folder (not root) permissions set to 777 - security risk

wmcelwee

I am working on a site where I need registered users to be able to upload images. I had some permissions problems on the server that is hosting the site and my only option without recoding the whole image upload system is to set the folder to 777. the folder actually exists at public_html/images/777_folder. What security risks does this pose if any? There are only images in this folder (if that matters) and the only files that exist there are user uploaded ones. Any help is appreciated.

EDIT:

The users can log in, go to thier pic manager and upload files

Here is a sample of some of the code...

$uploaddir = "images/777_folder/";

$uploaddir = $uploaddir . "$subdir/";

//If the directory doesn't exist, then make it and a thumbnail folder called 'th'
$checkdir = Is_dir($uploaddir);
if (!$checkdir)
mkdir($uploaddir, 0755);

$thumbdir = $uploaddir . "th/";
$checkdir = Is_dir($thumbdir);
if (!$checkdir)
mkdir($thumbdir, 0755);

The problem (I think the code is good... it works on my local machine, not the webserver) seems to be with the first mkdir(). The odd thing to me is that if the first mkdir() (directly under the 777_folder) works, then the thumbnail folder is created fine in a 755 folder. So, the first mkdir() needs to be in a 777 folder, but the second mkdir() works fine in a 755 folder... meh... sorry for the confusing description.

TheDefender

Well, the directory is only as secure as you make it...
You can use .htaccess to restrict browsing the folder contents, or drop an index.htm file into each directory when you make it, so someone can't browse to the folder to see it's contents.

I personally try to avoid a 777 if possible.

Check out this forum post...
http://www.simplemachines.org/community/index.php?topic=2987

This may shed some light on things for you...

wmcelwee

I have tried to browse to it directly and it is restricted, but there are people out there who know a lot more about accessing files on webservers than I do, so I wasn't sure if there might be a different way to get in other than a web brower.

I will check out the link, thanks 🙂

EDIT: nice sig

TheDefender

If they want to get in, they'll get in anyhow. I guess, since I'm not doing any kind of high level, national security stuff, I don't concern myself outside of the basics. I mean we leave our house with the doors locked believing our stuff is safe, but if a robber wants in, they'll get in; right? You can only do so much to protect yourself... No sense in worrying if you take the appropriate measures.

EDIT: nice sig

Thanks...

wmcelwee

yeah, thats true, I think it is as secure as it needs to be.

Thanks for your help 🙂

ElectricRain

If it worries you, why dont you cmod it to 777 when you need to write to it, and then back to a more secure permission when youve finished?

cricher

well, if people are uploading files im presuming that you are gonna allow them to see them by putting them on a page somewhere so basically if some one is seeing them they can just press save_as anyway. if you were storing anything more potentially dangerous then avoid 777 at all costs, but i use it for my upload script and just have every other folder only viewable

bokehman

If the server is properly set up using SuExec 0777 permissions are unnecessary. On the other hand if the server is set up so the owner of the uploaded files is "nobody" or similar whoever set up the server couldn't care less about security. This means any other user of the server has access to your SQL passwords etc and can write to any 0777 directory within your webspace.