Re: Security risks in setting public_html to 777?

From: Steve Wolfe (
Date: 04/01/04

    Date: Thu, 1 Apr 2004 11:53:22 -0700

    > I'm running a web server, and I want some CGI scripts to be able to
    > create files and directories in public_html. To do this, I need to set
    > permissions for public_html to 777. Are there any security risks in
    > doing this?

      Yes, there certainly are. However, chances are that you don't really
    need them set to 777.

      The first 7 is fine. And the second 7 is *probably* fine. But the
    third 7? You'll only need that if the web server is running as a user
    *other* than the owner of the directories. There are usually ways to fix
    that - as an example, with Apache, suexec can be used to let the cgi apps
    run as an appropriate user, not as "apache", "nobody", or whatever your
    apache runs as.
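
An added example, not part of the original post: a small audit that walks a tree such as public_html, reports every world-writable directory, and says whether the "third 7" is needed for the account the CGI scripts run as. The function names, the `cgi_uid`/`cgi_gids` parameters and the suggested mode (the current mode with only the other-write bit cleared) are assumptions made for this illustration.

```python
import os
import stat
import tempfile

def write_class(st, cgi_uid, cgi_gids):
    """Permission class through which cgi_uid would get write access."""
    if st.st_uid == cgi_uid:
        return "owner"
    if st.st_gid in cgi_gids:
        return "group"
    return "other"

def audit(root, cgi_uid, cgi_gids):
    """Return (path, mode, class, suggested_mode) for each world-writable
    directory under root. suggested_mode is None when the CGI user is
    neither owner nor group, i.e. when o+w is what makes the scripts work
    and the fix is to change who the CGI runs as (e.g. suexec)."""
    findings = []
    for dirpath, _dirs, _files in os.walk(root):  # does not follow symlinks
        st = os.lstat(dirpath)
        mode = stat.S_IMODE(st.st_mode)
        if not mode & stat.S_IWOTH:
            continue  # third digit has no write bit: nothing to report
        cls = write_class(st, cgi_uid, cgi_gids)
        # Assumption: keep everything else, clear only the other-write bit.
        suggested = None if cls == "other" else mode & ~stat.S_IWOTH
        findings.append((dirpath, mode, cls, suggested))
    return findings

if __name__ == "__main__":
    # Constructed sample tree so the script runs without a real web root.
    root = tempfile.mkdtemp()
    pub = os.path.join(root, "public_html")
    os.mkdir(pub)
    os.chmod(pub, 0o777)
    me = os.getuid()
    # First run: CGI runs as the directory owner. Second: as an unrelated uid.
    for uid, gids in ((me, set(os.getgroups())), (me + 1, set())):
        for path, mode, cls, suggested in audit(root, uid, gids):
            fix = ("run CGI as the owner (suexec)" if suggested is None
                   else "chmod %o" % suggested)
            print("uid=%d %s mode=%o writes via %s: %s"
                  % (uid, path, mode, cls, fix))
```
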

