Why shouldn't /var/www have chmod 777

1

777 is a bad permission in general and I'll show you why.

Despite how it may look in a Casino or Las Vegas, 777 doesn't mean jackpot for you. Rather, jackpot for anyone who wishes to modify your files. 777 (and its ugly cousin 666) allow Read and Write permissions (and in the case of 777, Execute) to other. You can learn more about how file permissions work, but in short there are three groups of permissions: owner, group, and other. By setting the permission to 6 or 7 (rw- or rwx) for other you give any user the ability to edit and manipulate those files and folders. Typically, as you can imagine, this is bad for security.

Here's my example:

marco@desktop:~/Projects/AskUbuntu/20105$ cd ..
marco@desktop:~/Projects/AskUbuntu$ chmod 0777 20105
marco@desktop:~/Projects/AskUbuntu$ cd 20105/
marco@desktop:~/Projects/AskUbuntu/20105$ ls -lah
total 8.0K
drwxrwxrwx 2 marco marco 4.0K 2011-01-04 20:32 .
drwxr-xr-x 3 marco marco 4.0K 2011-01-04 20:32 ..
...
0 0
2

If you are a Linux user, or a webmaster managing your own website (which is probably hosted on a Linux server), you will surely come across a situation when you try to upload a file or modify a document and receive the error “You do not have the permissions to upload file to the folder”. And after some googling, the solution is often as easy as setting the file permission to “775” or “777”. So what exactly does “777” mean? And why must it be ‘7’, and not ‘8’ or ‘9’?

Unix systems (including Linux and Mac OS X) come with a file control mechanism to determine who can access a particular file or folder and what actions they can do to it. There are two parts to the file control mechanism, namely Classes and Permissions. Classes determine who can access the file, while Permissions determine the kind of action the user can do to the file.

There are three Classes – Owner, Group, Others.

The Owner is usually the creator of the files/folders. In Linux, files or...
0 0
3

Alright, so say I tell you that to have attachments work properly, your attachment folder needs to be 777. The first thing people ask me is...

- Isn't this a security risk?
The short answer is: no, not really... it isn't. Keep reading for the long answer.

- So, what, you're saying EVERYTHING should be 777?!?
Not hardly. Just some things in the forum's directory. Not, of course, that you should do so with the entire directory - but it won't matter much if you do, so long as your server is configured reasonably correctly.

- But... wait a minute. The three numbers stand for "Owner," "Group," and "Everyone." Doesn't that mean anyone can write to the files if I make it 777? (writable by all!?)
Well, technically, yes. But, the person first has to get into your server and be able to touch the file in the first place. They also have to have access to the directory the file is in, and the directory that file is in. At some point, you should have a...

0 0
4

@saiful
It has been finished already.

You can re-download it, revision 618

Here are the changes:

public static $securityHtAccess = true;

It is set to true by default; .htaccess files will be created automatically under the cache folder. No one can send a request to download or run from outside, except local users from 127.0.0.1 - Make sure you enable AllowOverride All in the Apache Virtual Host for .htaccess (most hosts enable this by default)

Here is the .htaccess content that I have used:

order deny,allow
deny from all
allow from 127.0.0.1

Users who are running PHP as MOD PHP5 / Apache2Handler don't need to chmod 0777 anymore right now; the /tmp dir will be used by default. If you don't want to use the /tmp dir, simply change $path to somewhere else and chmod 0777 manually.

Here is the code I have used to check tmp dir

// revision 618
if(self::isPHPModule()) {
    $tmp_dir = ini_get('upload_tmp_dir') ? ini_get('upload_tmp_dir') : sys_get_temp_dir();
    ...
0 0
5

As has been stated in other answers, the three numbers determine access permission in this order:

- the owner (match UID)
- members of the files' GID (excluding the owner)
- any UID not covered by the previous two specifications.

So you can have a file that actually grants more access to people other than the group or owner of the file:

[dave@store01 tmp]$ touch this
[dave@store01 tmp]$ sudo chmod 007 this
[dave@store01 tmp]$ ls -l this
-------rwx 1 dave users 0 Jan 20 22:15 this
[dave@store01 tmp]$ cat this
cat: this: Permission denied

The exception to this is root. Any file that root has root control over can't be denied to root(*).

[root@store01 tmp]# touch that
[root@store01 tmp]# chmod 007 that
[root@store01 tmp]# ls -l that
-------rwx 1 root root 0 Jan 20 22:17 that
[root@store01 tmp]# cat that
[root@store01 tmp]#

In your specific case, chmod'ing the directory to 777 will mean that anyone who can access the directory will have full access to everything. It may...

0 0
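The class selection described in this answer, as an added shell example that is not part of the original post: exactly one of the three triplets is consulted, so a 007 file locks out its owner and group while admitting everyone else. The function name `effective_perms` and the uids/gids are constructed for illustration; only plain mode bits are modelled (no ACLs), and the root branch follows the regular-file rule.

```shell
#!/bin/sh
# effective_perms MODE FILE_UID FILE_GID CALLER_UID [CALLER_GID...]
# Prints the rwx triplet checked for the caller. Exactly one class applies:
# the first match among owner, group, other. Ids used below are constructed.
effective_perms() {
    mode=$1; file_uid=$2; file_gid=$3; caller_uid=$4
    shift 4                              # what remains: the caller's group ids
    bits=$((0$mode))                     # leading 0 makes the shell read octal

    if [ "$caller_uid" -eq 0 ]; then
        # root passes read/write checks; executing a regular file still
        # needs an x bit in at least one class
        triplet=6
        if [ $((bits & 0111)) -ne 0 ]; then triplet=7; fi
    elif [ "$caller_uid" -eq "$file_uid" ]; then
        # owner class is used even when it grants less than "other"
        triplet=$(( (bits >> 6) & 7 ))
    else
        triplet=$(( bits & 7 ))          # other, unless a group id matches
        for gid in "$@"; do
            if [ "$gid" -eq "$file_gid" ]; then
                triplet=$(( (bits >> 3) & 7 ))
                break
            fi
        done
    fi

    r=-; w=-; x=-
    if [ $((triplet & 4)) -ne 0 ]; then r=r; fi
    if [ $((triplet & 2)) -ne 0 ]; then w=w; fi
    if [ $((triplet & 1)) -ne 0 ]; then x=x; fi
    printf '%s%s%s\n' "$r" "$w" "$x"
}

# Constructed accounts: dave = uid 1000, gid 100 (users); www-data = uid 33, gid 33.
effective_perms 007 1000 100 1000 100    # dave on his own 007 file
effective_perms 007 1000 100 33 33       # www-data on the same file
effective_perms 007 0 0 0 0              # root on root's 007 file
```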
6

Just to state the obvious for anyone viewing this discussion.... if you give any of your folders 777 permissions, you are allowing ANYONE to read, write and execute any file in that directory.... what this means is you have given ANYONE (any hacker or malicious person in the entire world) permission to upload ANY file, virus or any other file, and THEN execute that file...

IF YOU ARE SETTING YOUR FOLDER PERMISSIONS TO 777 YOU HAVE OPENED YOUR SERVER TO ANYONE THAT CAN FIND THAT DIRECTORY. Clear enough??? :)

What bashy says above is absolutely correct, although not totally complete.

The NORMAL way to set permissions is to have your files owned by the webserver:

sudo chown -R www-data:www-data /path/to/your/root/directory

If you do that, the webserver owns all the files, and is also the group, and you will have some problems uploading files or working with files via FTP, because your FTP client will be logged in as you, not your webserver, so add your...

0 0
7

I just moved some screenshots from the admin's "my pictures" to the all users (shared) folder using the command line. However, they are still set to be only readable by the admin. I don't recall which files are which now (though I have a good guess).

What would be the Windows equivalent of the Linux command

CHMOD 777 *.*

aka

chmod a+rwx *.*

Yes, I could go through each file one at a time, but I got an error trying to select all files in the directory so I could assign this permission en masse. I want to assign full control to either "everyone", "users", or "authenticated users" (don't really care which, since they're mostly screenshots that I've uploaded to Flickr to post on public boards like this).

I could have sworn there was something like this, but it might have been only for Server 2008R2. I can't remember when I heard of it. The files are on a hardened laptop running Windows XP Professional SP3.

If it is only...

0 0
9

You need to do a recursive chmod, to affect all of the files and subdirectories contained within data/private and data/public:

chmod -R 777 /var/www/html/freechat/private
chmod -R 777 /var/www/html/freechat/public

Now, having said that, you should NOT be using mode 777. Especially if anyone other than you has a login account on that server. 777 means world read-, write-, and executable. Essentially, any user on your system can read, write, delete, or otherwise mess with those files.

At minimum, you ought to change that to mode 774, which means that only the user and group (which are both root at the moment) can write the files, but any user can read them.

Ideally, you would also make the files all owned by the same non-root user that runs the freechat software, and only give that user/group read/write permission.

At minimum, change your mode to 770, so that only the root user and root group have...

0 0
10

History explains why the octal modes exist, but I think functionality is the reason why the mnemonic form exists. And all the points about other tools using exclusively octal modes are perfectly valid and I think you have to learn and know them. Nevertheless I find that conservative admins don't see the true utility that comes from the mnemonic form.

The octal form, especially when used recursively, tends to force admins to do stupid things. Or rather added negligence results in it turning out stupid. Whenever you run across some folder with a lot of text files and the x bit set, you have proof.

Why would anyone set the x bit like that? Because it's difficult not to unless you use the mnemonic form for modes. Consider that you want to reset the permissions on /var/www and you don't run any old-style CGI, so the x bit should be removed. However, the x bit serves another purpose on directories. So you end up doing something (as root) like:

chmod -R 666 /var/www
find...
0 0
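A defensive follow-up to the recursive-chmod problem discussed above, as an added example that is not from any of the quoted posts: list what is world-writable under a web root, then reset directories and files separately so that only directories keep the x bit. Function names and the temporary tree are constructed; the 755/644 and 770/660 targets are assumptions to adapt to your own owner and group setup.

```shell
#!/bin/sh
# Added example (not from the posts above). Paths and names are constructed.

# Print every regular file or directory under ROOT that "other" may write to.
# Symlinks are skipped: their own mode bits are not used for access checks.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Undo a recursive 777: directories get 755 (x is needed to enter them),
# regular files get 644 (no x bit on static content). Capital X in a symbolic
# mode would not help here, because it keeps x on files that already have it.
reset_web_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Give one directory (e.g. an upload or cache folder) write access for owner
# and group only. Assumes the web server account owns it or is in its group.
restrict_writable_dir() {
    find "$1" -type d -exec chmod 770 {} +
    find "$1" -type f -exec chmod 660 {} +
}

# Build a constructed tree in the state "chmod -R 777" leaves behind.
make_demo_tree() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/uploads"
    printf '<?php echo "hi";\n' > "$demo_root/index.php"
    : > "$demo_root/uploads/photo.jpg"
    chmod -R 777 "$demo_root"
    printf '%s\n' "$demo_root"
}

root=$(make_demo_tree)
echo "world-writable before: $(list_world_writable "$root" | wc -l)"
reset_web_perms "$root"
restrict_writable_dir "$root/uploads"
echo "world-writable after:  $(list_world_writable "$root" | wc -l)"
rm -rf "$root"
```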
11

When developing a page on a localhost, I sometimes get a "Permission denied" error which I can solve by running chmod -R 777 /var/www. However, people are telling me that this is a bad idea for security reasons.

Why shouldn't /var/www have a chmod of 777?

0 0