0

I am trying to understand how giving 777 permission to folders or files works. I did some research and understand that 777 permission is not the best when it comes to security. I am referring to web application directories/files.

I do understand the first sets of numbers, which are the owner and group. However, I would like to clarify giving 7 permission to others. Who are the others, users within the server? Or anyone (even public users who access the website through their browsers)? And how can others cause a threat, and what type of threat, if the website folder/file had 777 permission?

And are there certain circumstances where it's OK to give 777 permission to folders/files, such as images, for example? Anything more out there?

womble
  • 98,245

3 Answers

2

Who are the others, users within the server?

Others are non-system users not accounted for by owner and/or group. Public users, e.g. people browsing, access the files on the system via a process, e.g. Apache httpd. The process is owned by a user, and access is granted to the files based on the permissions that are relevant to that user at the time of access.

And are there certain circumstances where it's OK to give 777 permission to folders/files, such as images, for example? Anything more out there?

On a properly configured system, very few if any files will need to be 777. The principle of least privilege should apply at all times. Why, for example, would you want to give execute permission on an image when it is not executable? Why would you give other write access to an executable?

user9517
  • 117,122
1

Permission 777 certainly doesn't mean that

anyone (even public users who access the website through the browsers)

may alter your file.

It does mean that anyone on the system may do it, and this is potentially a lot of third parties. Let's say you have one hacked WordPress website, just one among many others, which runs on Apache or a designated system user. This site may be used to iterate over the system in order to find any accessible (readable, writable, executable) file, and guess who is on board?

So, stick to the general recommendation to provide only the minimum rights to the part of your system (whatever it may be) needed to work. 777 permission is rarely used besides non-private, non-secret /tmp-type files.

0

Consider any service account taking action on your files on behalf of a user, per se, including any system() calls within these files. To exploit 777 permissions, it becomes only necessary to compromise one account on a system.

This fact alone opens the door to any other category of potential danger you can encounter in a system. Is the code vulnerable to a buffer overflow and arbitrary execution? Is the program vulnerable to SUID/GUID exploits allowing privilege escalation? (I'm thinking KDE eFax here)

Proper permissions in place mitigate as many of these kinds of risks as possible.

womble
  • 98,245
Jnach
  • 1
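
An added example, not part of the question or any answer above: a POSIX shell audit for the "other"-write bit (the last digit of 777) that the answers warn about, with sticky-bit directories (the /tmp-style case) listed separately. The function names and the choice to fix with `chmod o-w` are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit a directory tree for entries that "others" can write to.
# All function names here are hypothetical; pass the web root as the argument.

# Entries writable by "others", excluding symlinks (their own mode bits are not
# used for access checks) and sticky-bit directories (mode 1777, like /tmp).
list_world_writable() {
    find "$1" ! -type l -perm -0002 ! \( -type d -perm -1000 \) -print
}

# Directories that are world-writable but carry the sticky bit, so only the
# owner of an entry can delete or rename it. These are reported, not changed.
list_sticky_shared() {
    find "$1" -type d -perm -1002 -print
}

# Number of findings, usable as a pass/fail check in a deployment script.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Remove only the write bit for "others"; owner and group bits are untouched
# (777 becomes 775). Assumption: nothing in the tree relies on other-write.
tighten() {
    find "$1" ! -type l -perm -0002 ! \( -type d -perm -1000 \) \
        -exec chmod o-w {} +
}

# Human-readable report with owner, group and mode for each finding.
report() {
    echo "World-writable (no sticky bit):"
    list_world_writable "$1" | while IFS= read -r p; do ls -ld "$p"; done
    echo "Shared sticky-bit directories:"
    list_sticky_shared "$1"
}

# Run a report only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    report "$1"
fi
```

The report shows which account owns each finding, which is the account a compromised process would need to match if the other-write bit were removed.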