Forum Moderators: coopster & jatar k & phranque

777, how insecure is it?

     
10:44 pm on Jan 6, 2008 (gmt 0)

Preferred Member

10+ Year Member

joined:Nov 21, 2004
posts:369
votes: 0


I just installed Movable Type and to make it work, I have to set a blog's site root directory to 777. I do not like 777 as it seems very insecure.

Shall I just keep it as it is (777) or switch to another CMS?

(By the way, if I change the owner of that directory to "apache", then the directory can be 755. Does it make any difference?)

Thanks,

4:10 pm on Jan 8, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:Sept 12, 2005
posts:70
votes: 0


I'm no security expert, but I know that 777 is generally bad news (full read/write for any user/group) - but 755 is usually ok, as it gives full rwx only to the owner (apache). In any case it's definitely better than 777.
4:17 pm on Jan 8, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 29, 2002
posts:1954
votes: 0


You normally have to assign 777 to any directory/folder that can be manipulated by a script (adding/deleting/renaming of subdirectories/subfolders where script generated content is stored). I see no problem with this as it's quite common. It's the script files that need security...
1:11 am on Jan 9, 2008 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:11031
votes: 95


apache-owned and 755 permissions would be way better than 777.
i would wonder why the server or MT needs write permission for the root directory.
it would be better to understand and solve the problem securely than to settle for whatever works first.
1:53 am on Jan 9, 2008 (gmt 0)

Senior Member from MY 

WebmasterWorld Senior Member vincevincevince is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 1, 2003
posts:4847
votes: 0


Your particular server setup will make a large difference to how much of a risk 777 is. A dedicated server with appropriate additional safety measures in place and a good chroot can make it acceptably safe for many people.
2:17 am on Jan 9, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 22, 2002
posts:2546
votes: 0


It's bad! You stand a good possibility of being hacked.

The good news is, if you can make Apache (nobody, 99) own the files or directories that get written to, then you can put the directories back to 755.

So, I've basically repeated what phranque said :)

Marty
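
The check discussed in this thread, as an added example that is not part of any poster's message: a shell function that lists directories under a site root that are world-writable (777-style) and those that are writable only through ownership by the web server account (the apache-owned 755 setup). The function name `audit_webroot` and its WEBUSER argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. WEBUSER is an assumption: the account
# (name or numeric uid) the web server runs as, e.g. "apache" or "nobody".

# audit_webroot ROOT WEBUSER
# Prints one line per matching directory under ROOT:
#   WORLD-WRITABLE <dir>  "other" write bit set (e.g. 777): any local
#                         account on the host can create or replace files
#   WEBUSER-ONLY <dir>    owned by WEBUSER with owner write and no
#                         "other" write bit (e.g. 755 owned by apache)
# Returns 1 if at least one world-writable directory was found, else 0.
audit_webroot() {
    root=$1
    webuser=$2
    found=0

    # -perm -0002 matches when the "other write" bit is set, whatever
    # the remaining bits are (777, 757, 1777, ...).
    ww=$(find "$root" -type d -perm -0002 2>/dev/null)
    if [ -n "$ww" ]; then
        found=1
        printf '%s\n' "$ww" | sed 's/^/WORLD-WRITABLE /'
    fi

    # Directories the web server can write to only because it owns them.
    find "$root" -type d -user "$webuser" -perm -0200 ! -perm -0002 \
        2>/dev/null | sed 's/^/WEBUSER-ONLY /'

    return "$found"
}

# Stand-alone use: sh audit.sh /path/to/site/root apache
if [ "$#" -eq 2 ]; then
    audit_webroot "$1" "$2"
fi
```

A non-zero exit status makes the function usable in a cron job or deployment check that should fail while any 777 directory remains.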

 
