2010-11-23, 11:36 AM
Hello,
I have a hosting plan from 1and1 with PHP and MySQL. I run different subsystems in different subfolders, which I can access with my FTP account:
- /public_html/forum/ hosts a MyBB forum
- /public_html/wiki/ hosts a MediaWiki wiki
A common recommendation is that chmod for every file in /public_html/forum/ should be set to 644 and that every folder in /public_html/forum/ should be set to 755. For example, here: MyBB security recommendations.
But in my opinion there is no difference between 644 and 666, or between 755 and 777.
If I understand correctly, then every HTTP request is handled by a PHP process (or PHP instance). And this process is executed by a specific user account, which has specific rights on the server. Let's call this user account phpuser. And this user is also the owner of every file and folder in /public_html/forum/. So in the 755 case, effectively the right 7 (=read,write,execute) is set, and in the 644 case, effectively the right 6 (=read,write) is set. So effectively 55 and 44 have absolutely no effect.
The PHP process, which runs as phpuser, has no knowledge about the user management of MyBB. It can't distinguish if a user posting a new thread is an administrator or a normal user. It is always phpuser who accesses the filesystem. There is no other user in the same group as phpuser, or some other user who is not in the same group as phpuser.
So in my opinion it makes no difference if the files and folders in /public_html/forum/ are set to 644 and 755 respectively. In my opinion 666 and 777, or even 777 and 777, makes no difference with regard to security.
Or did I miss an important thing here?
My problem is also related to another *very* important question, which I will surely also ask in a different thread: when I give a user administrative rights in the MyBB forum, is this user then able to escape from the /public_html/forum/ subfolder and access files in /public_html/wiki/ or other files? If so, then this would be a major security problem, because both the MediaWiki wiki and the MyBB forum are executed with the same user account phpuser.
I am very afraid to give users administrative rights and don't know what I should do. I don't want to get hacked by an administrator of the forum.
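As an added example, not part of the post above: a small model of the POSIX permission check (owner, group, other bits) that shows what a process gets under the modes the post discusses, once for a process running as the file owner phpuser and once for a process running as a different account. The uids/gids and the second "non-owner" identity are constructed assumptions for the comparison, not values from the poster's server.

```python
# Added example (not from the original post): a model of the POSIX permission
# check, used to compare 644/755 against 666/777 for different process identities.
# All uids and gids below are constructed, not real server values.
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    """Identity a process runs as: its uid and the set of gids it belongs to."""
    uid: int
    gids: frozenset

R, W, X = 4, 2, 1  # read, write, execute/search bit values

def effective_bits(mode: int, owner_uid: int, owner_gid: int, who: Principal) -> int:
    """Select the single permission class that applies: owner bits when the
    uid matches, else group bits when a gid matches, else the 'other' bits."""
    if who.uid == owner_uid:
        return (mode >> 6) & 7
    if owner_gid in who.gids:
        return (mode >> 3) & 7
    return mode & 7

def rwx(bits: int) -> str:
    """Render a 3-bit permission class as ls-style 'rwx'."""
    return "".join(ch if bits & b else "-" for ch, b in (("r", R), ("w", W), ("x", X)))

def access_by_mode(modes, owner_uid, owner_gid, who):
    """Map each candidate mode to the rwx string the given identity ends up with."""
    return {oct(m): rwx(effective_bits(m, owner_uid, owner_gid, who)) for m in modes}

# Constructed identities: phpuser (uid/gid 1001) owns /public_html/forum/;
# OTHER_SVC models a process that is NOT the file owner and not in its group.
PHPUSER = Principal(uid=1001, gids=frozenset({1001}))
OTHER_SVC = Principal(uid=33, gids=frozenset({33}))
FILE_MODES = (0o644, 0o666)
DIR_MODES = (0o755, 0o777)

if __name__ == "__main__":
    for who, label in ((PHPUSER, "owner process    "), (OTHER_SVC, "non-owner process")):
        print(label, "files:", access_by_mode(FILE_MODES, 1001, 1001, who))
        print(label, "dirs: ", access_by_mode(DIR_MODES, 1001, 1001, who))
```

For the owner identity the two file modes yield the same "rw-", which is the post's reasoning; the difference between 644 and 666 only appears for an identity that is not the owner.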