3

Can someone steal or change my PHP files if I have set them to chmod 777?

I have an EC2 instance, and even when I'm logged in as ec2-user I can't change my files if I have set them to chmod 755. I can only make changes to the files when I have set them to chmod 777.

Bill the Lizard
  • 398,270
  • 210
  • 566
  • 880
einstein
  • 13,389
  • 27
  • 80
  • 110
  • 1
    No one outside your server, no. Somewhat related: [In a PHP / Apache / Linux context, why exactly is chmod 777 dangerous?](http://stackoverflow.com/q/2338641) – Pekka Jun 02 '11 at 18:54
  • +1 for posting the link, most useful answer. – Halcyon Jun 02 '11 at 18:56

4 Answers

4

Yes and no. Can anyone who is viewing the files over the net? No. However, anyone with the ability to log on to your machine could change the files (since they are world readable/writable). In general, this isn't good practice. I'd advise not permitting more than 775. If you are in a hosted environment, this shouldn't be a problem though.

JoshuaRogers
  • 405
  • 2
  • 5
3

Actually, everyone here is incorrect; 755 for a file is very wrong.

This means read/write/execute by the owner, and read/execute by the group and everyone else.

Directories should be 755, as the execute bit on a directory means that the user can list its contents, since you obviously can't execute a directory.

Execute does not make sense for web-hosting scripts, as the execute bit is only interpreted by the shell, not by PHP.

In short, directories should be at most 755 (rwx,rx,rx), and files should be 644 (rw,r,r).

Your files can be stolen in a shared hosting environment very easily if they have global read access to your files.

There are three ways the web host can be configured with PHP:

  1. As an Apache module (all scripts run as the same user regardless)
  2. As a CGI binary in a jail/chroot (may run as the same user, but the files are jailed from the rest of the filesystem, so others can't access them, and you can't access theirs)
  3. Using SuExec or suPHP (PHP is run as the owner of the website)

If your host is running as a module (1), then your files must be 664 and directories 755, and are readable by everyone on the server.

If your host is running in a jail/chroot (2), then your files probably have to be 664 and directories 755, but they are protected.

If your host is using suExec or suPHP then your php files should be 640 and directories 750, otherwise others can access your scripts. You may even be able to restrict it further to 600, and 700, but apache still needs to read the plain files (not scripts), so you need to take this one step further and make sure the files are owned by you, but in the group the web-server is running as.

Geoffrey
  • 10,843
  • 3
  • 33
  • 46
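The permission ceilings in this answer (755/644 for a module or jailed-CGI host, 750/640 when PHP runs as the site owner under suExec/suPHP) can be checked and enforced mechanically. The script below is an added example, not code from the original answer or from the question's host; it assumes GNU find (for `-perm /mask` and `-printf`) and builds its own sample tree in a temporary directory, mirroring the question's chmod 777 setup. The mode names `module` and `suexec` are this example's own labels for the configurations described above.

```shell
#!/bin/sh
# Added example (not part of the original answers): audit a web root against the
# ceilings described above and optionally clamp paths to them.
#   module : PHP as an Apache module or CGI in a jail -> dirs <= 755, files <= 644
#   suexec : suExec / suPHP, PHP runs as the site owner -> dirs <= 750, files <= 640
# The sample tree is constructed in a temp dir; nothing here touches a real site.
# (Hosts that require group write, the 664 mentioned above, would need the file
# ceiling raised to 664, i.e. an excess mask of 113.)

# ceilings MODE -> sets dir_mode/file_mode and the "excess" masks: the bits that
# must NOT be set. `find -perm /MASK` matches any path with any of those bits.
ceilings() {
    case "$1" in
        suexec) dir_mode=750; file_mode=640; dir_excess=027; file_excess=137 ;;
        *)      dir_mode=755; file_mode=644; dir_excess=022; file_excess=133 ;;
    esac
}

# audit_perms ROOT MODE -> one line per offending path: "DIR|FILE mode path"
audit_perms() {
    ceilings "$2"
    find "$1" -type d -perm "/$dir_excess" -printf 'DIR  %m %p\n'
    find "$1" -type f -perm "/$file_excess" -printf 'FILE %m %p\n'
}

# count_offenders ROOT MODE -> number of offending paths
count_offenders() {
    audit_perms "$1" "$2" | wc -l | tr -d ' '
}

# fix_perms ROOT MODE -> clamp every directory and file to the ceiling.
# Ownership is deliberately left alone: for suexec the answer's point is that
# files stay owned by you but in the web server's group, and that chgrp needs
# the host-specific group name, so it is done separately.
fix_perms() {
    ceilings "$2"
    find "$1" -type d -exec chmod "$dir_mode" {} +
    find "$1" -type f -exec chmod "$file_mode" {} +
}

# make_sample_root -> path to a constructed tree mimicking the question's setup
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/includes"
    printf '<?php echo "hi";\n'  > "$root/public_html/index.php"
    printf '<?php $db = "x";\n'  > "$root/public_html/includes/config.php"
    printf 'body {}\n'           > "$root/public_html/style.css"
    chmod 755 "$root" "$root/public_html"
    chmod 777 "$root/public_html/includes"    # the 777 from the question
    chmod 777 "$root/public_html/index.php"   # world-writable script
    chmod 644 "$root/public_html/style.css"   # plain asset, fine on a module host
    chmod 640 "$root/public_html/includes/config.php"
    echo "$root"
}

# Stand-alone demo: show what each mode flags, then clamp and re-check.
demo_root=$(make_sample_root)
echo "== module mode =="; audit_perms "$demo_root" module
echo "== suexec mode =="; audit_perms "$demo_root" suexec
fix_perms "$demo_root" suexec
echo "offenders after fix (suexec): $(count_offenders "$demo_root" suexec)"
rm -rf "$demo_root"
```

On the constructed tree, `module` mode flags only the two 777 entries, while `suexec` mode also flags every 755 directory and 644 file, because under suExec/suPHP "other" should have no access at all. Run `audit_perms` first and `fix_perms` only once you know which of the three configurations your host uses; clamping to 640/750 on a module host will break the site, since Apache then cannot read the files.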
1

They can modify / steal your files if they have access to your server and have a working username / password. chmod 777 lets anyone read and write to your files (as well as execute them).

So, for example, if you're hosting your website on a shared server, other websites running on that server would be able to access your files and modify them, even though they run in a different user context.

Steve Mayne
  • 22,285
  • 4
  • 49
  • 49
0

Steal: yep.
If you're not using .htaccess, yeah :)
Why do you use chmod 777?

UPDATE
Anyone can download the file, no?
wget http://xxx.xxx/update.php~ works

red eyes dev
  • 398
  • 3
  • 11
  • Downloading a PHP file doesn't mean downloading the *source* file, which I assume is what the OP is worried about. – Pekka Jun 02 '11 at 19:00
  • 1
    That only works if the file with the extension .php~ exists on the server, which can occur when an editor such as nano leaves behind a temp file from not being properly shut down (e.g., lost connection). – Geoffrey Jun 03 '11 at 09:00
  • You can do something similar if the sysadmin uses Subversion to push code changes, as it leaves behind .svn directories all over the place that contain copies of each file with a ".svn-base" extension, so you can usually view those as plain-text in your browser. –  Jun 03 '11 at 11:49
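The comments above make a point that is separate from permission bits: a stray `update.php~`, a vim swap file or a `.svn/text-base/*.svn-base` copy does not end in `.php`, so Apache serves it as plain text and the source leaks regardless of chmod. The script below is an added example, not code from the original post or commenters; it assumes a POSIX `find` and constructs its own sample document root in a temporary directory so that it can be run offline.

```shell
#!/bin/sh
# Added example (not from the original post or comments): locate the leftovers
# the comments describe, editor backup/swap files (index.php~, .index.php.swp,
# *.bak) and VCS metadata (.svn with its *.svn-base copies, or .git) inside a
# document root. These are served as plain text, so they hand out PHP source.
# The sample tree is constructed in a temp dir.

# find_leftovers DOCROOT -> prints each suspicious path
find_leftovers() {
    find "$1" \( -name '*~' -o -name '*.swp' -o -name '*.bak' \
                 -o -name '*.svn-base' -o -name '.svn' -o -name '.git' \) -print
}

# count_leftovers DOCROOT -> number of suspicious paths
count_leftovers() {
    find_leftovers "$1" | wc -l | tr -d ' '
}

# make_sample_docroot -> constructed tree with a few typical leftovers
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/.svn/text-base"
    printf '<?php $pass = "secret";\n' > "$d/index.php"
    cp "$d/index.php" "$d/index.php~"                         # nano/vim backup
    cp "$d/index.php" "$d/.index.php.swp"                     # vim swap file
    cp "$d/index.php" "$d/config.php.bak"                     # hand-made backup
    cp "$d/index.php" "$d/.svn/text-base/index.php.svn-base"  # Subversion pristine copy
    printf 'body {}\n' > "$d/style.css"                       # legitimate asset
    echo "$d"
}

# Stand-alone demo: list what would leak, then clean up the temp tree.
demo=$(make_sample_docroot)
find_leftovers "$demo"
echo "found: $(count_leftovers "$demo")"
rm -rf "$demo"
```

Running this over a real document root (cron or a deploy hook) catches the files before a browser does. The two complementary mitigations are deploying with `svn export` rather than a working-copy checkout so no `.svn` directories land under the web root, and adding an Apache deny rule such as `<FilesMatch "(~|\.bak|\.swp|\.svn-base)$">` with `Require all denied` (Apache 2.4 syntax) plus a matching `<DirectoryMatch "/\.(svn|git)">` block, so a leftover that does slip through is still not served.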