Hello NG,
I'm a bit concerned about security on my provider's servers, and I therefore wondered whether "chmod 777" during the install is really needed. Seems not - I successfully reduced it to 775 at first.
This probably depends on the group your Apache is running - wouldn't it be nice if the documentation went something like this:
Now you have to set some permissions. Very open permissions can result in serious security holes - we therefore strongly suggest to check once with 777 if the system works and then gradually start from 750 until it works again.
(Text needs to be polished, of course).
Greetings,
Dirk
Security impacts of chmod 777
Re: Security impacts of chmod 777
Hi Dirk,
thx for your hints.
How long do you want to install CMSms? I've checked with my stop watch and I needed not even a minute to finish.
And the documentation suggests setting the permission for config.php back to 444 after finishing. I think the security risk is low.
Which files and directories have you checked with the suggested permissions?
Re: Security impacts of chmod 777
It's true, 777 is a "works for everybody" direction.
If php is run with suphp or suexec it's really not needed.
It's just a matter of making things simple; if you know what you are doing you can use different permissions.
Re: Security impacts of chmod 777
You CMS guys are *** deleted - see forum rules ***! 777 is wrong, 775 is better.
BEWARE ANYONE WHO FOLLOWS DOCUMENTATION AND SETS DIRECTORIES TO 777 RISKS BEING HACKED. IT CAN HAPPEN AS IT HAS ALREADY HAPPENED TO ME! HACKERS WILL UPLOAD FILES TO THOSE DIRECTORIES AND RUN PHISHING SITES FROM THEM. THIS COULD RESULT IN LEGAL ACTION AGAINST YOU FOR HAVING LAX SECURITY. WE HAVE NOW HAD THREE PHISHING ATTEMPTS ON OUR WEBSITE VIA THIS AND IT ONLY DAWNED ON ME NOW.
DO NOT EVER SET TO 777!!!!
Last edited by ljbadenz on Sat Nov 18, 2006 8:53 am, edited 1 time in total.
Re: Security impacts of chmod 777
Installation instructions are "works for everybody".
depending on server settings you can of course set these to whatever works for you.
and if you use a proper tone, please add your information in the wiki...
Re: Security impacts of chmod 777
tsw wrote: and if you use a proper tone, please add your information in the wiki...
Have done so, if any other references found to CHMOD 777, could you also add the info.
Re: Security impacts of chmod 777
Setting the files and dirs to 777 is not the same as putting your website directly open for everyone!
I can give all my files a 777 chmod and the chances an ordinary computer freak could hack my site are still very small!
Unless someone can give me a clear explanation of how my site could be in danger, I will not do anything about the 777.
Re: Security impacts of chmod 777
(Note: 777 has potential security risks and may allow hackers to upload files to these directories to run phishing sites etc. If security of your web site is important, set these folders to CHMOD 775 or tighter.)
The text added to the documentation by ljbadenz (above) isn't entirely accurate or applicable to most shared hosting environments. I wonder how many people who post questions involving file permissions issues in the forums have used 775 instead of 777?!?
This part (steps 4, and perhaps 5) needs to be rewritten for clarity and additional information. I've whipped up a draft here that anyone can butcher if they like before edits get posted to the Wiki. The one thing I need confirmed because I don't use Windows for anything I don't have to.. is the skipping to step 6 for Windows 100% accurate in all cases?
Step 4.
Note: If you are running on a Windows server, you can skip to Step 6, Database.
For CMS Made Simple to function properly, it needs to be able to write files to certain directories.
CHMOD is a tool on Linux (and other Unix-like) servers for setting file permissions. Most FTP clients allow you to "CHMOD" files (may be called 'file attributes'), so console or shell access is normally not required to change file permissions. Your hosting provider may also have a web-based file manager as part of its control panel (cPanel, H-Sphere, Plesk, etc) for this task.
Ask your hosting provider or server administrator what file permissions to use to ensure the web server process has write access to files and directories. If you are unsure, using 777 works for all cases, but may be a security risk as it allows full access to everyone who gains access to the server to those files or directories.
To ensure write access to directories in most Linux shared hosting environments, 777 are the permissions to use. You would use 666 to enable write access to an individual file. (The difference between a "6" and a "7" is the "execute" bit. A directory must be "executable" in order to be opened, but you don't normally want EVERY file to have this bit enabled, so you would use 666 for files instead.)
Once you've determined the correct permissions to use, CHMOD the following directories to enable write access for the web server process:
- tmp/templates_c
- tmp/cache
- uploads
- uploads/images
- modules
chmod 777 tmp/templates_c tmp/cache uploads uploads/images modules
Tip: You can try running the CMSMS installer without changing file permissions, to see if your own permissions will work (i.e. PHP scripts are run under your own user account instead of the web server's). If they don't work and the installer complains about unwritable files or directories, that is usually a good indicator that 777 (for directories) and 666 (for individual files) need to be used.
Step 5.
CMS Made Simple uses a configuration file to store certain settings that cannot be stored in the database. This file is not included in the distribution archive; it is created during the installation process if the web server can write to the CMSMS site root. Since this isn't normally the case on a Linux shared hosting environment, we'll just create the file and make it writable by the web server process, which covers both possibilities. This also ensures that YOU "own" the file and not the web server (which might have denied your own user account full access to the file).
Using a text editor (not a word processor), create an empty file called "config.php" (without the quotes) and upload it to your CMSMS site root.
If you are running on a Linux (or other Unix-like) server, "config.php" needs to be writable by the web server process. For most shared hosting environments, this means CHMOD it to 666. Refer to step 4 for additional information about file permissions.
If you have console or shell access to your web space, you can do this from the Linux command line (executed from your CMSMS site root):
touch config.php
chmod 666 config.php
To create an empty file in Microsoft Windows, open Notepad to a new, empty document and immediately choose File -> Save As. For a filename, use "config.php" (including the quotes, which ensures that the correct file extension ".php" is used instead of ".txt").
Last edited by kermit on Thu Mar 29, 2007 10:27 am, edited 1 time in total.
eternity (n); 1. infinite time, 2. a seemingly long or endless time, 3. the length of time it takes a frozen pizza to cook when you're starving.
4,930,000,000 (n); 1. a very large number, 2. the approximate world population in 1986 when Microsoft Corp issued its IPO. 3. Microsoft's net profit (USD) for the quarter (3 months) ending 31 March 2007.
CMSMS migration and setup services | Hosting with CMSMS installed and ready to go | PM me for Info
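A way to check an installed tree for the permissions debated in this thread, as an added example (not taken from any post or from the CMSMS documentation). The function names are made up here; the directory list is the one from the draft Step 4 and the 444 expectation for config.php is the one quoted earlier in the thread. It only reads mode bits and changes nothing.

```shell
#!/bin/sh
# Added example: audit a CMSMS site root for the permissions argued about above.
# Usage after sourcing this file: audit_cmsms /path/to/site/root

# Directories the draft install steps make writable, relative to the site root.
CMSMS_DIRS="tmp/templates_c tmp/cache uploads uploads/images modules"

# List everything under $1 whose "other" write bit is set (the last digit of
# 777 or 666). Symlinks are skipped: their own mode bits are not enforced.
world_writable() {
    find "$1" ! -type l -perm -0002 -print | sort
}

# Succeed if $1/config.php still has any write bit set. The thread says the
# documentation asks for 444 once the installer has finished.
config_still_writable() {
    [ -f "$1/config.php" ] || return 1
    [ -n "$(find "$1/config.php" \( -perm -0200 -o -perm -0020 -o -perm -0002 \) -print)" ]
}

# Print one line per finding; no output means nothing was found.
audit_cmsms() {
    root=$1
    for d in $CMSMS_DIRS; do
        [ -d "$root/$d" ] || continue
        # -prune stops find from descending, so only the directory itself is tested.
        if [ -n "$(find "$root/$d" -prune -perm -0002 -print)" ]; then
            echo "world-writable install dir: $d"
        fi
    done
    # PHP files that any local account on the host could overwrite.
    world_writable "$root" | while IFS= read -r f; do
        case $f in
            *.php) echo "world-writable PHP file: ${f#"$root"/}" ;;
        esac
    done
    if config_still_writable "$root"; then
        echo "config.php is still writable (expected 444 after install)"
    fi
}
```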