MyBB Community Forums

Full Version: Security & 777...
Just recently installed myBB, and like what I see so far. I'm in the process of writing a sci-fi novel and intend to use the forum to interact with any fans crazy enough to buy.

However, there's the incessant insistence on permissions being 777. This is inherently insecure. World, the rightmost digit, should never have "7" permission.

Assuming the administrator has shell access, the more secure option is to first chown the target directory to the same group as the web server user. That is, if the web server user is "apache" and belongs to the group "apache" or (in Ubuntu) "www-data"; then "chown :apache directory" or "chown :www-data directory". Then, set the permissions of that directory to 775. (Likewise for files that need web server write access, with perms at 664.)

Why? In a Unix system, the server daemon is usually a non-interactive user; so if somebody compromised that user nothing could be done because that user has no interactive shell. Chowning to the web service's group allows the web service to interact with that directory as you are seeking with 777; so changes can be made. But, restricting the world permission gives any unauthorized user only read and list authority (5). You could get away with 770 if you're really paranoid.
We understand totally that 777 is not 100% best security practice.

However, what you don't realize is that more than 60% of hosts don't give us any choice but to default to using 777 permissions. This is because many hosts set up PHP (apache daemon) under the user "nobody." The only way to get it to work 100% among all hosts is to have it at 777.

An alternative solution is to try each permission starting from 555 up until 777 or one works. This is something we're looking to implement into 2.0.
To be useful, directory permissions need to either be at 7 (read, write, execute) or 5 (read, execute). You need the execute bit on to do directory listings, copy, move, delete, etc. So, 665 is not an option for directories. (For the audience, 4=read, 2=write, 1=execute, add to get what you need, so 6 = 4+2 = read, write; 5 = 4+1 = read, execute.) I've accidentally chmoded /usr/bin, /sbin and /bin to 664 before; which creates a certain comedic consequence.

I did say "Assuming the administrator has shell access...." You are right, there are quite a few web host providers that limit one's ability to chmod/chown. That's why I didn't suggest using 2777 temporarily during the install, which can get around some other security issues. So, I clearly realize that, contrary to your observation. I've been working with web host providers for 13 years now and have dealt with most kinds (still looking at cloud providers).

However, you said "over 60% of hosts don't." Assuming that statistic is accurate, then that means that less than 40% of hosts do. Web hosting is a commodity item; there are so many that offer this service that you can choose to pick one that gives you the access you need to have a secure site. By commodity, I mean you should never have to pay more than USD 10 per month for web hosting that gives shell access, and Cpanel, or some other web UI access. My experience is the portion that limits shell access is the minority; but shell access requires some learning curve. However, a site owner should seek the option that gives him a little more access for a little more security. That's my opinion.

Yes, I realize that myBB is targeting the entire audience, not just those who opt for the alleged 40% server availability. Again, the reason why I said "Assuming the administrator has shell access...."

My point is this: "myBB provides a quality tool, but needs to put a little more focus on security by suggesting a more-secure permission structure for files/directories; then relenting to the less secure 777 structure when circumstances allow."

At the very least, the documentation should have a section on security that provides more secure set ups. FWIW, the advice I offered is exactly what I did on my forum, with no (yet) ill effects. :)
Just to be clear, as I'm sure there may be a reader that doesn't get my issue. When "world" (that is anybody with server access) has read-write-execute on a directory, they can establish a file that can itself be executed. That's the start of many exploits. The issue is that world should not be allowed to write files on a web-accessible directory.

I know the myBB developers understand this, so I'm not trying to assert that they don't. :) They're working with the cards 100% of their customers are dealt, which is the likelihood of not having chown privileges. You don't get chown if you're FTP-only. And, I've been spoiled by having shell access since 2001.

Another option is to have the "vulnerable" directories outside the web accessible space; which presents its own issues. So, I'm not recommending that.
If the host is properly configured (with security in mind), it does not matter if you use 777 or 664 for files since there is no process that could abuse the world permissions. In a properly configured environment, there is only "writable", "not writable", and nothing else. Without knowledge of the host configuration, it's also not possible to tell which permission is the most restrictive one that works; you can determine that only through trial and error.

Giving as little permissions as possible is a good security principle, but in practice the average Joe won't understand Linux file ownership and permissions; look at how long and confusing your own post is when you tried to explain it just now.

So telling people to just chmod 777 (meaning: make writable) the files and folders that need to be, is okay advice; if you know better, no one is stopping you from using 400 for files that only need to be owner readable, 600 writable etc. or whatever is the most restrictive option in your setup.

My chmods are set to minimum too and so far I haven't seen anything in MyBB that would complain about it. The actual owner/mode is not checked anywhere, it just says writable or not writable...
If we give people a whole list of different CHMODs to try in order of most secure to less secure and get them to try each one until it works, they're just going to get majorly confused. We could put it in the documentation and the Wiki but most users won't read either of these, and users who understand more about this would probably know that other settings may work anyway.

It also doesn't help when some hosts seem to apply a CHMOD of 777 to everything that gets uploaded. I've seen that a few times, everything is set to 777/666 and I know the forum owner hasn't done it.
FWIW, I found this thread because after researching phpBB and MyBB I decided that MyBB was probably the best match. I then began reading the installation instructions and was somewhat taken aback by the suggestion that all directories and files should have permissions set at 777.

We can debate whether or not it "really" makes a difference, but it raises red flags - especially for a Web application that is inherently accessible from the open Internet. Any vulnerability could allow someone to upload malicious code and execute on the server.

As merovech has correctly pointed out, chown-ing folders to the Web server's user and lowering permissions works just as well.

He also makes a suggestion that I read through the documentation expecting to see; an alternative permissions scheme for those that want a more secure installation. It doesn't seem like that would be too much extra effort, as no other piece of Wiki or Forum software that we have ever used (which admittedly does not come close to covering the entire universe of such software) has ever recommended setting permissions to 777 just to get it to work. No offense, but it just seems like the lazy way out to me.

My 2 cents.
How many hosts do you think are gonna let you Chown files? How many shared hosts are gonna even respond to that ticket?

2.0 is the next major release, and as Ryan said, these should be addressed.
We don't use a host. Not everybody does.
Besides, all I'm saying is why not give two methods. It's only documentation. No need to get snippy.
Quote: (2010-12-29, 06:20 PM) rabinnh wrote: We don't use a host. Not everybody does. Besides, all I'm saying is why not give two methods. It's only documentation. No need to get snippy.

I'm not meaning to. But you have to plan for the majority of users. The majority of MyBB users at the moment are not advanced. It's a loss for more advanced users. But since the world's largest hacking site runs MyBB, I'm pretty sure it's safe to use.
Quote: I then began reading the installation instructions and was somewhat taken aback by the suggestion that all directories and files should have permissions set at 777.

Where does it say that? It's only a handful of files and directories.

/cache/ 777
/cache/themes/ 777
/uploads/ 777
/uploads/avatars/ 777
inc/config.php 666 (after install you can set this to 644)
inc/settings.php 666

That's it. The language files are optional if you want to edit them from admincp. Otherwise leave them as 644.

Reality is that it's not a big deal. If you get a shell installed on your host they'll very likely be able to chmod and chown your files if they've gotten that far.
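
Added example, not part of any post in this thread and not MyBB's own code: the group-ownership scheme from the first post (775 for directories, 664 for files) applied to the writable paths listed in the last post, with an audit for world-writable entries before and after. The function names and the sample tree are assumptions made for illustration; on a real host the group would be the web server's (for example www-data or apache).

```shell
#!/bin/sh
# Added example: audit and tighten the writable MyBB paths named in the thread.
# The path lists come from the thread; all function names are hypothetical.
WRITABLE_DIRS="cache cache/themes uploads uploads/avatars"
WRITABLE_FILES="inc/config.php inc/settings.php"

# List files and directories under $1 with the world-write bit set.
# Symlinks are skipped: their own mode bits are not what access is checked against.
audit_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

mode_of() { ls -ld "$1" | cut -c1-10; }

# Hand the listed paths under $1 to group $2 (same effect as "chown :group path")
# and drop world write: directories become 775, files 664.
tighten_mybb() {
    root=$1 group=$2
    for d in $WRITABLE_DIRS; do
        [ -d "$root/$d" ] || continue
        chgrp "$group" "$root/$d" && chmod 775 "$root/$d"
    done
    for f in $WRITABLE_FILES; do
        [ -f "$root/$f" ] || continue
        chgrp "$group" "$root/$f" && chmod 664 "$root/$f"
    done
}

# Constructed sample tree: the 777/666 layout from the install instructions,
# plus an index.php left at 666 as if the host had applied it on upload.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/cache/themes" "$t/uploads/avatars" "$t/inc"
    : > "$t/inc/config.php"; : > "$t/inc/settings.php"; : > "$t/index.php"
    chmod 755 "$t/inc"
    chmod 777 "$t/cache" "$t/cache/themes" "$t/uploads" "$t/uploads/avatars"
    chmod 666 "$t/inc/config.php" "$t/inc/settings.php" "$t/index.php"
    echo "$t"
}

# Demo: the caller's own primary group stands in for the web server group.
tree=$(make_sample_tree)
echo "world-writable before:"; audit_world_writable "$tree"
tighten_mybb "$tree" "$(id -g)"
echo "world-writable after:";  audit_world_writable "$tree"
rm -rf "$tree"
```

The second audit still reports index.php, because only the listed paths are changed; anything else it prints is a file to review by hand.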