Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Evils of 777

Joel Clermont
August 01, 2011
Technology
1
69

The Evils of 777

You've probably seen instructions in some web application to set folder permissions to 777. I make the case why this is a very bad idea and unnecessary.

Joel Clermont

August 01, 2011
Tweet

More Decks by Joel Clermont

See All by Joel Clermont
How to get unstuck
jclermont
0
92
Level Up Your Code Quality
jclermont
0
300
How to Save Time
jclermont
0
32
F# Type Providers
jclermont
0
75
Give Elm a Chance! (that conference)
jclermont
0
260
Give Elm a Chance (newCodeCamp)
jclermont
0
240
Give Elm a Chance!
jclermont
0
260
Property-based testing: work harder, not smarter
jclermont
0
400
Elm - A new approach to building the front end
jclermont
0
390

Other Decks in Technology

See All in Technology
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
940
Lexical Analysis
shigashiyama
1
150
TanStack Routerに移行するのかい しないのかい、どっちなんだい! / Are you going to migrate to TanStack Router or not? Which one is it?
kaminashi
0
580
OCI 運用監視サービス 概要
oracle4engineer
PRO
0
4.8k
Amplify Gen2 Deep Dive / バックエンドの型をいかにしてフロントエンドへ伝えるか #TSKaigi #TSKaigiKansai #AWSAmplifyJP
tacck
PRO
0
370
Lambda10周年!Lambdaは何をもたらしたか
smt7174
2
110
Shopifyアプリ開発における Shopifyの機能活用
sonatard
4
250
rootlessコンテナのすゝめ - 研究室サーバーでもできる安全なコンテナ管理
kitsuya0828
3
380
B2B SaaSから見た最近のC#/.NETの進化
sansantech
PRO
0
740
マルチモーダル / AI Agent / LLMOps 3つの技術トレンドで理解するLLMの今後の展望
hirosatogamo
37
12k
ドメインの本質を掴む / Get the essence of the domain
sinsoku
2
150
【Pycon mini 東海 2024】Google Colaboratoryで試すVLM
kazuhitotakahashi
2
500

Featured

See All Featured
Fashionably flexible responsive web design (full day workshop)
malarkey
405
65k
How to train your dragon (web standard)
notwaldorf
88
5.7k
Designing for Performance
lara
604
68k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
The World Runs on Bad Software
bkeepers
PRO
65
11k
Typedesign – Prime Four
hannesfritz
40
2.4k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
44
2.2k
Why Our Code Smells
bkeepers
PRO
334
57k
Designing on Purpose - Digital PM Summit 2013
jponch
115
7k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
How to Think Like a Performance Engineer
csswizardry
20
1.1k
It's Worth the Effort
3n
183
27k

Transcript

  1. The Evils of 777 Joel Clermont @jclermont

  2. Refresher on permissions Octal notation Files versus directories Purposely ignoring

    Windows on this issue Credit: http://codex.wordpress.org/Changing_File_Permissions#The_dangers_of_777

  3. Bad advice abounds Source: http://www.concrete5.org/documentation/installation/file-directory-permissions

  4. Bad advice abounds Source: http://www.phpbb.com/kb/article/phpbb3-chmod-permissions/

  5. It is getting better though The "big 3" CMSes no

    longer encourage 777 - see link on first slide from WordPress - Joomla and Drupal also give big scary warnings

  6. Why do some programs want 777? It all depends on

    who the user is at the moment . . . - FTP user? - apache user? . . . and how Apache is configured to run PHP scripts - mod_php? - CGI/FastCGI/FPM? User uploads / automated installs or updates / caches

  7. What is the danger of 777? Think about what "world"

    writeable means . . it's bad - multi-tenant shared server is really bad - dedicated server is less bad A user of site 1 writes a malicious file to site 2 A user of site 1 reads a config file from site 2 - API keys, database credentials Others? Anyone not convinced yet?

  8. Solution Get PHP code to execute as your FTP user

    FPM (FastCGI Process Manager) http://php-fpm.org/ - bundled with PHP as of 5.3.3 (July 2010) - even nicer than running FastCGI alone

  9. Another option suPHP is a different approach to the same

    problem - http://www.suphp.org Less of a good idea, especially with FPM baked into PHP

  10. Not necessarily an easy change Requires server support - can

    be tricky to get this if not natively offered Zend Server woes - no FastCGI support on Linux Interesting reading on the topic: http://weierophinney.net/matthew/archives/243-Running-mod_php-and-FastCGI-side-by-side.html

  11. Temporary measures Only use 777 outside of your public web

    root Disable PHP in 777 folders - or whitelist approved extensions This should only hold you over until you get a real fix

  12. Questions, comments or war stories?