Thread: Website folder permissions set to 777, what's the risk

  1. #1
    Kumagoro

    I have installed Joomla for someone, which went OK, but I was unable to install any templates,
    components, modules etc. In order for it to work I had to set some folders to 777 from 755.

    This is a major pain in the arse if I have to then set them back to 755 again and again every time
    a module or whatever may need installing.

    I know it's poor security having them set to 777, but how exactly? How easy is it for someone to
    access those folders and mess them up etc.?

    Any ideas why this needs to be done and doesn't work out of the box, so to speak?

  2. #2
    Lucio

    Basically with the permissions set to 777, anyone can write to that folder, edit the folder contents or delete items in that folder.

    In essence, it's an area of your webserver that anyone can do anything with.

  3. #3
    TiG

    If someone comes along and puts a virus or trojan up on your webserver and then writes some software to distribute an e-mail spam thing, they come to your web server, pick up the virus, and you are responsible for it, at least in part.

    They are set up for read access only for a reason.

    TiG

  4. #4
    directhex

    777 should be considered "writeable by anyone or anything"

    so any user on the system can take over your website - security issue in your email server? there's a vector. kernel exploit? there's a vector. irc server? attack vector

    any idea why so many compromised websites run linux? poor administration.

  5. #5
    cougarslam

    without an upload script on the web server how can someone write to the folder?

  6. #6
    peterb

    It depends where in your webserver root the directory lies. If it is above the webserver root directory, the risk is smaller - if it is below the webserver root - then you are issuing a "Hi - come and hack my files - and by the way, please load some scripts and launch bot attacks from my system".

    To clarify - assuming your web server root is /var/www/html

    then anything below that needs to be suitably protected, so /var/www/html/my_super_web_site and any directories below that are vulnerable.

    However, anything above that is saf(er), so /var/www/_my_games_templates is not accessible by the web server application.

    If you are using Apache, there is a good section on security at the apache.org website.

  7. #7
    Kumagoro

    I already thought as much but was hoping somehow that it wasn't the case, seeing as
    I am not too sure on web site stuff.

    Anyone any idea why Joomla therefore doesn't work properly? Is it some setting on
    the web host's server? There is not much clear advice on the Joomla forum and this
    is just a massive flaw, but then will it be any better with other CMSs?

    The host uses cPanel and Fantastico; maybe I will try and install Mambo/Joomla with
    that and see if it works.


    thanks for the replies.
    Last edited by Kumagoro; 18-03-2008 at 10:10 PM.

  8. #8
    Kumagoro

    OK, I just installed an older version of Joomla via Fantastico, and the
    folder I installed it in is set to 0755.

    However, the folders inside such as cache, components, images, language, mambots,
    media, modules and templates are all 0777.

    The files in cache (no folders) are set to 0644.
    In components all folders are 0755 and the files 0644.
    Inside images, banners and stories are set to 0777; the others are 0755.
    Then inside stories the folders are 0755 and files 0644.

    Hopefully you can follow that lot.

    So what's the score then? Is it secure or not? If I am, why is it OK? If not, then what
    the bejesus are they playing at?
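
An added example, not written by any poster in the thread: a POSIX shell audit that rebuilds the layout reported in post #8 inside a temporary directory, lists what is world-writable, and lists the files that can still be replaced because their parent directory is 0777. The names com_example, smilies, food, page.html, example.php and index.php are made up for the sample tree.

```shell
#!/bin/sh
# Added example: audit a web root for the 0777 pattern described in post #8.

# Build a constructed tree with the modes reported in the post.
# com_example, smilies, food and the three file names are made up.
build_sample_tree() {
    root=$1
    mkdir -p "$root/cache" "$root/components/com_example" "$root/templates" \
        "$root/images/banners" "$root/images/smilies" "$root/images/stories/food"
    : > "$root/cache/page.html"
    : > "$root/components/com_example/example.php"
    : > "$root/templates/index.php"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod 777 "$root/cache" "$root/components" "$root/images" "$root/templates" \
        "$root/images/banners" "$root/images/stories"
}

# Directories and regular files whose "other" write bit is set.
audit_world_writable() {
    ( cd "$1" && find . \( -type d -o -type f \) -perm -0002 -print | LC_ALL=C sort )
}

# Regular files, whatever their own mode (0644 in the post), that sit directly
# in a world-writable directory without the sticky bit: any local account can
# delete and recreate them. The * glob skips dotfiles.
replaceable_files() {
    ( cd "$1" && find . -type d -perm -0002 ! -perm -1000 -print |
        while IFS= read -r dir; do
            for f in "$dir"/*; do
                if [ -f "$f" ] && [ ! -L "$f" ]; then printf '%s\n' "$f"; fi
            done
        done | LC_ALL=C sort )
}

# Demo on a throwaway directory.
demo_root=$(mktemp -d)
build_sample_tree "$demo_root/site"
echo "World-writable:";           audit_world_writable "$demo_root/site"
echo "Replaceable despite 0644:"; replaceable_files "$demo_root/site"
rm -rf "$demo_root"
```

Pointing the two audit functions at a real document root instead of the sample tree gives the list of paths to review with the host.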

  9. #9
    peterb

    If the top folder has a restricted set of permissions, I'm fairly sure that restricts access to the lower folders.

    I thought you were self hosting, but if you are using a hosting service, you may want to discuss the security issues with them.

  10. #10
    directhex

    Quote: Originally posted by peterb
        If the top folder has a restricted set of permissions, I'm fairly sure that restricts access to the lower folders.

        I thought you were self hosting, but if you are using a hosting service, you may want to discuss the security issues with them.

    therein lies the issue

    if your webhost is shared with anyone else, chances are they can overwrite your site (e.g. with hax and phishing)

  11. #11
    Kumagoro

    The hosting is with some cheapo host.

    So then, does that mean it should be OK unless they have set it up all wrong?

  12. #12
    peterb

    That is something you need to discuss with them. Basically we don't know who the host is or what the setup is (they may be giving you a virtual machine - do you have root access and a shell account?). However, if it is a cheap and cheerful hosting service, the answer is probably no (certainly to root access) - but only they can give you the answers and reassurances you need. Some of the details may be in the T&Cs that you read and agreed to when you signed up to the service.

    However, they will be more anxious than you to ensure that your use of their service is not operated in a way to abuse the net - their reputation is at stake too - and they don't want their IP address(es) blacklisted. They will probably have measures in place to protect their systems from abuse by malconfiguration, but they won't really care if the malconfiguration puts your site at risk.

    You have looked at the Joomla website and read up any details on security configuration - in addition to the Apache website? (And if Joomla uses PHP - which it probably does - there are articles on security there as well.)
    Last edited by peterb; 21-03-2008 at 05:06 PM.
