adwatson

msg:3543207 | 4:10 pm on Jan 8, 2008 (gmt 0) |
I'm no security expert, but I know that 777 is generally bad news (full read/write for any user/group) - but 755 is usually ok, as it gives full rwx only to the owner (apache). In any case it's definitely better than 777.
|
The Contractor

msg:3543211 | 4:17 pm on Jan 8, 2008 (gmt 0) |
You normally have to assign 777 to any directory/folder that can be manipulated by a script (adding/deleting/renaming of subdirectories/subfolders where script-generated content is stored). I see no problem with this as it's quite common. It's the script files that need security...
|
phranque

msg:3543665 | 1:11 am on Jan 9, 2008 (gmt 0) |
Apache-owned and 755 permissions would be way better than 777. I would wonder why the server or MT needs write permission for the root directory. It would be better to understand and solve the problem securely than to settle for whatever works first.
|
vincevincevince

msg:3543681 | 1:53 am on Jan 9, 2008 (gmt 0) |
Your particular server setup will make a large difference to how much of a risk 777 is. A dedicated server with appropriate additional safety measures in place and a good chroot can make it acceptably safe for many people.
|
Birdman

msg:3543691 | 2:17 am on Jan 9, 2008 (gmt 0) |
It's bad! You stand a good possibility of being hacked. The good news is, if you can make Apache (nobody, 99) own the files or directories that get written to, then you can put the directories back to 755. So, I've basically repeated what phranque said :)
Marty
|
|
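An added example, not part of any post in this thread: a small shell audit for the approach phranque and Birdman describe. It finds directories still set world-writable, drops those already owned by the web-server user to 755, and reports the ones that need a chown first. The function names, the sample tree and the user argument are assumptions; pass whichever account your Apache runs as.

```shell
#!/bin/sh
# Added example: audit a web tree for world-writable directories.
# The web-server user is an assumption; the thread mentions "apache"
# and "nobody" (uid 99). A numeric uid also works with find -user.

# List directories under $1 that have the world-write bit (o+w) set.
list_world_writable() {
    find "$1" -type d -perm -0002 -print
}

# List world-writable directories under $1 NOT owned by user $2.
# These still need a chown (as root) before 777 can be dropped.
needs_chown() {
    find "$1" -type d -perm -0002 ! -user "$2" -print
}

# For world-writable directories under $1 already owned by user $2,
# drop to 755: the owner keeps rwx, so its scripts can still write.
tighten_owned() {
    find "$1" -type d -perm -0002 -user "$2" -exec chmod 755 {} +
}

# Constructed sample tree: one 777 upload directory, one 755 directory.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/uploads" "$t/static"
    chmod 777 "$t/uploads"
    chmod 755 "$t/static"
    printf '%s\n' "$t"
}

# Usage: sh audit.sh DOCROOT WEB_USER   (report only, changes nothing)
if [ "$#" -eq 2 ]; then
    echo "world-writable directories:"
    list_world_writable "$1"
    echo "owned by someone other than $2 (chown before tightening):"
    needs_chown "$1" "$2"
fi
```

Run the report first; call `tighten_owned` only after confirming the listed directories really are the ones the web server writes to.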