Is a password-protected folder with 777 file permissions secure?

As compared to 755 file permissions

         

dougmcc1

12:17 am on Jan 31, 2004 (gmt 0)

10+ Year Member



The website I'm creating has an administration where all the scripts and includes files and folders are stored. It's password protected and I'm the only one who accesses it.

Do I need to set the file permission to 755 on my admin folder and the folders within it or can they be 777 since it's password protected anyway?

I'm having trouble getting stuff to communicate in the admin. For example, when I run a certain script it creates a page from a template and tries to store it in a folder but it says permission denied on that folder unless I have the permission set to 777 on it.

So I'd rather just 777 everything in my admin and keep it password protected. Is that still secure?

Thanks.

bakedjake

12:37 am on Jan 31, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Is a password-protected folder with 777 file permissions secure?

Nope. This means anyone in the world can write to that file. It's not secure one bit.

Not only can anyone in the world write to it, but anyone in the world can execute it too.

Password protecting it *may* secure it temporarily, but there's no promise of that. I would recommend taking a step back and fixing the problem within your admin.

dougmcc1

3:25 am on Jan 31, 2004 (gmt 0)

10+ Year Member



Wouldn't they need the username and password first to write and execute it?

Also, what if I moved my admin out of the public realm like so:
Current path: /home/username/public_html/admin
new path: /home/username/admin

Either way, I'll spend some time trying to fix the problem the correct way as you suggested. Still interested in answers to the above questions though. Thanks.

dougmcc1

6:00 pm on Feb 3, 2004 (gmt 0)

10+ Year Member



bump

Buddha443556

1:45 pm on Mar 6, 2004 (gmt 0)

10+ Year Member



We are talking about two different things here. The password protection is provided by the server (Apache or whatever) and the file permissions are checked by the OS (Linux or Windows). Yes, people will be prompted for a password when they try to surf into that folder on HTTP. However, if they come in any other way, such as SSH or FTP or etc, then they have full access.

Hope that helped.

karmov

5:07 pm on Mar 10, 2004 (gmt 0)

10+ Year Member



The end result here is that having permissions set 777 is an accident waiting to happen. I would urge you to seek out an answer that does not require 777 permissions. You might end up lucky and nothing bad will happen if you password protect it and leave it 777, but it's a pretty big risk. And as mentioned above, password protecting it will only protect the file from public webserver users. Trying to isolate the file from each service is time consuming and error-prone. I would suggest taking the time you spend doing that and spend it on trying to find a solution to the underlying problem.

bumpaw

3:14 am on Mar 11, 2004 (gmt 0)

10+ Year Member



Does anybody have some good links explaining some solutions to this 777 admin problem?

dougmcc1

2:56 am on Mar 12, 2004 (gmt 0)

10+ Year Member



bumpaw, here is some advice. Switch domain hosts.

My previous domain host wasn't able to help me out so I switched and after that my scripts worked with 755 permissions and I didn't do anything different. I switched so they could help with my problem but after I switched I didn't even have the problem anymore.

By the way, I went with Westhost, who hosts WebmasterWorld.

bumpaw

3:43 am on Mar 12, 2004 (gmt 0)

10+ Year Member



My problem at present is not a site wide admin, but one for a newsletter. The designer of the script has it where you have to give full write access to admin. He spells it out clearly in the documentation. The directory is password protected, and until this thread I thought that was good. The host support is really good, and I'll see what they have to say.

bumpaw

4:33 am on Mar 12, 2004 (gmt 0)

10+ Year Member



doug,
As a follow-up I am posting my support response for comments here:


777 permissions are needed so the script can write to these folders.
The webserver is running as user apache now.

Yes, it is not the most secure setup. However, we are in the process of upgrading the server software to suexec mode.

When running under suexec the script will be able to write to these folders regarding their permissions as it will run under your hosting user credentials.

If you'd like to disable access to these folders you can place a .htaccess file within them with the following line

deny from all

In this way they will not be accessible through the web.
Please note that your admin should be secure enough with the user/pass protection.
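
The distinction drawn in this thread (the HTTP password is checked by the web server, the mode bits by the OS for whichever local account a process runs as), as an added example that is not part of any post. The account names and uid/gid values are constructed, and the check models plain mode bits only (no root, no ACLs).

```python
import os
import stat

def can_write(mode, owner_uid, owner_gid, uid, gid):
    """Classic Unix mode-bit check: exactly one class applies, in this order.
    The HTTP username/password never enters this decision."""
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if gid == owner_gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

# Constructed shared-host accounts as (uid, gid); all values are assumptions.
ACCOUNTS = {
    "site_owner": (1001, 1001),    # hosting user who owns the admin folder
    "apache": (48, 48),            # identity of scripts when suexec is not in use
    "other_tenant": (1002, 1002),  # another customer on the same machine
}

def writers(mode, owner="site_owner"):
    """Names of the constructed accounts that may write to a folder with this mode."""
    o_uid, o_gid = ACCOUNTS[owner]
    return sorted(name for name, (uid, gid) in ACCOUNTS.items()
                  if can_write(mode, o_uid, o_gid, uid, gid))

def world_writable(root):
    """Walk a real tree and return every path whose 'other' write bit is set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(path)
    return hits

if __name__ == "__main__":
    # 755: a script running as apache gets "permission denied" on the folder.
    print("755:", writers(0o755))
    # 777: the script works, but so does every other local account.
    print("777:", writers(0o777))
    # Under suexec the script runs as site_owner, so 755 is already enough.
    print("suexec + 755:", can_write(0o755, 1001, 1001, *ACCOUNTS["site_owner"]))
    print("world-writable here:", world_writable("."))
```
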

dougmcc1

12:59 am on Mar 14, 2004 (gmt 0)

10+ Year Member



I just thought of something:

However, if they come in any other way, such as SSH or FTP or etc, then they have full access.

They would need a username and password for that too, right?

McKracken

12:29 am on Mar 19, 2004 (gmt 0)

10+ Year Member



It is very unsecure to leave directories with 777 permissions, since you will make room for cross-scripting attacks on your site and potentially allow access to other parts of your system.