Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Evils of 777

Joel Clermont
August 01, 2011
Technology
1
67

The Evils of 777

You've probably seen instructions in some web application to set folder permissions to 777. I make the case why this is a very bad idea and unnecessary.

Joel Clermont

August 01, 2011
Tweet

More Decks by Joel Clermont

See All by Joel Clermont
How to get unstuck
jclermont
0
84
Level Up Your Code Quality
jclermont
0
280
How to Save Time
jclermont
0
30
F# Type Providers
jclermont
0
59
Give Elm a Chance! (that conference)
jclermont
0
230
Give Elm a Chance (newCodeCamp)
jclermont
0
210
Give Elm a Chance!
jclermont
0
230
Property-based testing: work harder, not smarter
jclermont
0
380
Elm - A new approach to building the front end
jclermont
0
360

Other Decks in Technology

See All in Technology
楽しくGoを学び合う、LayerXの勉強会文化 / LayerX's study culture of having fun and learning Go together
ar_tama
2
350
たくさん本を読んだけど 1年後には綺麗サッパリ!を乗り越えて 学習の鬼になるぞ👹
yum3
0
160
ペパボのオブザーバビリティ研修2024 説明資料
kesompochy
0
1.1k
セキュリティ研修 Day1【MIXI 24新卒技術研修】
mixi_engineers
PRO
0
160
【基調講演】変える、今ここから ― IoTとAIで紡ぐ未来
soracom
PRO
0
320
テストケースの自動生成に生成AIの導入を試みた話と生成AIによる今後の期待
shift_evolve
0
190
Azure AI ことはじめ
tsubakimoto_s
0
130
コンテナ・K8s研修 - 後半 Kubernetes 基礎&ハンズオン【MIXI 24新卒技術研修】
mixi_engineers
PRO
1
120
Azure Pipelinesを使用したCICDベースラインアーキテクチャ実践
yuriemori
0
190
フルリモートワークはエンジニアの夢を叶えたか? #cm_odyssey
mamohacy
2
600
成長期に歩みを止めないための創業期の開発文化形成
mayah
6
420
[2024最新版]AWS Control Towerを使ったセキュアなマルチアカウント環境の作り方
hiashisan
0
270

Featured

See All Featured
What's in a price? How to price your products and services
michaelherold
239
11k
10 Git Anti Patterns You Should be Aware of
lemiorhan
652
58k
Building Flexible Design Systems
yeseniaperezcruz
323
37k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
224
21k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
228
16k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
13
430
Speed Design
sergeychernyshev
9
270
Designing for humans not robots
tammielis
247
25k
Writing Fast Ruby
sferik
623
60k
Git: the NoSQL Database
bkeepers
PRO
423
64k
Happy Clients
brianwarren
94
6.6k
[RailsConf 2023] Rails as a piece of cake
palkan
35
4.4k

Transcript

  1. The Evils of 777 Joel Clermont @jclermont

  2. Refresher on permissions Octal notation Files versus directories Purposely ignoring

    Windows on this issue Credit: http://codex.wordpress.org/Changing_File_Permissions#The_dangers_of_777

  3. Bad advice abounds Source: http://www.concrete5.org/documentation/installation/file-directory-permissions

  4. Bad advice abounds Source: http://www.phpbb.com/kb/article/phpbb3-chmod-permissions/

  5. It is getting better though The "big 3" CMSes no

    longer encourage 777 - see link on first slide from WordPress - Joomla and Drupal also give big scary warnings

  6. Why do some programs want 777? It all depends on

    who the user is at the moment . . . - FTP user? - apache user? . . . and how Apache is configured to run PHP scripts - mod_php? - CGI/FastCGI/FPM? User uploads / automated installs or updates / caches

  7. What is the danger of 777? Think about what "world"

    writeable means . . it's bad - multi-tenant shared server is really bad - dedicated server is less bad A user of site 1 writes a malicious file to site 2 A user of site 1 reads a config file from site 2 - API keys, database credentials Others? Anyone not convinced yet?

  8. Solution Get PHP code to execute as your FTP user

    FPM (FastCGI Process Manager) http://php-fpm.org/ - bundled with PHP as of 5.3.3 (July 2010) - even nicer than running FastCGI alone

  9. Another option suPHP is a different approach to the same

    problem - http://www.suphp.org Less of a good idea, especially with FPM baked into PHP

  10. Not necessarily an easy change Requires server support - can

    be tricky to get this if not natively offered Zend Server woes - no FastCGI support on Linux Interesting reading on the topic: http://weierophinney.net/matthew/archives/243-Running-mod_php-and-FastCGI-side-by-side.html

  11. Temporary measures Only use 777 outside of your public web

    root Disable PHP in 777 folders - or whitelist approved extensions This should only hold you over until you get a real fix

  12. Questions, comments or war stories?