Textpattern CMS support forum
You are not logged in. Register | Login | Help
- Topics: Active | Unanswered
Pages: 1
#1 2006-09-20 19:56:14
- GPH
- New Member
- Registered: 2006-09-20
- Posts: 5
Do I have to Chmod 777?
Hi,
I have a 3 sites which use TP 2 are hosted with Host-A and the other with Host-B, the site on Host-B the image dir got hacked, the hacker had placed a index file with in it.
Now Host-B has told me it was due to the dir being chmod 777, now this has made me nervous so I’ve chmod all the sites with Host-A to 755, just in case. Obviously I get the error in the Diagnostic saying that the dirs (image & files) need to be writable and I’m unable to upload.
It planned before the hack that the site on Host-B was to be moved to another Host (-C), this has now been done and all is set-up. I’ve chmod the dir 755 but the strange thing is, I get no error message and I’m able to upload images & files!!
Both servers seem to be running the same spec apart from Host-C has ‘PHP Server API: cgi-fcgi’ and the OS seems to be newer?
Do I have to chmod 777 to upload the files? No other users are uploading.
Your thought are appreciated.
Thanks
Offline
Re: Do I have to Chmod 777?
The minimum file-system permissions that are necessary depend on how PHP is specifically configured at your host (i.e., what proces is running as which user, and whether open_baedir is set, and several other things can come into play). 777 is like a blank cheque that always works – the only risk you might (depending on how your host secured accounts fom each other) be opening yourself up to is what other customers on the same server might be doing to you. 777 does not give “hackers” from outside ny privileges.
The safest thing to do, if you are concerned, is to tell your host that you want php-scripts to write files to a directory, and ask them what minimum permissions you should give to that directory – they will be the ones that know best for your specific case.
Offline
#3 2006-09-20 22:11:46
- GPH
- New Member
- Registered: 2006-09-20
- Posts: 5
Re: Do I have to Chmod 777?
Thanks Spencer, so are you saying that the hacker could have been on the same server and that 777 doesn’t allow an outsider privileges to that dir?
One thing I did notice in the TP logs was in the page column was actual sites, and no these were not referrals!
Thanks again for the info.
Offline
#4 2006-09-20 23:16:50
- NyteOwl
- Member
- From: Nova Scotia, Canada
- Registered: 2005-09-24
- Posts: 539
Re: Do I have to Chmod 777?
When PHP is run as an Apache module it runs under the user id of the web server, usually ‘nobody’. In such cases files and directories it creates belong to nobody. In order to permit uploads by somone else the image directory needs to be 777. This does open the directory to potential abuse from another user (or exploited application) on the same server. It does not pose any risk from an outsider unless they have compromised the server or a user account in some manner.
Running PHP as CGI or fastCGI does not have this issue as the PHP is executed with the user’s privileges hence only they need write capability in the directory (755).
Obsolescence is just a lack of imagination. / 36-bits Forever! / #include <disclaimer.h>;
Offline
#5 2006-09-21 08:43:25
- GPH
- New Member
- Registered: 2006-09-20
- Posts: 5
Re: Do I have to Chmod 777?
Many thanks NyteOwl.
Both of you have helped.
Offline
Pages: 1