2010-10-17, 01:45 AM
Just recently installed myBB, and like what I see so far. I'm in the process of writing a sci-fi novel and intend to use the forum to interact with any fans crazy enough to buy.
However, there's the incessant insistence on permissions being 777. This is inherently insecure. World, the rightmost digit, should never have "7" permission.
Assuming the administrator has shell access, the more secure option is to first chown the target directory to the same group as the web server user. That is, if the web server user is "apache" and belongs to the group "apache" or (in Ubuntu) "www-data", then "chown :apache directory" or "chown :www-data directory". Then, set the permissions of that directory to 775. (Likewise for files that need web server write access, with perms at 664.)
Why? In a Unix system, the server daemon is usually a non-interactive user; so if somebody compromised that user nothing could be done because that user has no interactive shell. Chowning to the web service's group allows the web service to interact with that directory as you are seeking with 777; so changes can be made. But, restricting the world permission gives any unauthorized user only read and list authority (5). You could get away with 770 if you're really paranoid.
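The group-ownership scheme from the post above, as an added shell example (not from the original post or from the MyBB project): it builds a hypothetical, constructed directory tree, applies the 775/664 group-writable layout the post recommends, and then checks that nothing is left world-writable. The web server group is assumed; here the current user's primary group stands in for "www-data" or "apache" so the script runs anywhere.

```shell
#!/bin/sh
# Apply the post's scheme: group = web server group, dirs 775, files 664.
# "chgrp -R GROUP DIR" is the same as the post's "chown :GROUP DIR".
harden_webroot() {
    dir="$1"; grp="$2"
    chgrp -R "$grp" "$dir"
    find "$dir" -type d -exec chmod 775 {} +
    find "$dir" -type f -exec chmod 664 {} +
}

# Check: number of entries under DIR that are world-writable (-perm -002).
# Should be 0 once hardened; anything else is the 777 problem the post describes.
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Demo on a constructed tree in a temp dir (not a real forum install).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/uploads/avatars" "$demo_dir/inc"
printf 'avatar' > "$demo_dir/uploads/avatars/a.png"
printf '<?php\n' > "$demo_dir/inc/settings.php"

chmod -R 777 "$demo_dir"                   # the insecure "before" state
before=$(count_world_writable "$demo_dir") # non-zero: every entry is 777

# Assumption: use the current user's primary group; on a real host this
# would be the web server's group, e.g. www-data or apache.
harden_webroot "$demo_dir" "$(id -gn)"
after=$(count_world_writable "$demo_dir")  # 0 after hardening

echo "world-writable entries before: $before, after: $after"
```

Files the web server creates later get the server's own umask rather than 664, so the check above is worth re-running after uploads; setting the setgid bit on the directories (2775 instead of 775) keeps new files in the web server group.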