Directories With 777 Permissions - GoFuckYourself.com

Cyber Fucker · 11-23-2010, 08:35 PM

It's widely said that keeping directory with 777 permissions on the sever is a very bad idea. But sometimes various scripts blogs, forums, CMSes require to have one directory with 777 permissions for the purpose of uploading image files (for example avatars at forums) and this bothers me. How to secure this directory, is it even possible? Are there any other solutions to make such directory a bit safer? I've read that some people recommend to put it above public html directory in the root directory and then point it to the remote directory. Would it make it safe? Do you have any ideas how to ensure it's safe?

tonyparra · 11-23-2010, 08:58 PM

nothin is safe

Agent 488 · 11-23-2010, 09:01 PM

don't worry your pretty little head about it.

garce · 11-23-2010, 09:02 PM

666 works fine on all the evil blogs I run.

alias · 11-23-2010, 09:09 PM

Rollin 21.

Agent 488 · 11-23-2010, 09:09 PM

666 the permissions of the beast.

Cyber Fucker · 11-23-2010, 10:05 PM

Holly crap, I've asked about it at the wrong hour. All normal people are sleeping now and I should too.

directfiesta · 11-23-2010, 10:09 PM

Quote:

Originally Posted by Cyber Fucker

Holly crap, I've asked about it at the wrong hour. All normal people are sleeping now and I should too.

It is an issue .

For the basic safety, you can rename that directory to something very weird ( doing pointing changes accordingly ) : this helps for the kids looking for specific directory on specific scripts ...

baddog · 11-23-2010, 10:24 PM

Quote:

Originally Posted by directfiesta

It is an issue .

For the basic safety, you can rename that directory to something very weird ( doing pointing changes accordingly ) : this helps for the kids looking for specific directory on specific scripts ...

That is one possibility. You can move it to above the public_html and that will make it safer. You would have to research on the script to find out how to do it properly.

http://www.hackosis.com/10-ways-to-s...press-install/ has some securing information.

http://codex.wordpress.org/Hardening_WordPress

borked · 11-24-2010, 12:21 AM

Just make the owner of that directory the apache user

grumpy · 11-24-2010, 12:55 AM

use .htacsess and only give your script access

Cyber Fucker · 11-24-2010, 12:37 PM

Ok. I presume that putting it outside public html and linking is the way. But how to do that. How to link a symbolic directory within public html to the real directory outside in the root. Should I use ssh and

Code:

ln -s source_file link_name

or what?

Quote:

Originally Posted by borked

Just make the owner of that directory the apache user

But will then the users still be able to upload their images to that folder without any authentication?

It's all about letting users to upload their image files to this directory but nothing else, only images. That's why I guess 777 is required but 777 is said to be unsafe... and this all confuses me.

Cyber Fucker · 11-24-2010, 12:56 PM

Ok. I think I got it, now I need to check it all in practice.

Zyber · 11-24-2010, 01:43 PM

you should have a PHP script between the user and the server.

Let the PHP script store the image in a safe directory which noone can access from the web.

Then let the user request your PHP script, and let the PHP script deliver the image.

Full control, although at the cost of performance.

borked · 11-24-2010, 01:45 PM

Quote:

Originally Posted by Cyber Fucker

It's all about letting users to upload their image files to this directory but nothing else, only images. That's why I guess 777 is required but 777 is said to be unsafe... and this all confuses me.

Ah, ok yeah - I see the problem. Then making the apache user owner of this is not going to make the hole go away. The theory behind this hole is someone could upload something that avoids your "image only" protection script and then can simply call their file (ie malicious script) directly from a web page that will run as the apache user.

As grumpy suggested, protect that 777 directory with a .htaccess file:

Order deny,allow
Deny from all

then noone can access anything uploaded to that directory, yet your scripts can still process them

Or move the entire directory (no links, cos that defeats the purpose) outside the doc root.

Cyber Fucker · 11-24-2010, 02:07 PM

Ok. thank you for taking time to post your answers!

