ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Folder permissions - chmod 777

February 06, 2012 5:19pm

  • #1 / Feb 06, 2012 5:19pm

    Pagemakers

    11 posts

    Hi,

    Can somebody tell me how we go about changing an ExpressionEngine 2 install so that none of the web accessible folders are chmod 777? We want the template still to be stored externally and the client to be able to upload files etc.

    The website we are launching is a fairly large scale site where security is extremely important, and the client has requested that none of the directories that are web facing should be chmod’d to 777.

    Many thanks,

    Ben

  • #2 / Feb 06, 2012 5:45pm

    Studio Meta

    105 posts

    You should take a look at .htaccess deny directory listing.

  • #3 / Feb 06, 2012 5:50pm

    Pagemakers

    11 posts

    Are you referring to something like:

    IndexIgnore *

    I am not sure if that’s the best way to prevent chmod 777 exploitation.

    Perhaps the EE team can provide some advice on the issue as I am sure I am not the first person to ask this.

  • #4 / Feb 06, 2012 5:51pm

    Studio Meta

    105 posts

    By the way, chmoding a folder to 777 isn’t a security issue.

  • #5 / Feb 06, 2012 6:01pm

    Pagemakers

    11 posts

    Thanks for the swift replies. Can you explain in a bit more detail please?

    My client’s concern is that having a directory that is set to 777 permissions can lead to exploitation of a system via backdoors that allow for malicious scripts to be executed.

  • #6 / Feb 06, 2012 6:03pm

    Studio Meta

    105 posts

  • #7 / Feb 06, 2012 6:10pm

    Pagemakers

    11 posts

    I am aware of the permission settings within unix and that certain users have the ability to perform certain actions. This is clear.

    What is not clear and what I am interested in finding out (perhaps you could explain in a bit more depth) is why this is not a problem with an ExpressionEngine install.

    See here for some reasons why it’s a bad idea: http://stackoverflow.com/questions/2338641/in-a-php-apache-linux-context-why-exactly-is-chmod-777-dangerous

  • #8 / Feb 07, 2012 6:47pm

    Shane Eckert

    7174 posts

    Hello Pagemakers,

    Thank you for using the ExpressionEngine forums!

    The answer is pretty simple. chmod 777 on those key directories allows for the most flexibility across all types of hosting solutions. A better way to say this is: Set your folder X to 777 (or equivalent write permissions for your server).

    The best practice is to work with your hosting service or IT department and get the security to where you are as secure as can be, while allowing the site to do what you need the site to do.

    I hope this helps.

    Cheers,
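
Added example, not part of the original thread and not ExpressionEngine's own code: one way to work out the "equivalent write permissions" mentioned in post #8, by listing world-writable directories and reporting the tightest mode that still lets the web server user write. The directory names, the `www-data` user and the function names are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: paths, users and function names are constructed for illustration.

# List directories under $1 that have the world-write bit set (e.g. 777).
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print | sort
}

# Pick the tightest directory mode that still lets the web server write.
#   $1 = directory owner   $2 = directory group
#   $3 = web server user   $4 = space-separated groups of that user
needed_mode() {
    local owner=$1 group=$2 web_user=$3 web_groups=$4 g
    if [ "$web_user" = "$owner" ]; then
        echo 755; return      # owner bits are enough (e.g. PHP runs as the site owner)
    fi
    for g in $web_groups; do
        if [ "$g" = "$group" ]; then
            echo 775; return  # group bits are enough
        fi
    done
    echo 777                  # only the "other" bits apply; change ownership instead
}

# Print each world-writable directory with the mode it actually needs.
audit() {
    local root=$1 web_user=$2 web_groups=$3 d owner group
    world_writable_dirs "$root" | while IFS= read -r d; do
        owner=$(ls -ld "$d" | awk '{print $3}')
        group=$(ls -ld "$d" | awk '{print $4}')
        printf '%s %s\n' "$d" "$(needed_mode "$owner" "$group" "$web_user" "$web_groups")"
    done
}

# Demo on a constructed tree: "uploads" is 777, "system" is 755.
demo=$(mktemp -d)
mkdir "$demo/uploads" "$demo/system"
chmod 777 "$demo/uploads"
chmod 755 "$demo/system"
audit "$demo" www-data "www-data"
rm -rf "$demo"
```

A result of 777 means the web server user matches neither the owner nor the group of the directory, so the fix is a change of ownership or group (with your host or IT department) rather than a wider mode.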