GoFuckYourself.com - Adult Webmaster Forum


Cyber Fucker 11-23-2010 08:35 PM

Directories With 777 Permissions
 
It's widely said that keeping a directory with 777 permissions on the server is a very bad idea. But sometimes various scripts, blogs, forums, CMSes require one directory with 777 permissions for the purpose of uploading image files (for example avatars at forums) and this bothers me. How to secure this directory, is it even possible? Are there any other solutions to make such a directory a bit safer? I've read that some people recommend putting it above the public html directory in the root directory and then pointing to the remote directory. Would it make it safe? Do you have any ideas how to ensure it's safe? :helpme

tonyparra 11-23-2010 08:58 PM

nothin is safe

Agent 488 11-23-2010 09:01 PM

don't worry your pretty little head about it.

garce 11-23-2010 09:02 PM

666 works fine on all the evil blogs I run.


alias 11-23-2010 09:09 PM

Rollin 21.

Agent 488 11-23-2010 09:09 PM

666 the permissions of the beast.

Cyber Fucker 11-23-2010 10:05 PM

Holy crap, I've asked about it at the wrong hour. All normal people are sleeping now and I should too.

directfiesta 11-23-2010 10:09 PM

Quote:

Originally Posted by Cyber Fucker (Post 17723743)
Holy crap, I've asked about it at the wrong hour. All normal people are sleeping now and I should too.

It is an issue.

For basic safety, you can rename that directory to something very weird (changing whatever points to it accordingly): this helps against the kids looking for a specific directory on specific scripts...

baddog 11-23-2010 10:24 PM

Quote:

Originally Posted by directfiesta (Post 17723749)
It is an issue.

For basic safety, you can rename that directory to something very weird (changing whatever points to it accordingly): this helps against the kids looking for a specific directory on specific scripts...

That is one possibility. You can move it to above the public_html and that will make it safer. You would have to research on the script to find out how to do it properly.

http://www.hackosis.com/10-ways-to-s...press-install/ has some securing information.

http://codex.wordpress.org/Hardening_WordPress

borked 11-24-2010 12:21 AM

Just make the owner of that directory the apache user

grumpy 11-24-2010 12:55 AM

Use .htaccess and only give your script access.

Cyber Fucker 11-24-2010 12:37 PM

Ok. I presume that putting it outside public html and linking is the way. But how to do that. How to link a symbolic directory within public html to the real directory outside in the root. Should I use ssh and
Code:

ln -s source_file link_name
or what? :helpme

Quote:

Originally Posted by borked
Just make the owner of that directory the apache user

But will then the users still be able to upload their images to that folder without any authentication?

It's all about letting users upload their image files to this directory but nothing else, only images. That's why I guess 777 is required but 777 is said to be unsafe... and this all confuses me.

Cyber Fucker 11-24-2010 12:56 PM

Ok. I think I got it, now I need to check it all in practice.

Zyber 11-24-2010 01:43 PM

You should have a PHP script between the user and the server.

Let the PHP script store the image in a safe directory which no one can access from the web.

Then let the user request your PHP script, and let the PHP script deliver the image.

Full control, although at the cost of performance.

borked 11-24-2010 01:45 PM

Quote:

Originally Posted by Cyber Fucker (Post 17725356)
It's all about letting users upload their image files to this directory but nothing else, only images. That's why I guess 777 is required but 777 is said to be unsafe... and this all confuses me.

Ah, ok yeah - I see the problem. Then making the apache user owner of this is not going to make the hole go away. The theory behind this hole is that someone could upload something that avoids your "image only" protection script and then simply call their file (i.e. a malicious script) directly from a web page, where it will run as the apache user.

As grumpy suggested, protect that 777 directory with a .htaccess file:

Order deny,allow
Deny from all


Then no one can access anything uploaded to that directory, yet your scripts can still process them.

Or move the entire directory (no links, cos that defeats the purpose) outside the doc root.
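
The approach described in the two posts above (a PHP script between the user and a directory outside the doc root, so nothing uploaded can be requested and run directly), as an added example that is not code from any poster in this thread. The upload path, the 512 KB limit and the `avatar` / `img` parameter names are assumptions.

```php
<?php
// Added example. Path, size limit and parameter names are assumptions.
const UPLOAD_DIR = '/home/example/uploads'; // outside public_html, owned by the PHP user, mode 0750
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Store an upload only if its bytes are an accepted image; returns the stored name.
function store_avatar(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > 512 * 1024) {
        throw new RuntimeException('file too large');
    }
    // Type comes from the content, never from the client-supplied name or MIME type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext = ALLOWED[(string) $mime] ?? null;
    if ($ext === null || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an accepted image');
    }
    // Server-generated name and fixed extension: the uploader controls no part of the path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Deliver a stored image as data; readfile() never executes it, even if a crafted file passed the checks.
function serve_avatar(string $name): void
{
    $path = UPLOAD_DIR . '/' . $name;
    if (!preg_match('/\A[0-9a-f]{32}\.(jpg|png|gif)\z/', $name, $m) || !is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . array_search($m[1], ALLOWED, true));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['avatar'])) {
    try {
        echo store_avatar($_FILES['avatar']);
    } catch (RuntimeException $e) {
        http_response_code(400);
    }
} elseif (isset($_GET['img']) && is_string($_GET['img'])) {
    serve_avatar($_GET['img']);
}
```

Because the directory is owned by the user PHP runs as and sits outside the doc root, it needs neither 0777 nor a web-reachable path.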

Cyber Fucker 11-24-2010 02:07 PM

Ok. thank you for taking time to post your answers! :thumbsup
I will combine a few methods to make possibly the most secured solution of this unsecured thing.
I think that most people don't do something like this and they don't care that they have directory with 777 permissions. But I'm always paranoid about the security but I guess it's good to be a bit paranoid after all.

Davy 11-24-2010 03:38 PM

Quote:

Originally Posted by Cyber Fucker (Post 17723586)
How to secure this directory, is it even possible?

It depends on how your apache server is set up. If it runs with the same owner/usergroup as your scripts, you do not need the 0777 permissions.

