum and didn't find an answer so I'll ask it here. For clarity's sake I'll state that I know just enough about Unix to be Dangerous (I'm an old Clipper, VO, ASM programmer from the 80's.)

I would like to install a PHP-driven CMS program on my webserver (iPowerWeb hosted) called SnippetMaster (http://www.snippetmaster.com/) to allow my business partner the ability to modify webpages without messing up the core file templates (I use includes for dynamic content), but one of the requirements of SnippetMaster is that I must chmod 666 or 777 ALL of the files in ../public_html directory that I want my partner to be able to modify. It doesn't require that I chmod 777 the directory itself.

They (http://www.snippetmaster.com/) openly claim and challenge anyone to prove them wrong that chmod'ing files with 777 in the public html directory is safe as long as my server is secure, they claim that only a person who can "log on" to my server and who has access to my root directory can overwrite an existing .shtml or .html file (such as index.shtml) or overwrite an existing PHP script with a potentially hazardous one and execute it. I don't believe this, I have a very strong feeling that this is patently wrong but after Googling for the last 2 hours I have found answers that both support and discourage this practice so I thought I'd ask the experts.

1) Is chmod'ing "files" in ../public_html to 777 or 666 a safe practice?

2) Can files be overwritten by people surfing the web (e.g. by simply using Composer to edit, then save the file back to the server)?

Please explain how this works if it is in fact a safe practice...

Your help would be greatly appreciated.

Best regards,

Gary
# 2  
Old 11-22-2006
In theory it's correct, in practice not really.

To make a comparison, it's like leaving the keys in your car because it is in a locked garage.
# 3  
Old 11-22-2006
Thanks - Can you tell me more?

Thanks for the reply, can you elaborate just a bit?

Are you saying that unless a person (perhaps a hacker) has access to my shell account or FTP access to my server then he really can't harm the existing .html and .shtml files that I would chmod 666 or 777?

It seems to me that regardless of how I chmod the files in public_html, if a hacker gains access to my server he would by deduction have access to dirs deeper than /public_html, right?

Ok, I just did an experiment, I chmod 777'ed an html file and tried to edit and publish it with Composer, if I don't enter a user name and password for the FTP upload it will not let me write the file. It also says the directory is password protected which I expected.

Is it possible for someone to hack this chmod'ed 777 file? I understand that it would not be wise to explain how in a public forum but I simply can't upload that application until I am certain my site will be safe.

Also, is it possible for anyone not on my server to tell what the write permissions are set to?

Thanks and regards,

Gary
# 4  
Old 11-22-2006
You are thinking only of shell access. There may be other ways that a cracker might use. These do not necessarily involve using a shell account. Crackers use many different ways to deface sites/steal info/do whatever.

Quote:
Originally Posted by reborg
It's like leaving the keys in your car because it is in a locked garage.
To put it in the context of reborg's quote, what you are doing is assuming that the garage is locked, so the car is safe. What happens if the garage is broken into?

And about giving your business partner permissions to change the files, can't you just set access control lists (setfacl/getfacl on Solaris)?
# 5  
Old 11-23-2006
Thanks Blowtorch

Thanks for the reply Blowtorch,

I am still not clear about the answer though... Lets say someone broke into my garage and the files were not chmod'ed 666 or 777, (all files are 644 right now) are you saying that all they can do is look around and read files? But if the files were 666 or 777 they could do whatever they want to?

Are you also saying that it's possible to gain access to public_html (for instance) but not the root directories?

Ok, regarding my partner, he is not computer savvy but he knows a little HTML. SnippetMaster allows users to "edit LIVE html in the page" from their browser; you can define "snippet" areas within a page that are editable, and there are different user levels where you can set different rights/areas that they can edit (it's actually very cool!). The user doesn't need to know how to use FTP, how to upload, or how to do other backend tasks; they just log in and edit parts of a live page in a WYSIWYG editor within their browser. I use a lot of SSI, PHP, JS and CGI code on our web site and it's possible he could really mess things up if he has upload access.

Lastly, let me ask a question, should I absolutely not chmod 666 or 777 my .shtml and .html files? I guess I could chmod only the base html files that I include via SSI but that means a LOT more work for me...

Happy Holidays!

Gary
# 6  
Old 11-23-2006
The point we are making is this:

With chmod 777, you are giving all rights on all the files to ANY user.

Lets say a hacker managed to find an exploit which allows him to gain some kind of access to your server through a vulnerable service, which allows him to execute code as the user of the service.

If the last 6/7 is there it means he can change your files regardless of which user he gets access as. (The keys are in the car)

With the second 6/7 it means that anyone in the group can change the files. (You have given someone the valet key to the car.)

With only the first 6/7, only you (the owner) can make the changes. (The key to the car is in your pocket.)

So as you can see, someone malicious has more to do in each case, before they can change your files.
# 7  
Old 11-23-2006
No matter what are the reasons, 777/666 is always a bad idea. There are other ways of allowing access to files (groups, ACLs) as said before.
Quote:
Lets say someone broke into my garage and the files were not chmod'ed 666 or 777, (all files are 644 right now) are you saying that all they can do is look around and read files? But if the files were 666 or 777 they could do whatever they want to?
That's right. No matter what method was used to get access to your files, in fact the user's privileges are irrelevant in this case. From my point of view this is the main reason against "777/666".
Regards.
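As an added example (not part of the original thread or of SnippetMaster), the following Python models the permission check that posts #6 and #7 describe: exactly one of the owner/group/other bit triples is consulted, depending on who is asking, and root bypasses all of them. The accounts are constructed for illustration: uid 1001 for the hosting user, uid 1002 for the business partner, a shared group gid 2000 (assumed name "webedit"), and uid 48 for the account the web server, and therefore any exploited PHP or CGI script, runs as. It also applies a mode to a real temporary file and asks the OS whether the current user may write it.

```python
"""Model of the Unix discretionary permission check behind "chmod 777".

Added example, not code from the forum thread. All uids, gids and account
names below are constructed for illustration.
"""
import os
import stat
import tempfile

# Symbolic names for the three write bits, so the check reads like the rule.
_OWNER_W = stat.S_IWUSR   # 0o200, first digit of the octal mode
_GROUP_W = stat.S_IWGRP   # 0o020, second digit
_OTHER_W = stat.S_IWOTH   # 0o002, third digit


def who_can_write(mode):
    """Return the classes of user whose write bit is set in `mode`."""
    classes = []
    if mode & _OWNER_W:
        classes.append("owner")
    if mode & _GROUP_W:
        classes.append("group")
    if mode & _OTHER_W:
        classes.append("other")
    return classes


def can_write(mode, file_uid, file_gid, uid, groups, euid_is_root=False):
    """Emulate the kernel's DAC check for a write request on one file.

    Only one bit triple is consulted: owner bits if the caller owns the
    file, else group bits if the file's group is among the caller's
    groups, else the "other" bits. Root (CAP_DAC_OVERRIDE) skips the bits.
    """
    if euid_is_root:
        return True
    if uid == file_uid:
        return bool(mode & _OWNER_W)
    if file_gid in groups:
        return bool(mode & _GROUP_W)
    return bool(mode & _OTHER_W)


# Constructed accounts (assumed values): the hosting user, the business
# partner, and the uid the web server (hence any exploited script) runs as.
GARY = {"uid": 1001, "groups": {1001, 2000}}
PARTNER = {"uid": 1002, "groups": {1002, 2000}}
WWW = {"uid": 48, "groups": {48}}
WEBEDIT_GID = 2000   # assumed shared editing group


def scenario(mode, file_gid=1001):
    """Who may overwrite a file owned by uid 1001 with the given mode?"""
    return {
        name: can_write(mode, 1001, file_gid, acct["uid"], acct["groups"])
        for name, acct in (("gary", GARY), ("partner", PARTNER), ("www", WWW))
    }


def running_as_root():
    """True when the process has euid 0 (os.access then ignores the bits)."""
    return getattr(os, "geteuid", lambda: -1)() == 0


def real_check(mode):
    """Apply `mode` to a scratch file and ask the OS if we may write it."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return os.access(path, os.W_OK)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for mode, gid in ((0o644, 1001), (0o666, 1001), (0o664, WEBEDIT_GID)):
        print("mode %o gid %d -> %s, writable by %s"
              % (mode, gid, scenario(mode, gid), who_can_write(mode)))
```

With 644 only the owner can overwrite index.shtml; with 666 the partner gets his edit access but so does the web server account, which is the "keys in the car" case from post #2. The 664 row with the file's group set to the shared editing group is the alternative posts #4 and #7 point at: the partner can write because he is in the group, the web server account still cannot.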