WordPress.org

Ready to get started?Download WordPress

Forums

bad information (2 posts)

  1. Exsys
    Member
    Posted 1 year ago #

    http://wordpress.org/support/topic/directory-and-file-permissions?replies=15

    I would like to point out that this post is giving bad information

    Some hosts will only allow you to upload images (using WP) if the images folder is 777. That leaves your site at a certain level of risk. Email them and check what the minimum permissions are. Despite what they first say, this is NOT a WP issue - it's a security issue.
    If your host insists that 777 is the only number, start looking for another host. 755 can be done by hosts (my directories are all 755) that take security seriously.

    This is poorly educating readers who dont know any better. Any host that does not require 777 permissions for php to be able to write to the directory, is because the php process is running as the user who owns the files. They do this through the use of technologies such as suphp and suexec.

    What this means is that any file or directory can be written to by the php process, which is why 755 directories work for him on those style hosts.

    Meaning it is a false sense of security and is actually worse than hosts that require 777. Why is it a false sense of security? Because the php process can write to any directory even ones with permissions such as 700. This means an attacker can upload files to any directory or even worse inject code into any wordpress file creating a nightmare for the unsuspecting. So such hosts of literally created 777 on all files and directories.

    So how is this more secure? It's not it is worse and gives guys like the writer of the article a false sense of security.

    At least with hosts that require 777 for writable folders you have control over which exact folders can be uploaded to and you can protect those folders with htaccess folders, preventing them from being exploited.

    .htaccess

    <Files ~ "^.*\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)">
        Order allow,deny
        Deny from all
    </Files>

    The only reason hosting companies use technology such as suexec and suphp which dont require 777 for writable folders, is to pass the security buck onto the hosting customer. They no longer have to worry about hacker accessing your site through a security bug and then reading the configuration files and dumping the databases of other hosting customers on the same server. But by doing so they leave your site wide open to attack and making it easy for you to get hacked.

    This is because the php process is running as the owner of your files and no longer has permission to access files owned by other users.

    To me this is a lame bandaid which only makes the problem of shared hosting security worse.

    As outlined above it is much easier to lock down a site on a shared host that does not use suphp and as such you must set 777 on directories that need to be written to by php. Just use the provided .htaccess file above

    So to stop on the suphp and suexec is gospel people before you even post, "Well this doesnt protect your site if another site is compromised on the server"... correct but your site is not left wide open to be the one hacked in the first place.... AND

    guess what there are technologies now that allow a host to operate in 777 mode while not allowing one site to access another sites files... well it is a combination of technologies actually.

    First: Cloud linux -- running cagefs.... this isolates each user account so the other user cannot access the other users files even if you give out shell access

    Second: Litespeed web server... they have designed a new suexec daemon mode, which if it detects cagefs present will launch the php process inside cagefs so it cannot access other users files, but it will run the process as user nobody instead of the owner of the files, this way the process cannot write or modify files anywhere it wants to. It will only be able to write to 777 directories.

    you can even use the htaccess trick from above on these directories or litespeed has a built in feature which you can lock down which directory permissions are required for executing scripts. So essentially you can tell it not to execute scripts in 777 directories on a global basis.

    My intent is to point out that the article is giving bad advise and should be taken down or modified...not to spam so if anyone is interested in a list of hosting companies that have more secure setups than what this guys horrible advice, send me a message.

  2. esmi
    Forum Moderator
    Posted 1 year ago #

    It is not forum policy to edit or delete posts except in extreme circumstances. In my opinion this is not an extreme circumstance. Apart from the fact that hosts do vary, the poster gave his opinion and you have yours. It is not our place to act as judge and jury in these situations.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags

No tags yet.