Often when setting up PHP scripts on web hosting accounts you will see the requirement to set some files and directories to Chmod 777. This means everyone can read, write and execute this items. On the surface this looks like a security risk but with a properly configured server this is security risk is eliminated.
Q. Should EVERYTHING be chmod 777 then when installing PHP scripts?
A. Not really. Just the required directories, and all the files and directories inside them. Again it won't effect security if you do, so long as the server configuration has a normal security configuration.
Q. Access by "Owner," "Group," and "Everyone." are what the numbers mean, so can anyone change files set to 777 because they are writable to everyone?
A. Um, on the surface, yes. But, looking deeper the person must first get access to your server and be able to view the file to do that. They additionally need access to the files directory, and the directories directory that file located all the way up the point they try to access your files. Reasonably you will have a directory (like your user name) which is not chmod 777. This is normally set to chmod 111 by the host at account set up.
Q. Would it be safer not to use chmod 777? Could a hacker exploit it if they got in?
>A. When a hacker gets in and starts causing trouble not much will stop them. Even with the file permissions as strict as possible other opportunities would be exploited, like databases will be wide open. So, yeah... you can ensure some files that are not change or deleted, but not all.
Q. Is it likely a hacker would get into my server to access the mysql database?
A. Yes as likely just as much as getting in to edit files, by editing your files the hacker can change things like what is displayed on your web pages, buy normally stored in the mysql database are items like e-mail addresses and passwords that can be much more valuable in terms of cash. A database is chmod 777 at all times when you think about it.
Q. Can MySQL permissions be used to secure it form intrusion as well? if I make it so they users can not delete what will happen?
A. Most scripts will not work with limited settings like that. Scripts need to be able to delete content at times. If the script can delete, so can a hacker. So the key is keeping them out of the server before this point is the only real solution.
Q. Still my host does not want me setting things to chmod 777 because they say it is not safe?
A. Tell them to read these explanations. When they cannot prove anything here to be wrong then they should allow you the 777 files and directories. In case they still refuse to see logic then maybe you should find a new web host that is more knowledgeable.
Q. So with Chmod 777 not being a security problem, why should I use other chmod settings?
A. Because we all take a maximum security view point and keeping chmod settings lower than 777 will simply provide additional security for each individual file. This is part of a maximum security philosophy. |
