Just wondering about permissions


Post by hotlynks on Fri Nov 25, 2016 5:06 pm

I have a directory I had to chmod to 777. Can other people upload files to this directory, and if so, how would they do it?

-- Mon Nov 28, 2016 7:51 pm --

Someone had told me they could do it through FTP, but you can't connect through FTP unless you have the user name and password to the FTP account, but if they had that the chmod would be irrelevant because they could write to all your directories if they had that info, so I'm adding the URL to a writable directory and giving everyone permission to try and upload their files to it.

http://findmedia.dx.am/chmod_777/
I think youtube hates me


Re: Just wondering about permissions

Post by -Ninjex- on Tue Nov 29, 2016 2:05 am

That someone was partially correct, but not entirely. The executable bit can play a huge factor, too, and depending on your design could cause a serious security issue. Let's assume you have a website with an upload form that is saving images in a /uploads directory with 777 permissions. If I were to upload an executable script to your server as "evil_img.jpg", the server would run the executable regardless of the image extension. In some cases with extension checks, it can be bypassed as well. When you give something 777, you're pretty much a sitting duck waiting for someone to come wreck your box. In almost all cases (99.99% of them), you will never need to use 777 permissions anyway.
This isn't only a risk specifically from the website, either. If there is another user on the box, let's say a guest account with the name "guest", they will be able to 777 all over that shit, meaning they can change the content, remove it, or do whatever else they please with it. Imagine your profile image being changed to a picture of Miley Cyrus on a wrecking ball from someone on a guest account...

* IMAGE FOR REALIZATION OF THE PROBLEM *
For those that know
K: 0x2CD8D4F9


Re: Just wondering about permissions

Post by ghostheadx2 on Thu Dec 08, 2016 11:29 pm

@Ninjex, that's some hell of an analogy you got there.

@hotlynks, 777 is the dumbest permissions you can make anything. Make it 744 so that other users can only read and execute the files, but you can do whatever you want to it. That's the wiser choice.
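Added example, not part of any post in this thread: a POSIX shell audit for the local-account risk discussed above. It lists entries that every account on the box can write to, separately flags world-writable directories that lack the sticky bit, and removes only the "other write" bit. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: find what a 777-style mode exposes to other local accounts.

# Entries under $1 with the "other write" bit (octal 0002) set.
# Symlinks are skipped; their own mode bits are not used for access checks.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# World-writable directories without the sticky bit (octal 1000): any
# account can delete or rename files there, not only create them.
world_writable_no_sticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print
}

# Drop only the "other write" bit, leaving owner and group bits untouched.
# Assumes the account that must write (e.g. the web server's) is the owner
# or in the group; otherwise fix ownership first.
remove_other_write() {
    find "$1" ! -type l -perm -0002 -exec chmod o-w {} +
}

# Constructed sample tree (not from the thread's server); prints its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/uploads" "$t/dropbox" "$t/site"
    : > "$t/uploads/evil_img.jpg"
    : > "$t/site/index.html"
    chmod 777  "$t/uploads" "$t/uploads/evil_img.jpg"   # rwxrwxrwx
    chmod 1777 "$t/dropbox"                              # rwxrwxrwt, like /tmp
    chmod 755  "$t/site"                                 # rwxr-xr-x
    chmod 644  "$t/site/index.html"                      # rw-r--r--
    echo "$t"
}

demo() {
    tree=$(make_sample_tree) || return 1
    echo "world-writable:";             world_writable "$tree"
    echo "world-writable, no sticky:";  world_writable_no_sticky "$tree"
    remove_other_write "$tree"
    echo "left after chmod o-w: $(world_writable "$tree" | wc -l)"
    rm -rf "$tree"
}
demo
```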


