In a PHP / Apache / Linux context, why exactly is chmod 777 dangerous?
Inspired by the discussion in this question, a maybe stupid question.
We have all been taught that leaving directories or files on Linux-based web hosting with the permission level of 777 is a bad thing, and to set always as little permissions as necessary.
I am now curious as to where exactly lies the danger of exploitation, specifically in a PHP / Apache context.
After all, a PHP script file can be executed from the outside (i.e. through a call to the web server, and subsequently to the interpreter) no matter whether it is marked as "executable", can't it? And the same applies to files called through the command-line php interpreter, right?
So where exactly is the vulnerability with 777? Is it the fact that other users on the same machine can access files that are made world writable?
Answer
Here's one scenario:
- You have an unprotected directory that users can upload to.
- They upload two files: a shell script, and a php file that has a
system()call in it to the shell script. - they access the php script they just uploaded by visiting the url in their browser, causing the shell script to execute.
If this directory is 777, that means that anybody (including the user apache, which is what php script will execute as) can execute it! If the execute bit is not set on that directory and presumably the files inside the directory, then step 3 above would do nothing.
edit from the comments: it's not the PHP file's permissions that matter, it's the system() call inside the PHP file that will be executed as a linux system call by the linux user apache (or whatever you have apache set to run as), and that is PRECISELY where the execution bit matters.