I will combine a few methods to make possibly the most secured solution of this unsecured thing.
I think that most people don't do something like this and they don't care that they have directory with 777 permissions. But I'm always paranoid about the security but I guess it's good to be a bit paranoid after all.

Davy · 11-24-2010, 03:38 PM

Quote:

Originally Posted by Cyber Fucker

How to secure this directory, is it even possible?

It depends on how your apache server is set up. If it runs with the same owner/usergroup as your scripts, you do not need the 0777 permissions.

11-23-2010, 08:35 PM	#1
Cyber Fucker Hmm Industry Role: Join Date: Sep 2005 Location: On an endless road around the world for rock and roll. Posts: 12,642	Directories With 777 Permissions It's widely said that keeping directory with 777 permissions on the sever is a very bad idea. But sometimes various scripts blogs, forums, CMSes require to have one directory with 777 permissions for the purpose of uploading image files (for example avatars at forums) and this bothers me. How to secure this directory, is it even possible? Are there any other solutions to make such directory a bit safer? I've read that some people recommend to put it above public html directory in the root directory and then point it to the remote directory. Would it make it safe? Do you have any ideas how to ensure it's safe? __________________

11-23-2010, 08:58 PM	#2
tonyparra Confirmed User Industry Role: Join Date: Jul 2008 Location: In your back seat with duck tape Posts: 4,568	nothin is safe __________________ High Performance Vps $10 Linode Manage your Digital Ocean, Linode, or Favorite Cloud Server. Simple, fast, and secure Server Pilot

11-23-2010, 09:09 PM	#5
alias aliasx Join Date: Apr 2001 Posts: 19,010	Rollin 21. __________________ https://porncorporation.com

11-23-2010, 10:05 PM	#7
Cyber Fucker Hmm Industry Role: Join Date: Sep 2005 Location: On an endless road around the world for rock and roll. Posts: 12,642	Holly crap, I've asked about it at the wrong hour. All normal people are sleeping now and I should too. __________________

11-24-2010, 12:21 AM	#10
borked Totally Borked Industry Role: Join Date: Feb 2005 Posts: 6,284	Just make the owner of that directory the apache user __________________ For coding work - hit me up on andy // borkedcoder // com (consider figuring out the email as test #1) All models are wrong, but some are useful. George E.P. Box. p202

11-23-2010, 09:01 PM	#3
Agent 488 Registered User Industry Role: Join Date: Feb 2006 Posts: 22,511	don't worry your pretty little head about it.

11-23-2010, 09:02 PM	#4
garce Confirmed User Industry Role: Join Date: Oct 2001 Location: Toronto Posts: 7,103	666 works fine on all the evil blogs I run.

11-24-2010, 12:55 AM	#11
grumpy Too lazy to set a custom title Join Date: Jan 2002 Location: Holland Posts: 9,870	use .htacsess and only give your script access __________________ Don't let greediness blur your vision \| You gotta let some shit slide icq - 441-456-888

11-24-2010, 12:56 PM	#13
Cyber Fucker Hmm Industry Role: Join Date: Sep 2005 Location: On an endless road around the world for rock and roll. Posts: 12,642	Ok. I think I got it, now I need to check it all in practice. __________________

11-24-2010, 01:43 PM	#14
Zyber Confirmed User Industry Role: Join Date: Aug 2001 Posts: 832	you should have a PHP script between the user and the server. Let the PHP script store the image in a safe directory which noone can access from the web. Then let the user request your PHP script, and let the PHP script deliver the image. Full control, although at the cost of performance.

11-24-2010, 02:07 PM	#16
Cyber Fucker Hmm Industry Role: Join Date: Sep 2005 Location: On an endless road around the world for rock and roll. Posts: 12,642	Ok. thank you for taking time to post your answers! I will combine a few methods to make possibly the most secured solution of this unsecured thing. I think that most people don't do something like this and they don't care that they have directory with 777 permissions. But I'm always paranoid about the security but I guess it's good to be a bit paranoid after all. __________________ Last edited by Cyber Fucker; 11-24-2010 at 02:09 PM..