4

Is it safe to chmod a directory 777, or is it a security risk?

One of my scripts requires that in order to run in multi-user situations, and I'm wondering if it's okay.

configurator
  • 737
  • 4
    You should set it to group-writable, and world-read-only, and add users to the group as necessary. – nanofarad Sep 14 '12 at 22:56
  • See also: http://askubuntu.com/questions/20105/for-security-reasons-why-should-var-www-not-have-chmod-777 – Jorge Castro Sep 15 '12 at 03:35
  • @JorgeCastro: Thanks, although that thread doesn't explain anything I didn't know. Yes, 777 means anyone with access to the filesystem can create and execute a script. But is that exploitable to cause a security problem? Wouldn't someone with access to the filesystem be able to do that even without my 777 directory? – configurator Sep 15 '12 at 07:55
  • @configurator The main problem is that users can normally (without sticky bit) delete / edit each other's files. (and "users" include things like a web server application, which might do that in case of an exploit) (it also provides a place where an exploit can dump / run shellcode from, at least if not mounted noexec) – Gert van den Berg Feb 08 '24 at 11:49

1 Answers1

4

While it is generally considered to be a bad practice, because any user can remove or modify any other users data, it is not such a great risk in itself; or, better said, it all depends on the context. On a machine with a limited number of trusted users this is not really a problem, as long as the script is not world accessible (like a web cgi) or runs as root.

However, there are many ways such a need can be avoided, and if you post some details (why must the script use 777?), we can consider a better solution. One semi-solution is to set the +t bit; that way, any user can write in the directory, but only that user can then remove or modify the created files.

January
  • 35,952