Lumpy Burgertushie wrote:
Wed Dec 28, 2016 5:03 pm
I haven't seen any host that doesn't allow 777. If they do then they really are a bit paranoid.
I have never heard of a case where having a directory chmod 777 was ever hacked because of it.
Anyway, phpBB has always worked this way and continues to work just fine this way. You are the first person I have seen mention having an issue with the chmod 777 settings.
The reality is that it is more likely that your board will not work properly if the cache folder, in particular, is not set to 777.
Bottom line is, whatever works for you is the way you have to do it.
Robert, and anyone else not knowing what 777 is.
777 permissions means that the file (on Unix/Linux even a directory is considered a file) has public read/write/execute permissions. What does public mean in this case? The whole machine -- your file is public to all users to do whatever they wish. This means that any other user on the same machine has read/write/execute access to your file/dir -- to read it, to modify it, to delete it, or to execute it. Usually, if not always, every website is a user (not you). This means that on that same machine, if one has a website, this person can go on and delete a file that has 777 permissions from a different user. Even worse, they can modify it with malicious code. So if a website is hacked and has a virus, the virus will most possibly automatically try to hack other websites on the same machine to expand by finding directories or files with 777 permissions. There are ways to restrict this and one is open_basedir, another one is jailkit.
In any case, once you know the basics, you never set 777 on a file unless you are on a development machine in a very restricted environment such as your own local network.
I would like to suggest that people without a basic understanding of security do something other than give advice to the public like Robert did.
Setting directories to 755 and files to 644 gives you, as the owner of them, the read/write/execute access you need. If your web application cannot work otherwise, then you either do something very wrong, or the application itself, or the server has issues. If an application requires 777 permissions, stay away from it. If a server requires 777 permissions while there are other users on it and you need the basic security, you know what to do? Yes, you do already. Now once phpBB 3.2.0 does chmod some directories to 777 upon update or even initial install, I consider it a vulnerable version and I would not advise anyone to update before the developers fix this. I would also advise this forum administrator to chmod those directories to 755 unless they own the whole machine this forum is hosted at and they are sure no other user will be able to access your files.
And Robert, no, phpBB does not require 777 permissions in order to work. It is an application that works from the same directory it is installed at, meaning it can fully work from the same user that owns those files on the file system. Your ideology there which says "whatever works for you is the way you have to do it" is something you can keep to yourself. And there is absolutely no reality even in a multiverse that a cache directory requires its owner to chmod it with 777 permissions and expose it to everyone. If you really believe that what you say is right, go on and chmod your /config.php with 666 permissions, you do not even need to go up to 777 to expose your phpbb database user/password to all the users on the machine and be hacked yesterday.
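An added example, not part of the post above and not phpBB's own code: a small Python audit that walks a web root, lists every file or directory that any local user can write to, and can reset each one to the 755/644 baseline named in the post. The function names, directory names and sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

# Baseline taken from the post: directories 755, files 644.
DIR_MODE, FILE_MODE = 0o755, 0o644

def audit_world_writable(root, fix=False):
    """Return [(path, found_mode, baseline_mode)] for every entry under root
    that any local user may write to. With fix=True, chmod each to baseline."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinks
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode shows as 777 on Linux and means nothing
            mode = stat.S_IMODE(st.st_mode)
            if not mode & stat.S_IWOTH:
                continue  # "other" write bit is clear, nothing to report
            baseline = DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE
            findings.append((path, mode, baseline))
            if fix:
                os.chmod(path, baseline)
    return findings

def build_sample_tree():
    """Constructed sample layout (hypothetical paths, not a real install)."""
    root = tempfile.mkdtemp(prefix="board-")
    os.chmod(root, 0o755)
    for name, mode in {"cache": 0o777, "store": 0o777, "styles": 0o755}.items():
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    for name, mode in {"config.php": 0o666, "index.php": 0o644}.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.chmod(path, mode)
    os.symlink("index.php", os.path.join(root, "link.php"))  # must be ignored
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    for path, mode, baseline in audit_world_writable(root):
        print(f"{oct(mode)} -> {oct(baseline)}  {os.path.relpath(path, root)}")
```

Run it without `fix` first and review the list; `fix=True` changes modes in place.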