Directories With 777 Permissions

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • Cyber Fucker
    Hmm
    • Sep 2005
    • 12642

    #1

    Directories With 777 Permissions

    It's widely said that keeping directory with 777 permissions on the sever is a very bad idea. But sometimes various scripts blogs, forums, CMSes require to have one directory with 777 permissions for the purpose of uploading image files (for example avatars at forums) and this bothers me. How to secure this directory, is it even possible? Are there any other solutions to make such directory a bit safer? I've read that some people recommend to put it above public html directory in the root directory and then point it to the remote directory. Would it make it safe? Do you have any ideas how to ensure it's safe?
  • tonyparra
    Confirmed User
    • Jul 2008
    • 4568

    #2
    nothin is safe

    High Performance Vps $10 Linode
    Manage your Digital Ocean, Linode, or Favorite Cloud Server. Simple, fast, and secure Server Pilot

    Comment

    • Agent 488
      Registered User
      • Feb 2006
      • 22511

      #3
      don't worry your pretty little head about it.

      Comment

      • garce
        Confirmed User
        • Oct 2001
        • 7103

        #4
        666 works fine on all the evil blogs I run.

        Comment

        • alias
          aliasx
          • Apr 2001
          • 19010

          #5
          Rollin 21.
          https://porncorporation.com

          Comment

          • Agent 488
            Registered User
            • Feb 2006
            • 22511

            #6
            666 the permissions of the beast.

            Comment

            • Cyber Fucker
              Hmm
              • Sep 2005
              • 12642

              #7
              Holly crap, I've asked about it at the wrong hour. All normal people are sleeping now and I should too.

              Comment

              • directfiesta
                Too lazy to set a custom title
                • Oct 2002
                • 30137

                #8
                Originally posted by Cyber Fucker
                Holly crap, I've asked about it at the wrong hour. All normal people are sleeping now and I should too.
                It is an issue .

                For the basic safety, you can rename that directory to something very weird ( doing pointing changes accordingly ) : this helps for the kids looking for specific directory on specific scripts ...
                I know that Asspimple is stoopid ... As he says, it is a FACT !

                But I can't figure out how he can breathe or type , at the same time ....

                Comment

                • baddog
                  So Fucking Banned
                  • Apr 2001
                  • 107089

                  #9
                  Originally posted by directfiesta
                  It is an issue .

                  For the basic safety, you can rename that directory to something very weird ( doing pointing changes accordingly ) : this helps for the kids looking for specific directory on specific scripts ...
                  That is one possibility. You can move it to above the public_html and that will make it safer. You would have to research on the script to find out how to do it properly.

                  http://www.hackosis.com/10-ways-to-s...press-install/ has some securing information.

                  http://codex.wordpress.org/Hardening_WordPress

                  Comment

                  • borked
                    Totally Borked
                    • Feb 2005
                    • 6284

                    #10
                    Just make the owner of that directory the apache user

                    For coding work - hit me up on andy // borkedcoder // com
                    (consider figuring out the email as test #1)



                    All models are wrong, but some are useful. George E.P. Box. p202

                    Comment

                    • grumpy
                      Too lazy to set a custom title
                      • Jan 2002
                      • 9870

                      #11
                      use .htacsess and only give your script access
                      Don't let greediness blur your vision | You gotta let some shit slide
                      icq - 441-456-888

                      Comment

                      • Cyber Fucker
                        Hmm
                        • Sep 2005
                        • 12642

                        #12
                        Ok. I presume that putting it outside public html and linking is the way. But how to do that. How to link a symbolic directory within public html to the real directory outside in the root. Should I use ssh and
                        Code:
                        ln -s source_file link_name
                        or what?
                        Originally posted by borked
                        Just make the owner of that directory the apache user
                        But will then the users still be able to upload their images to that folder without any authentication?

                        It's all about letting users to upload their image files to this directory but nothing else, only images. That's why I guess 777 is required but 777 is said to be unsafe... and this all confuses me.

                        Comment

                        • Cyber Fucker
                          Hmm
                          • Sep 2005
                          • 12642

                          #13
                          Ok. I think I got it, now I need to check it all in practice.

                          Comment

                          • Zyber
                            Confirmed User
                            • Aug 2001
                            • 832

                            #14
                            you should have a PHP script between the user and the server.

                            Let the PHP script store the image in a safe directory which noone can access from the web.

                            Then let the user request your PHP script, and let the PHP script deliver the image.

                            Full control, although at the cost of performance.

                            Comment

                            • borked
                              Totally Borked
                              • Feb 2005
                              • 6284

                              #15
                              Originally posted by Cyber Fucker
                              It's all about letting users to upload their image files to this directory but nothing else, only images. That's why I guess 777 is required but 777 is said to be unsafe... and this all confuses me.
                              Ah, ok yeah - I see the problem. Then making the apache user owner of this is not going to make the hole go away. The theory behind this hole is someone could upload something that avoids your "image only" protection script and then can simply call their file (ie malicious script) directly from a web page that will run as the apache user.

                              As grumpy suggested, protect that 777 directory with a .htaccess file:

                              Order deny,allow
                              Deny from all


                              then noone can access anything uploaded to that directory, yet your scripts can still process them

                              Or move the entire directory (no links, cos that defeats the purpose) outside the doc root.

                              For coding work - hit me up on andy // borkedcoder // com
                              (consider figuring out the email as test #1)



                              All models are wrong, but some are useful. George E.P. Box. p202

                              Comment

                              • Cyber Fucker
                                Hmm
                                • Sep 2005
                                • 12642

                                #16
                                Ok. thank you for taking time to post your answers!
                                I will combine a few methods to make possibly the most secured solution of this unsecured thing.
                                I think that most people don't do something like this and they don't care that they have directory with 777 permissions. But I'm always paranoid about the security but I guess it's good to be a bit paranoid after all.
                                Last edited by Cyber Fucker; 11-24-2010, 12:09 PM.

                                Comment

                                • Davy
                                  Confirmed User
                                  • Apr 2006
                                  • 4323

                                  #17
                                  Originally posted by Cyber Fucker
                                  How to secure this directory, is it even possible?
                                  It depends on how your apache server is set up. If it runs with the same owner/usergroup as your scripts, you do not need the 0777 permissions.
                                  ---
                                  ICQ 14-76-98 <-- I don't use this at all

                                  Comment

                                  Working...