DonQuichote -
Joined: 24 Dec 2006 Posts: 68 Location: The Netherlands
Posted: Sat Nov 01, 2008 9:39 pm Post subject: Why?
I can hardly imagine that you would want that on a serious webserver. Let me explain:
Each 7 is for a permission category, in the order Owner, Group, Other. 777 means that you want to give them all permission "7". A 7 is a bit flag value:
Read=4, Write=2, Execute=1. Add any of those you want and you get the permission. So 7 means all of them. One extra note: if you want to enter a directory, you need execute rights on it.
On any Unix-style server, the web server runs as a certain user (I called my user "abyssd", because it is the "abyss daemon"). You also log in as yourself when you put your files on the server. Both you and the web server user have groups they belong to. By default, every user belongs to a group with the same name.
So if you want to be able to read the files, write new files (by uploading for instance), and enter directories, you should give yourself (or an uploader's group) full rights (7). A webserver usually needs only read rights on its files (2) and read+execute (3) on the directories. If the webserver needs to write things, the first thing to do is think. This is dangerous. Why does a webserver need to write files? One of the valid reasons is a file upload through the website. Of course, any uploaded file should be thoroughly checked if it is harmless and should NEVER be granted execute rights. But even without execute rights, files are not harmless. An uploaded PHP file, for instance, will be executed like any other if it can be located from the browser.
That said, giving lots of files full rights for everybody is plain dangerous. Don't. It is better to determine the rights they really need. Also, uploaded files are first uploaded to the temp directory and then moved to their final location. The web server user is the owner of these files and can set the necessary permissions. There are two tricks to make sure they are given the right group permissions:
First, do a
Code:
    chmod g+s your_upload_directory
(where you will have to substitute the real path to the upload directory). This will make sure all files and subdirectories get the same group.
The second trick is to set the umask right. You can do that in PHP. The umask works the same as the rights, but is built up of all rights you want to DENY. So a umask of 777 leaves no rights at all, and a umask of 027 denies execute for groups and leaves no right for others.
If the files are not yours, you will have to become root to change their permissions. If you do not know how to do that, ask your system administrator for help (he will probably rant the above story at you).
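The setgid directory and the umask described in the post above, as an added shell example that is not part of the original post: it sets up an upload directory, stores a file under umask 027, and lists anything left world-writable. It assumes GNU coreutils (`stat -c`); the function names and temporary paths are hypothetical, and the shell's `umask` stands in for the PHP call the post mentions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU coreutils (stat -c).
# Function names and demo paths are hypothetical.

# Create an upload directory: owner rwx, group r-x, others nothing,
# plus setgid so new files and subdirectories inherit the directory's group.
make_upload_dir() {
    mkdir -p "$1" && chmod 750 "$1" && chmod g+s "$1"
}

# Copy <source> to <destination> under umask 027. The subshell keeps the
# caller's umask untouched. A new file is created as 666 & ~027 = 640,
# so it never receives an execute bit.
store_upload() {
    ( umask 027 && cat "$1" > "$2" )
}

# Octal mode of a path, e.g. 640 or 2750 (leading 2 = setgid).
mode_of() {
    stat -c '%a' "$1"
}

# List everything under a directory that "other" may write to,
# which is what a blanket chmod 777 leaves behind. Symlinks are skipped
# because their own mode bits are not meaningful.
world_writable() {
    find "$1" ! -type l -perm -0002
}

# Demo on a throwaway directory with constructed sample content.
demo() {
    root=$(mktemp -d) || return 1
    make_upload_dir "$root/uploads"
    printf 'constructed sample upload\n' > "$root/sample.txt"
    store_upload "$root/sample.txt" "$root/uploads/a.txt"
    ( umask 027 && mkdir "$root/uploads/sub" )
    touch "$root/uploads/bad.txt" && chmod 777 "$root/uploads/bad.txt"
    echo "uploads dir : $(mode_of "$root/uploads")"
    echo "stored file : $(mode_of "$root/uploads/a.txt")"
    echo "subdirectory: $(mode_of "$root/uploads/sub")"
    echo "world-writable entries:"
    world_writable "$root/uploads"
    rm -rf "$root"
}

demo
```

Running `world_writable` over a document root is a quick way to find files that were given 777 and should be tightened.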