0

The .htaccess in our application has 777 permissions because a sister application needs to write to it. Could you confirm that .htaccess with 777 permissions is bad for security and, if so, what a more secure alternative would be?

I was thinking if the sister application (located on the same server) changes the permissions before it edits it and then changes them back again?

Anders
xylar
    I can see no reasonable scenario in which a .htaccess file needs to be executable. – user Sep 30 '16 at 14:32

2 Answers

6

Yes, XX7 is very bad for security, it gives read, write and execute access to all users and should be avoided unless absolutely necessary. A malicious user could use the .htaccess file to get a malicious or sensitive file to become visible to the web interface. Then, using the web interface user (who may have elevated privileges) the malicious actor could perform actions under that context.

If you can get the sister application and the .htaccess file to have the same owner/runner then 700 should work, otherwise try to get them into the same group and have 770.

Obviously the more users with write access to a file the less secure it is.

If some level of access ( > 0) is required for .htaccess, consider:

  • 1 (execute)
  • 4 (read)
  • 5 (read and execute)
HashHazard
Topher Brink
  • Thank you Hollowproc, you have made what I had in my head actually appear; I was having difficulties putting my thoughts down. – Topher Brink Sep 30 '16 at 14:00
1

For the htaccess file you need only read rights (400 if the user is the owner) for the user who owns the process which accesses this file (apache, http, etc). Anything more will open a security hole, permitting writing (not required even for the user), adding rewrite rules (or removing some) by a user of this server.

Romeo Ninov
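The two answers above recommend two layouts: a shared owner or group with 700/770 so the sister application can still write, or a read-only 400 for the server's user. The following POSIX shell script is an added example, not code from either answer or from any project: it audits the mode of a .htaccess file (flagging execute bits and any access for "others"), tightens it to a shared-group layout (660, with an optional `chgrp` to the group both the web server and the writer belong to), and offers the stricter 400 lockdown from the second answer. The file path and the demo directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread above): audit a .htaccess file's mode and
# tighten it so a separate writer process keeps write access through a shared
# group instead of world-writable bits. Paths below are constructed for the demo.

# Octal permission bits of a file (GNU stat first, BSD stat as a fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print one problem per line for the given file; return 1 if any were found.
# The web server only needs to read the file, so every execute bit and every
# "others" bit is flagged; owner/group write is tolerated because the sister
# application needs to edit the file.
htaccess_mode_issues() {
    bits=$((0$(file_mode "$1") & 0777))   # leading 0 makes sh parse it as octal
    found=0
    if [ $((bits & 0111)) -ne 0 ]; then echo "execute bit set"; found=1; fi
    if [ $((bits & 0002)) -ne 0 ]; then echo "world-writable";  found=1; fi
    if [ $((bits & 0004)) -ne 0 ]; then echo "world-readable";  found=1; fi
    return $found
}

# Shared-group layout (first answer): owner and group may read and write,
# everyone else gets nothing. If a group name is given, the file is handed to
# that group first so both the server and the writer process can use it.
harden_htaccess() {
    if [ -n "$2" ]; then chgrp "$2" "$1" || return 1; fi
    chmod 660 "$1"
}

# Strictest layout (second answer): owner read-only, nothing else.
lockdown_htaccess() {
    chmod 400 "$1"
}

# Constructed demo: a scratch .htaccess created with the asker's 777 mode.
demo() {
    dir=$(mktemp -d)
    f="$dir/.htaccess"
    printf 'RewriteEngine On\n' > "$f"
    chmod 777 "$f"
    echo "before: mode $(file_mode "$f")"
    htaccess_mode_issues "$f" || true
    harden_htaccess "$f"            # no group given: keeps the current group
    echo "after:  mode $(file_mode "$f")"
    htaccess_mode_issues "$f" && echo "no issues found"
    rm -rf "$dir"
}

demo
```

Run it as `sh audit_htaccess.sh`; to apply the shared-group layout to a real file, call `harden_htaccess /path/to/.htaccess webgroup` with the group that both the web server's user and the writer's user belong to, and use `lockdown_htaccess` instead if nothing needs to write the file at all.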