Pete, Posted July 25, 2014:
> 10. Set 777 permissions on important content.
777? Not the best idea: http://www.maketecheasier.com/file-permissions-what-does-chmod-777-means/ But it all depends on what you mean by "content" as well.
adrian, Posted July 25, 2014:
> IMHO making things like .htaccess writable for Apache is not such a good idea, but perhaps that's just me being paranoid.
Not paranoid at all. This is paranoid: I have actually gone as far as renaming my .htaccess file to something else, so if some script did manage to get access to the server, it would be trying to edit a file that doesn't exist. BTW, not suggesting people need to do this; it is a bit of a pain to maintain. I started doing it a long time ago after a server got hacked and I went a little overboard.
pwired (Author), Posted July 25, 2014:
About point 10 in my list: post what would be better than 777 and I'll upgrade my list.
> I have actually gone as far as renaming my .htaccess file to something else so if some script did manage to get access to the server, it would be trying to edit a file that doesn't exist
Very good, I like it. There is also that you can move important files and directories one level above your site root on the server, so the bad guys will have a much harder time accessing them. Edited and added this to the list in point 14.
teppo, Posted July 25, 2014:
> There is also that you can move important files and directories one level above your site root on the server so the bad guys will have a much harder time to access it. Edited and added this to the list in point 14.
This is one thing that Zend Framework nailed perfectly; in a typical setup your entire application lives one level beyond what's directly accessible from the web. I liked it, and it's also something that the security chapter of Programming PHP and the OWASP PHP Security Cheat Sheet suggest.
Pete, Posted July 26, 2014:
CHMOD 777 (on shared hosting at least) could be very bad, pwired. If the server is configured badly, like a lot of cheap ones out there probably are, 777 gives everyone on the server the ability to affect your files. There are plenty of posts about this on the internet if you do a quick search; here's one: http://stackoverflow.com/questions/11271596/how-will-a-server-become-vulnerable-with-chmod-777 If you're not on shared hosting then you're safer, but 777 is about the most open permission you can apply to a file or folder. You would need to read up on CHMOD really (I think I need to as well, as it's been a while), as what permission you can realistically tighten it up to depends on how PHP is installed (mod_php etc.) and I honestly don't know enough about the subject. Your recommendation of 777 just rang alarm bells with me because that's basically "anyone can read, write or execute this file", whereas something like 755 means "owner" can read, write and execute, but "group" and "others" (others being everyone else, I believe) can only read and execute the file. Other folks here might be able to tell us if it's even an issue nowadays, but I just remember a lot of scripts a few years back that told you to set certain permissions on certain folders.
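The "others can write" bit Pete is describing is the 2 in the last octal digit of a mode, and it is the one that matters on shared hosting. The following POSIX shell script is an added example, not code from this thread or from any project mentioned in it: it builds a constructed sample web root (a hypothetical layout, not a real site), lists every entry whose "others" bits include write, and then applies the conventional 755 for directories and 644 for files that Pete contrasts with 777. The sample file names and the 777/666 settings are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a web root for
# world-writable entries and tighten them to 755 (directories) / 644 (files).

# Build a constructed, throwaway web root so the script runs offline.
# The 777 and 666 settings below are the "bad" state being audited.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/site/assets/files"
    printf 'RewriteEngine On\n' > "$root/.htaccess"
    printf '<?php echo 1;\n' > "$root/index.php"
    printf 'x' > "$root/site/assets/files/upload.txt"
    chmod 777 "$root/site/assets" "$root/site/assets/files"   # constructed bad setting
    chmod 666 "$root/.htaccess"                                 # constructed bad setting
    chmod 644 "$root/index.php" "$root/site/assets/files/upload.txt"
    printf '%s' "$root"
}

# List entries whose mode has the "others write" bit set
# (find -perm -o+w matches when that bit is present, whatever else is set).
find_world_writable() {
    find "$1" -perm -o+w -print | sort
}

# Number of world-writable entries under a directory (0 is the goal).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Tighten: directories 755 (owner rwx, group/others rx),
# files 644 (owner rw, group/others r). Nothing is world-writable afterwards.
tighten_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Stand-alone run: show the audit before and after tightening.
if [ "${1:-}" = "--demo" ]; then
    r=$(make_sample_root)
    echo "world-writable before:"; find_world_writable "$r"
    tighten_perms "$r"
    echo "world-writable after: $(count_world_writable "$r")"
    rm -rf "$r"
fi
```

Run it with `sh audit.sh --demo`; on a real web root you would point `find_world_writable` at the document root first and only run `tighten_perms` after confirming the listed paths are not ones PHP genuinely needs to write to (an uploads directory owned by the PHP user needs owner write, not world write).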
pwired (Author), Posted July 27, 2014:
Thanks Pete for posting back on this. I removed 777 and re-edited point 10 in the list.
blad, Posted August 25, 2014:
Regarding the above, a curious fact is that you can update most WordPress sites without admin privileges. Example: http://demo.opensourcecms.com/wordpress/wp-admin/upgrade.php