Sometimes I prefer working with text files instead of a database as I can later manually edit the file content. Imagine I have created a text file blacklist and chmodded it to 777. Let's say it is accessible at http://example.com/settings/blacklist.csv. This effectively gives read/write/execute to the whole world, doesn't it? What can a normal user do with that file other than reading its content? Is this a security threat for my site and its content? Will any normal web viewer, or someone else other than an SSH user (or machine user), be able to modify the file content?

Mehdi Haghgoo

  • If your intention is to give read access to everybody, why do you give them write and execution permissions at all? – DarkMatter Nov 14 '18 at 14:47
  • I give it 777 so my PHP scripts can easily modify it. Maybe I only need 766. Don't I? – Mehdi Haghgoo Nov 14 '18 at 16:17
  • What is *"a normal user"*? Someone visiting the website or some other local user on a server with shared hosting? – Steffen Ullrich Nov 14 '18 at 16:41
  • By a normal user I mean someone visiting the website. Thanks for pointing this out. The title was confusing. – Mehdi Haghgoo Nov 14 '18 at 19:20
  • "Sometimes I prefer working with text files instead of database as I can later manually edit the file content" - this is already setting off major alarm bells. Do you believe that everyone else has been getting it wrong for nearly 50 years? – symcbean Nov 14 '18 at 21:24
  • @codezombie Don't. Just... don't. – forest Nov 15 '18 at 01:46

2 Answers

Servers are not written in a way to automatically modify a file just with a simple POST or PATCH method (a security feature, to be sure), so 777's biggest threat is that it exposes read access to potentially sensitive data. Depending on the server configuration, a 777 file could also be executable, though most server configurations limit execution to "bin" directories as an additional safety feature (e.g. "cgi-bin"). Without FTP, SSH, telnet, etc. access, the file is still effectively read-only.

That said, you shouldn't rely on this, and you should always make sure you chmod your files correctly to avoid any potential complications. The security implications are directly related to the values inside the file, of course. If it's just a list of blacklisted IP addresses, it's probably harmless, but if it has server configuration values, passwords, etc., that would be an obvious security concern.

In summary, 777 by itself is "mostly harmless," but it really depends on the purpose of the file as to the importance you should place on protecting it.

phyrfox

In a world where locks were unbreakable, no one would have more than one on their house's main door. Unfortunately...

The IT world is not really different. Your OS and server software should not allow a client user to do more than is expected. But there can be security or implementation flaws causing unexpected behaviour...

That is the reason why good security practices recommend setting up more than one line of defense, and observing the least privilege rule: if a permission is not required for the system to work, it should be removed. That way, even if the protection offered by the server software is broken, the one offered by the file permissions still prevents an attacker from doing (too) bad things.

There are indeed real use cases for 777 files, but using it when it is not required is bad because it unnecessarily lowers the global protection level of the system.

Serge Ballesta
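A concrete way to apply the least-privilege advice from the second answer (and the "maybe I only need 766" question in the comments), as an added example that is not part of either answer: a POSIX shell script that finds world-writable files under a web root and tightens them to a mode the PHP process can still write. The web root, the blacklist.csv contents and the target mode 0640 are constructed assumptions; the file is assumed to be owned by the user the PHP scripts run as.

```shell
#!/bin/sh
# Added example (not from the answers above): audit a web root for
# world-writable files (777, 766, ...) and tighten them.

# List regular files under $1 whose mode grants write to "other" (-perm -002).
find_world_writable() {
    find "$1" -type f -perm -002
}

# Least privilege for a file the PHP worker must edit: owner rw, group r,
# nothing for others (0640). Assumes the file is owned by that worker user,
# so the script can still write and the web server group can still read.
harden_file() {
    chmod u=rw,g=r,o= "$1"
}

# Octal mode of a file, portable across GNU stat and BSD stat.
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# Demonstration on a constructed temporary web root; prints
# "<world-writable before> <world-writable after> <final mode>".
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/settings"
    # Constructed sample blacklist (documentation-range addresses).
    printf '203.0.113.5\n198.51.100.7\n' > "$root/settings/blacklist.csv"
    chmod 777 "$root/settings/blacklist.csv"
    before=$(find_world_writable "$root" | wc -l | tr -d ' ')
    find_world_writable "$root" | while read -r f; do harden_file "$f"; done
    after=$(find_world_writable "$root" | wc -l | tr -d ' ')
    mode=$(file_mode "$root/settings/blacklist.csv")
    rm -rf "$root"
    echo "$before $after $mode"
}
```

Run `find_world_writable /var/www` (or whatever your web root is) on a real host to see which files the server could be tricked into rewriting before deciding which ones actually need anything beyond 0640.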