 

In a PHP / Apache / Linux context, why exactly is chmod 777 dangerous?

Inspired by the discussion in this question, a maybe stupid question.

We have all been taught that leaving directories or files on Linux-based web hosting with the permission level of 777 is a bad thing, and to always set as few permissions as necessary.

I am now curious as to where exactly lies the danger of exploitation, specifically in a PHP / Apache context.

After all, a PHP script file can be executed from the outside (i.e. through a call to the web server, and subsequently to the interpreter) no matter whether it is marked as "executable", can't it? And the same applies to files called through the command-line php interpreter, right?

So where exactly is the vulnerability with 777? Is it the fact that other users on the same machine can access files that are made world writable?

asked Feb 26 '10 00:02 by Pekka




1 Answer

Here's one scenario:

  1. You have an unprotected directory that users can upload to.
  2. They upload two files: a shell script, and a PHP file that has a system() call in it to the shell script.
  3. They access the PHP script they just uploaded by visiting the URL in their browser, causing the shell script to execute.

If this directory is 777, that means that anybody (including the user apache, which is what the PHP script will execute as) can execute it! If the execute bit is not set on that directory and presumably the files inside the directory, then step 3 above would do nothing.

Edit from the comments: it's not the PHP file's permissions that matter, it's the system() call inside the PHP file that will be executed as a Linux system call by the Linux user apache (or whatever you have apache set to run as), and that is PRECISELY where the execution bit matters.

answered Sep 19 '22 14:09 by Mike Sherov
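
An audit of the scenario in the answer above, as an added example that is not part of the original answer: it builds a constructed `uploads` tree set to 777, lists what is world-writable or executable, and shows that resetting to 755/644 stops the direct execution the answer describes. The function names, file names and temporary path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a PHP upload directory. All paths are constructed.

# Entries any local user may write to (the last "7" in 777).
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Regular files with any execute bit set; uploads should be data only.
executable_files() {
    find "$1" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print
}

# Directories 755, files 644: owner-writable, nothing directly runnable.
harden() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Build a throwaway tree that mimics a chmod -R 777 upload area.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir "$d/uploads"
    printf '#!/bin/sh\necho ran\n' > "$d/uploads/job.sh"   # harmless stand-in
    printf 'data\n' > "$d/uploads/photo.jpg"
    chmod -R 777 "$d/uploads"
    printf '%s\n' "$d"
}

# Can the current user start FILE directly, as system("FILE") would?
runs_directly() {
    "$1" >/dev/null 2>&1
}

root=$(make_fixture)
echo "world-writable before:"; world_writable "$root/uploads"
runs_directly "$root/uploads/job.sh" && echo "777: job.sh runs"
harden "$root/uploads"
runs_directly "$root/uploads/job.sh" || echo "644: job.sh refused (no execute bit)"
echo "world-writable after: $(world_writable "$root/uploads" | wc -l)"
rm -rf "$root"
```

Clearing execute bits only blocks direct execution: a script handed to an interpreter (`sh job.sh`) or a `.php` file parsed by the web server does not need them. The upload directory should therefore also be excluded from PHP handling in the server configuration.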