LinuxQuestions.org


learnfast 08-12-2005 10:25 AM

security considerations with 777 on shared host?
 
I've asked two of my Linux providers about this and neither has responded yet, so let me ask this here:

I have a shared hosting Linux environment (e.g. your normal $4.95 a month Linux account)
and let's say I need to give one directory 777 rights (everybody read/write/execute)
in order to use an SQLite database there or create dynamic PDFs or PHP5 files or whatever.

So, what are the security issues with this exactly?

1. Can OTHER people who have accounts at that shared hosting provider who also have SSH access, can THEY go over into my directory and read/create and delete files? If no, how is this actually prevented (when I create users on local Linux systems, every user can READ basically everywhere, even in /etc for instance).

2. What are the issues from OUTSIDE actually, i.e. via HTTP. I just basically need to make sure that no input from forms is going straight into the database or straight into files that could be created, etc. right?

3. Are there any other issues of setting directories to 777 in shared hosting environments?

4. What if I want a really flexible environment where my PHP files create PHP files on the fly including directories, etc. and I set my WHOLE website to 777. Are there any EXTRA security issues with this over and above setting ONE directory to 777?

Thanks.

Matir 08-12-2005 12:00 PM

Any file with 777 permissions will be readable, writable, and executable by ANY user on the system.
Any directory with 777 permissions will be readable, writable (files may be renamed/created/deleted) and browsable by ANY user on the system.

Yes, if your directory is 777, someone can delete or edit your files. If one of your PHP scripts is insecure, or one of THEIR PHP scripts is insecure, it is possible that data may be editable or deletable from the internet.

Check out this article for more information: http://www.zzee.com/solutions/linux-permissions.shtml

sundialsvcs 08-13-2005 12:17 PM

But... it will be accessible to them only if they can get to it.

Most hosting-services are sensible enough to restrict all subscriber files to a single home-directory that is assigned uniquely to them. If your files are not accessible to others, the permissions that you assign to them are much less relevant.

Another factor is how other users would be able to reach them: can they get to a shell, or are they limited to http? If the latter, then what Apache will consent to do is a factor.

Nevertheless... you should assign them appropriately.

Matir 08-13-2005 01:59 PM

Let's say I have SSH access on two accounts to a shared box: user1 and user2.

My html files are in /home/user1/public_html, owned by user user1, group users, permissions 755.

Why couldn't user2 just read the files? :)
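
Added example (not part of the original thread): a Python audit that lists world-writable entries under a home directory and, following the replies' point that such files matter only if other accounts can get to them, reports whether "other" has search (x) permission on every directory leading to each one. It reads only the classic "other" mode bits; ACLs, group membership, jails and the web server's own account are out of scope, and the sample tree and the 0711 home mode are constructed assumptions.

```python
import os
import stat
import tempfile

def audit_world_writable(root):
    """Return sorted (relative path, octal mode, reachable) for entries under root
    that grant write to 'other'; reachable = 'other' can traverse down to them."""
    root = os.path.abspath(root)
    # traversable[d]: 'other' has x on every directory from root down to d
    traversable = {root: bool(os.stat(root).st_mode & stat.S_IXOTH)}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        parent_ok = traversable.get(dirpath, False)
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are not enforced
            if stat.S_ISDIR(mode):
                traversable[path] = parent_ok and bool(mode & stat.S_IXOTH)
            if mode & stat.S_IWOTH:
                rel = os.path.relpath(path, root)
                findings.append((rel, oct(stat.S_IMODE(mode)), parent_ok))
    return sorted(findings)

def demo():
    layout = [  # (relative path, mode, is_dir): constructed sample tree
        ("public_html", 0o755, True),
        ("public_html/data", 0o777, True),
        ("public_html/data/site.db", 0o666, False),
        ("private", 0o700, True),
        ("private/cache", 0o777, True),
    ]
    with tempfile.TemporaryDirectory() as home:
        for rel, mode, is_dir in layout:
            path = os.path.join(home, rel)
            if is_dir:
                os.mkdir(path)
            else:
                open(path, "w").close()
            os.chmod(path, mode)
        os.chmod(home, 0o711)  # assumed home mode: traverse-only for others
        return audit_world_writable(home)

if __name__ == "__main__":
    for rel, mode, reachable in demo():
        print(f"{mode:>6}  {'REACHABLE' if reachable else 'shielded '}  {rel}")
```

In the sample tree, `private/cache` is 777 but sits behind a 700 parent, so it is reported as shielded, while `public_html/data` and its database file are reachable by any local account.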


All times are GMT -5.