Security issue

thoand

What are realy the security pitfalls of change a directory/file to 777,

Primary I use a hosting service for small projects which involve file uploading and therefore I have to change the mode on the directory.

Anyone with toughts to share here.

best regards Thomas A

trooper

777 means

EVERYONE can run the script
EVERYONE can delete the files
EVERYONE can do ANYTHING with the file / dir

HTH

thoand

but I guess that is only from within the system, from a web browser people with bad intentions can't do anything harm, right?

I guess a lot of folks have their eg. image directories with 777 for doing fileuploading.

Does that mean if I know somebody on the same server as I am using, and I know they do file uploads a their 777 mode directory I can delete it with my acount?

maybe I should do chmod the directory with the FTP functions (777 before uploading and 755 afterwards)

Thomas A

superwormy

Originally posted by thoand

Does that mean if I know somebody on the same server as I am using, and I know they do file uploads a their 777 mode directory I can delete it with my acount?

Thomas A

Yes, you are more than likely correct.

magnafix

Unless of course your host runs PHP on their shared system in a chrooted/suexec'd environment, which has the benefits of:

your scripts run as your user, no need to EVER use 777 perms (security)
FTP path is same as shell path and PHP code path (simplicity)
there is no way for customer A to read, modify, or delete customer B's code. (security)
every customer has their own /etc/php.ini to play with (flexibility)

😃