MyBB Community Forums

Full Version: Is chmod 755 and 644 useless?
Hello,

I have a hosting plan from 1and1 with PHP and MySQL. I run different subsystems in different subfolders, which I can access with my FTP account:
  • /public_html/forum/ hosts a MyBB forum
  • /public_html/wiki/ hosts a Mediawiki wiki

A common recommendation is that chmod for every file in /public_html/forum/ should be set to 644 and that every folder in /public_html/forum/ should be set to 755. For example, see the MyBB security recommendations.

But in my opinion there is no difference between 644 and 666, or between 755 and 777.

If I understand correctly, then every HTTP request is handled by a PHP process (or PHP instance). And this process is executed by a specific user account, which has specific rights on the server. Let's call this user account phpuser. And this user is also the owner of every file and folder in /public_html/forum/. So in the 755 case, effectively the right 7 (=read,write,execute) is set, and in the 644 case, effectively the right 6 (=read,write) is set. So effectively 55 and 44 have absolutely no effect.

The PHP process, which runs as phpuser, has no knowledge about the user management of MyBB. It can't distinguish if a user posting a new thread is an administrator or a normal user. It is always phpuser who accesses the filesystem. There is no other user in the same group as phpuser, or some other user which is not in the same group as phpuser.

So in my opinion it makes no difference if the files and folders in /public_html/forum/ are set to 644 and 755 respectively. In my opinion 666 and 777, or even 777 and 777, make no difference in terms of security.

Or did I miss an important thing here?

My problem is also related to another *very* important question, which I am sure I will also ask in a different thread: when I give a user administrative rights in the MyBB forum, is this user then able to escape from the /public_html/forum/ subfolder and access files in /public_html/wiki/ or other files? If so, then this would be a major security problem, because both the Mediawiki wiki and the MyBB forum are executed with the same user account phpuser.

I am very afraid to give users administrative rights and don't know what I should do. I don't want to get hacked by an administrator of the forum.
Of course there's a difference between 644/666 and 755/777, one has more permissions than the other. 666 and 777 are not inherently insecure, they're insecure if someone manages to get access to your file system as then they'd be able to write to that file/folder. I'm really not sure what you're trying to say here.
(2010-11-23, 01:37 PM) MattRogowski Wrote: they're insecure if someone manages to get access to your file system as then they'd be able to write to that file/folder. I'm really not sure what you're trying to say here.

And in my opinion this is something which can never happen in a normal hosting plan with PHP.

The only way users can access files on the file system is when they make an HTTP request. And in a PHP environment every HTTP request is handled by a PHP process, which always has the same rights, because every process is bound to a system user. Let's call this system user phpuser.

So in normal conditions only phpuser has access to the files on the file system. There are no other system users in the same group, or other system users which are not part of the same group as phpuser.

This is the reason why I reckon that there is no difference between 644 and 666, because in this special context where only phpuser has access to the files, only the first digit on chmod is relevant.

So the general security advice to set files to 644 and folders to 755 is in most cases completely useless. 666 or 777 has no drawbacks in this context, which is true in more than 99% of the cases, because nearly everybody who runs a MyBB forum has a standard hosting plan with PHP and MySQL.
Consider this:

Two users, let's call them user A and user B, are running sites and have access to the same server that's hosting your files. You are user A and you don't want user B to have access to your files.

If you chmod all files/folders to 666/777, this means that everyone has read/write access to your files, including user B who you do not want to have access.
You might want 666/777 access if phpuser is not the owner of the files and they need to write to them. Some hosts overcome this by using suexec, which executes scripts as the user, so you don't need to use 666/777.

Which is why you chmod 644/755 so that user B can not access your files.

Now this is a theoretical worst-case scenario, since hosts lock users in their home dirs so that they can not access others' dirs, but you don't want to take the chance that if someone can access your files they are able to change them.
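To make the user A / user B argument concrete, here is an added example (not code from the thread, from MyBB or from any host) that applies the POSIX rule the posts are arguing about: a process gets exactly one of the three permission triplets, chosen by whether its uid matches the owner, its gid matches the group, or neither. It evaluates what phpuser (assumed uid/gid 1000, the owner) and a second hosting customer (assumed uid/gid 1001, not in the group) can do with a file at 644 versus 666, and then audits a constructed directory layout for entries that carry the "other" write bit, which is the check an account owner would run to find files that a neighbour on the same box could modify if the host's isolation ever failed. The uids, paths and file contents are all made up for the demonstration; ACLs and root are outside the model.

```python
import os
import stat
import tempfile


def effective_rights(mode, owner_uid, owner_gid, uid, gid):
    """Return (read, write, execute) that a process running as uid/gid gets on
    a file with the given numeric mode and owner/group.

    POSIX picks exactly one triplet: the owner bits if the uid matches, else
    the group bits if the gid matches, else the "other" bits. Assumption for
    this example: no ACLs and no root (root bypasses mode bits entirely).
    """
    if uid == owner_uid:
        bits = (mode >> 6) & 0o7
    elif gid == owner_gid:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return (bool(bits & 4), bool(bits & 2), bool(bits & 1))


def audit_world_writable(root):
    """Walk root and return sorted relative paths of every file or directory
    whose mode has the 'other' write bit (o+w) set, i.e. the entries that a
    user outside the owner's group could modify."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are not meaningful here
            if st.st_mode & stat.S_IWOTH:
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def build_demo_tree():
    """Create a constructed sample layout in a temp dir (not a real hosting
    account): forum and wiki files at 644/755, plus one file and one
    directory deliberately left at 666/777 for the audit to find."""
    root = tempfile.mkdtemp(prefix="chmod-demo-")
    dirs = {
        "forum": 0o755,
        "forum/inc": 0o755,
        "forum/uploads": 0o777,           # the loose directory
        "wiki": 0o755,
    }
    files = {
        "forum/index.php": 0o644,
        "forum/inc/settings.php": 0o666,  # the loose file
        "wiki/LocalSettings.php": 0o644,
    }
    for rel in dirs:  # insertion order guarantees parents come first
        os.mkdir(os.path.join(root, rel))
    for rel in files:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php // constructed placeholder\n")
    # chmod explicitly after creation so the process umask cannot interfere
    for rel, mode in {**dirs, **files}.items():
        os.chmod(os.path.join(root, rel), mode)
    return root


if __name__ == "__main__":
    PHPUSER = (1000, 1000)   # assumed owner of everything under public_html
    USER_B = (1001, 1001)    # assumed other customer, not in phpuser's group
    for mode in (0o644, 0o666, 0o755, 0o777):
        print(oct(mode),
              "phpuser:", effective_rights(mode, 1000, 1000, *PHPUSER),
              "user B:", effective_rights(mode, 1000, 1000, *USER_B))
    print("world-writable entries:", audit_world_writable(build_demo_tree()))
```

Run as a script it prints that phpuser gets read and write under both 644 and 666, which is the point the original poster makes, while user B gets read-only under 644 and read-write under 666, which is the difference the reply describes; the audit then lists only forum/inc/settings.php and forum/uploads. On a real account, running audit_world_writable over public_html (or the equivalent find -perm -o+w) is a cheap periodic check, and the suexec arrangement mentioned above is what lets the owner drop the o+w bit without breaking writes.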