Just wondering about permissions

Posted: Fri Nov 25, 2016 5:06 pm
by hotlynks
I have a directory I had to chmod to 777. Can other people upload files to this directory, and if so, how would they do it?

-- Mon Nov 28, 2016 7:51 pm --

Someone had told me they could do it through FTP, but you can't connect through FTP unless you have the user name and password to the FTP account. But if they had that, the chmod would be irrelevant, because they could write to all your directories if they had that info, so I'm adding the URL to a writable directory and giving everyone permission to try and upload their files to it.

Re: Just wondering about permissions

Posted: Tue Nov 29, 2016 2:05 am
by -Ninjex-
That someone was partially correct, but not entirely. The executable bit can play a huge factor, too, and depending on your design could cause a serious security issue. Let's assume you have a website with an upload form that is saving images in a /uploads directory with 777 permissions. If I were to upload an executable script to your server as "evil_img.jpg", the server would run the executable regardless of the image extension. In some cases with extension checks, it can be bypassed as well. When you give something 777, you're pretty much a sitting duck waiting for someone to come wreck your box. In almost all cases (99.99% of them), you will never need to use 777 permissions anyway.
This isn't only a risk specifically from the website, either. If there is another user on the box, let's say a guest account with the name "guest"; they will be able to 777 all over that shit, meaning they can change the content, remove it, or do whatever else they please with it. Imagine your profile image being changed to a picture of Miley Cyrus on a wrecking ball from someone on a guest account...
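Added example, not code from either poster: a small POSIX shell audit that finds the world-writable paths the two posts above talk about (the trailing 7 of 777, which any other account on the box can write to), drops the group/other write bits to 755 for directories and 644 for files, and runs that against a constructed throwaway web-root layout. It assumes GNU `stat -c '%a'`; BSD/macOS `stat` takes a different flag.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a tree for world-writable
# modes and tightens them. All paths are constructed demo paths under mktemp.

# Exit 0 when "other" has the write bit on $1 (e.g. 777, 666, 1777).
is_world_writable() {
    # stat -c '%a' is GNU coreutils; BSD/macOS stat would need -f '%Lp' (assumption).
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( (mode % 10) & 2 )) -ne 0 ]
}

# List every path under $1 that any local user could write to.
find_world_writable() {
    find "$1" -perm -o+w | sort
}

# Drop the group/other write bits: 755 on directories, 644 on regular files.
harden_tree() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Build a constructed web-root layout: a 777 uploads dir holding one 666 file,
# beside a 755 css dir. Prints the root path.
make_demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/uploads" "$root/css"
    chmod 777 "$root/uploads"
    chmod 755 "$root/css"
    : > "$root/uploads/evil_img.jpg"   # constructed sample upload
    chmod 666 "$root/uploads/evil_img.jpg"
    printf '%s\n' "$root"
}

# Count world-writable paths before and after hardening; prints "2 0".
demo() {
    root=$(make_demo_root)
    before=$(find_world_writable "$root" | wc -l | tr -d ' ')
    harden_tree "$root"
    after=$(find_world_writable "$root" | wc -l | tr -d ' ')
    rm -rf "$root"
    printf '%s %s\n' "$before" "$after"
}
```

Running `demo` on a real web root would be the same two calls without the constructed tree; the `find ... -perm -o+w` line alone is a quick way to check whether a box still has a 777 directory lying around.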


Re: Just wondering about permissions

Posted: Thu Dec 08, 2016 11:29 pm
by ghostheadx2
@Ninjex, that's some hell of an analogy you got there.

@hotlynks, 777 is the dumbest permission you can give anything. Make it 744 so that other users can only read and execute the files, but you can do whatever you want to it. That's the wiser choice.