Website folder permissions set to 777 whats the risk

[Kumagoro]

I have installed joomla for someone which went ok but I was unable to install any templates
components modules etc. In order for it to work I had to set some folder to 777 from 755.

This is a major pain in the arse if I have to then set them back to 755 again and again everytime
a module or whatever may need installing.

I know its poor security having them set to 777 but how exactly. How easy is it for someone to
access those folders and mess them up etc.

Any ideas why this needs to be done and doesnt work out of the box so to speak.

[Lucio]

Basically with the permissions set to 777, anyone can write to that folder, edit the folder contents or delete items in that folder.

In essence, it's an area of your webserver that anyone can do anything with.

[TiG]

If someone comes along and puts a virus or trojan up on your webserver and then rights some software to distribute a e-mail spam thing, they come to your web server pick up the virus and you are responsible for it, at least in part.

They are setup for read access only for a reason.

TiG

[directhex]

777 should be considered "writeable by anyone or anything"

so any user on the system can take over your website - security issue in your email server? there's a vector. kernel exploit? there's a vector. irc server? attack vector

any idea why so many compromised websites run linux? poor administration.

[cougarslam]

without an upload script on the web server how can someone write to the folder?

[peterb]

It depends where in your webserver root the directory lies. If it above the webserver root directory, the risk is smaller - if it is below the webserver root - then you are issuing a "Hi - come and hack my files - and by the way, please load some scripts and launch bot attacks from my system"

To clarify - assuming your web server root is /var/www/html

then anything below that needs to be suitably protected so /var/www/htm/my_super_web_site and any directories below that are vulnerable.

However anything above that is asf(er) so /vat/www/_my_games_templates is not accessible by the web server application.

If you are using Apache, there is a good section on security at the apache.org website.

[Kumagoro]

I already thought as much but was hoping somehow that it wasnt the case seeing as
I not to sure on web site stuff.

Anyone any idea why Joomla therefore doesnt work properly is it some setting on
the web hosts server. There is not much clear advice on the joomla forum and this
is just a massive flaw, but then will it be any better with other CMS's.

The host uses cpanel and fantastico maybe I will try and install mambo/joomla with
that and see if it works.


thanks for the replies.

[Kumagoro]

OK I just installed an older version of joomla via fantastico and the
folder I installed it in that folder is set to 0755.

However the folders inside such as cache, components, images, language, mambots,
media modules and templates are all 0777

The files in cache (no folders) are set to 0644
In Components all folders are 0755 and the file 0644
Inside images banners and stories are set to 0777 the others are 0755.
Then inside stories the folders are 0755 and files 0644.

Hopefully you can follow that lot.

So whats the score then? is it secure or not if I am why is it ok if not then what
the bejesus are they playing at.

[peterb]

If the top folder ihas a restricted set of permissions, Im fairly sure that restricts access to the lower folders.

I thought you wee elf hosting, but if you are using a hosting service, you may ant to discuss the security issues with them

[directhex]

If the top folder ihas a restricted set of permissions, Im fairly sure that restricts access to the lower folders.

I thought you wee elf hosting, but if you are using a hosting service, you may ant to discuss the security issues with them

therein lies the issue

if your webhost is shared with anyone else, chances are they can overwrite your site (e.g. with hax and phishing)

[Kumagoro]

The hosting is with some cheapo host.

so then does that mean it should be ok unless they have set it up all wrong.

[peterb]

That is something you need to discuss with them. Basically we don't know who the host is, what the set up (they may be giving you a virtual Machine - do you have root access and a shell account?) However if it is acheap and cheerful hostiong service, the answer is probably no (certainly to root access) - but only they can give you the answers and reassurances you need. Somke of the details may be in the T&Cs that you read and agreed to when you signed up to the service.

However they will be more anxious than you to ensure that your use of their service is not operated in a way to abuse the net - their reputation is at stake too - and they don't want their IP address(es) blacklisted. They will probably have measures in place to protect there systems from abuse by malconfiguration, but they won't really care if the malconfiguration puts your site at risk.

You have looiked at the Joomla website and read up any details on security configration - in addition to the apache website? (And if Joomla uses PHP - which it probably does - there are articles on security there as well.