Maugrim_The_Reaper wrote: Directories do NOT require execute permissions. Read allows access to internal files, or a file listing. Execute permissions allow it to be set as a working directory, i.e. accessed via ssh or other. So 777 is not a good setting for a directory.

I'm not sure that is correct. Execute permission on a directory means that you can traverse it. Try setting a folder on an Apache web server to chmod 444 (r--r--r--) and then try to pull it up in a browser. You will get a forbidden error regardless of who the folder is owned by.
It's not the PHP application that requires the high permissions on a folder. A folder is accessible (by a script) just fine with 555 (r-xr-xr-x). If you have a script which needs to write to that folder, though, you have to make the directory writeable by the user the script is running under. If the script user was the owner of the folder, the script would work just fine (reading and writing to the folder, not running from the folder) with permissions as low as 644 (rw-r--r--), but with permissions that low, you again run into the problem that the directory is no longer traversable by Apache, and internet users will get a forbidden error. In order for users to be able to access the files in the folder, the folder must have execute (traverse) permissions, which brings you back up to 755 (rwxr-xr-x) at the very least. On top of all that, if Apache isn't running under the same user who owns the folder (which it hardly ever is), you're back up to 777 again just to get it working. That is why.
Maugrim_The_Reaper wrote: Not even files need 777 in most cases. If an application states that as a requirement there's a good chance it's dead wrong and it's encouraging you to practise bad security. Unfortunately it's common...

This is true. Unless a PHP script requires write access to itself, it should run just fine at 555 (r-xr-xr-x). An upload script would be fairly secure IF it chmod'ed all uploaded files to something like 444 (r--r--r--). You could even go as far as running a cron job to verify permissions.
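
The cron-style permission check mentioned in the post above, as an added example that is not part of the original thread. The function names and `EXPECTED_FILE_MODE` are assumptions for illustration; the upload directory is passed as the first argument.

```shell
#!/bin/sh
# Added example: cron-able permission check for an upload directory.
# Function names and EXPECTED_FILE_MODE are hypothetical, not from the thread.

EXPECTED_FILE_MODE=444   # r--r--r--, the mode suggested in the post

# Print regular files whose mode is not exactly EXPECTED_FILE_MODE.
# -type f skips symlinks, so a link planted in the tree is never touched.
drifted_files() {
    find "$1" -type f ! -perm "$EXPECTED_FILE_MODE" -print
}

# Print directories writable by every local user (the "777" case).
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print
}

# Report drift, reset file modes, and return 1 if anything was found so
# that cron mails the output or a wrapper can raise an alert.
audit_uploads() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "audit: $dir is not a directory" >&2
        return 2
    fi
    files=$(drifted_files "$dir")
    dirs=$(world_writable_dirs "$dir")
    if [ -z "$files" ] && [ -z "$dirs" ]; then
        return 0
    fi
    if [ -n "$files" ]; then
        printf 'file mode drift:\n%s\n' "$files"
    fi
    if [ -n "$dirs" ]; then
        printf 'world-writable directory:\n%s\n' "$dirs"
    fi
    # Reset files only; directory modes are reported for a human to decide.
    find "$dir" -type f ! -perm "$EXPECTED_FILE_MODE" \
        -exec chmod "$EXPECTED_FILE_MODE" {} +
    return 1
}

# Run the audit when called with a directory argument, e.g. from cron.
if [ "$#" -gt 0 ]; then
    audit_uploads "$1"
fi
```
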