Page 1 of 1
Directory permissions
Posted: Thu May 25, 2006 4:00 pm
by Luke
is it potentially dangerous to set directory permissions to 777? If so, are there exceptions?
Posted: Thu May 25, 2006 4:22 pm
by RobertGonzalez
Yes, it is potentially dangerous because you are giving the world read/write/execute priviledges on that folder and subsequent folders below it. A lot of times, apps will stipulate that a directory needs to be that way (like for file uploads and content editing that is file-based). There is an alternative, but it kind discriminates against shared hosting accounts. That is, when the server needs to be written to, assign the server as the owner of the folder so it can do what it needs to without the app needing permission.
I ran into this with AKA Panama Jack's Template Like compiling feature. It is actually nice to have write access to the server without having to let the world have that access as well. Of course, my server is a dedicated server and if you don't have root access, then I don't think you can change the ownership of a folder, just the permissions.
Re: Directory permissions
Posted: Thu May 25, 2006 5:24 pm
by timvw
The Ninja Space Goat wrote:is it potentially dangerous to set directory permissions to 777?
It's plain stupid (unless it's absolutely required, but untill now these situations have been very, very rare)
The Ninja Space Goat wrote:
If so, are there exceptions?
No.
Posted: Thu May 25, 2006 11:51 pm
by Luke
I have a php-based file management system that can create directories, but unless chmod is set to 777, you can't read the files from it. I am scrapping this program eventually, but for now, I'd like to keep it as secure as possible. What could I do differently than give full permissions to all? (I can't really post any code right now, but I will tomorrow when I am at work)
Posted: Fri May 26, 2006 1:08 am
by RobertGonzalez
Are you on a shared or dedicated server? What is your server software and OS?
Posted: Fri May 26, 2006 1:31 am
by AKA Panama Jack
The biggest problem with permissions isn't so much the attribute setting as it is the file and directory ownership.
Usually you will not have a problem with permissions on most shared hosting sites. This is because the ownership of files and directories created through an FTP upload or a file manager similar to CPanel will have the SAME ownership as Apache/PHP. In those cases you can usually get by with permissions set as low as 0700 (only the owner can read, write and execute).
The problem usually comes with dedicated servers where the FTP accounts have different owners and groups than the one used by Apache/PHP. So when you upload files through your FTP account the ownership of the files and directories do not match the owner or group executing Apache/PHP. Then you have to set the OTHER owner attributes for those files and directories to be accessed. That in conjunction with the owner and group attributes being set means anyone can access the files and directories.
If at all possible the FTP account should have at least the same group ownership as Apache/PHP. Then the highest attribute setting you would need is 0770 but that would mean that anything in that group could access those files and directories.
Like I said most commercial shared hosting already has everything setup so you don't have to worry about the permissions as much. But since there are so many home grown and dedicated servers that have ownership settings that aren't quite right many developers, especially of open source programs, just require 0777 for directory attributes. It's easier to do that than try to explain in the documentation how to find the ownership of the Apache/PHP process your site is using and then chown your directories to match.
Plus some dedicated and almost all shared hosting services have the ability to chmod and chown through PHP and/or FTP disabled for security reasons.
On some of my recent stuff I have just taken to using the
is_writable PHP function to check if I can write to a directory and then throwing an error detailing the problem and what needs to be done to fix it. I don't even check for permissions anymore because of the ambiguities of so many different server configurations out there.
Posted: Fri May 26, 2006 5:00 am
by timvw
The Ninja Space Goat wrote:unless chmod is set to 777, you can't read the files from it
I don't believe you. Only one of (user-group-others, the one that belongs to the the userid that is running the webserver) needs rights to read the file (and thus execute and write are not needed)..
Posted: Fri May 26, 2006 5:23 am
by Maugrim_The_Reaper
A directory should only require chmod 764 to read, files only need 744. As a rule of thumb you should try these where write permissions are not required by any user/process outside of the owner.
I find the largest problem with 777 recommendations is that they are the most permissive and assume the user can't handle permissions. I would suggest you figure out:
User Apache/PHP runs as
Whether FTP uploads files and sets Apache as owner
What permissions a file is given by Apache itself (when PHP writes one)
Whether permissive "Other" permission sets are needed (one would hope not - even if it means you need to use PHP itself to delete the files)
Something along those lines will let you profile how permissions work on your server/shared host account, letting you make more informed permission decisions. It's the worth the trouble if it will give an out from using 777.
On a sidenote, several open source PHP apps actually detect 777 permissions directly which is annoying. They report errors even when PHP can read/write under a lesser permission level.
Posted: Fri May 26, 2006 5:57 am
by jayshields
I've had problems with CHMOD before. I've often not bothered looking into the correct CHMOD to use and just slumped with 0777 - but this was only for personal use apps.
I've often had trouble with file upload/management apps where it won't upload to a directory because of permissions, and the only way I could find to solve it was to use a recursive function to CHMOD the directory and every file/dir in it to 0777, CHMOD'ing only the directory wouldn't work. One particular app I built I had to use this function everytime I uploaded a file to avoid permission errors.
Posted: Fri May 26, 2006 7:23 am
by timvw
My strategy for giving access rights is simply:
- deny everything (to myself, group and others)
- grant only what's absolutely required (not absolutely true, since i give myself the rights to read-write all my files.. And i'm sure there are some files generated by the webserver that i want to read or write)
It can take a little while to figure out which users/groups need access.
But there is no need to repeat it every time, just write a simple script that remembers all your decisions.. And then modify the script according to eventual changes... Probably not very useful, since every configuration is quite different, but it can serve as an example:
http://timvw.madoka.be/programming/bash/chmoder.txt.
Posted: Fri May 26, 2006 11:00 am
by Luke
I'm not sure I fully understand file permissions. I have set them to 755 and I can still read from the directories... I need to do some (real) reading.
Posted: Fri May 26, 2006 11:37 am
by RobertGonzalez
Here is a cool little article on file permissions. I think default permissions are 755...
Code: Select all
Owner Group User
----- ----- ----
rwx r-x r-x
So this means that the owner of the file has Read (r=4), Write (w=2) and eXecute (x=1) permissions on the file, the group that the file is owned by has Read and eXecute permission and so do all the users that are not part of the group (which I believe is where site visitors go). I think the risk that folks bring up is in the last number being 7. That means that general population folks have write access to the file/directory in addition to read and execute permissions.
I am still trying wrap my mind around this concept, but I from what I have researched, 755 or lower is a more secure way of going and 777 is not as secure as you can be.
Posted: Fri May 26, 2006 12:54 pm
by timvw
Everah wrote:I think default permissions are 755...
If you really want to know how the 'default permissions' are determined, you'll have to stfw/rtfm/... for 'umask'.
Posted: Sat Jun 03, 2006 4:10 pm
by JacekN
I have a php script that creates a log file outside of public_html directory. The file is there but the owner and group are set to a number - not my id. In my script, I do a chmod 777 on the log file and it does set those parameters but I cannot delete the file using an FTP client.
I tried chown in the same script that creates a file but it doesn't have permissions to run.
Is there a way to set the owner of at the time of file/directory creation?
Posted: Sun Jun 04, 2006 8:25 am
by timvw
JacekN wrote:I have a php script that creates a log file outside of public_html directory. The file is there but the owner and group are set to a number - not my id. In my script, I do a chmod 777 on the log file and it does set those parameters but I cannot delete the file using an FTP client.
The files are owned by the userid that executed the scripts (typically, your webserver user, usually nobody or www-data)
If i'm not mistaken you would need to give your useraccount 'write' rights to the directory that contains the 'files'...