Why chmod 777 is not a security risk
Question: Is it safe to chmod everything?

Comment: How do you plan to reverse the chmod? This is non-trivial at best, and probably impossible at worst.

Answer:

Bob is the sysadmin responsible for a JBoss server.

Bob's JBoss is running as the user jboss. Your application has a harmless script that copies files from an upload folder to an Apache context folder (owned by the user apache and optimized to serve static files); this script runs as the user jboss.

Sounds like something you see out there, doesn't it? For example, for uploads of avatars and the like. Let's say Bob, not wanting to struggle with access permissions between jboss and apache, went there and executed chmod 777 on the Apache context folder. With this, the script in question, even running as the jboss user, can write files to the Apache folder without being bothered.

It seems harmless, right? Afterwards Bob began to have problems handling these jboss-owned files inside a folder belonging to apache: Apache did not display the images copied by the script. Bob, in a hurry, went there and changed his script to run chmod 777 on every file being copied to the Apache folder.

Bob saw no risk in doing so, since the firm's application had a JavaScript function that validated the extension of the files sent by users. The application only allowed files with image extensions to be sent to the server. Alice, the firm's developer, had copied that JavaScript function from a Stack Overflow post and pasted it into the web application in question.

Mallory then checks that PHP is installed in Apache, running even in the folder of static images. Again Bob did not see the need to be messing with Apache configuration files, since the folder in question would only contain images.

Question (Gary): It doesn't require that I chmod 777 the directory itself. I don't believe this; I have a very strong feeling that this is patently wrong, but after Googling for the last 2 hours I have found answers that both support and discourage this practice, so I thought I'd ask the experts.

Please explain how this works if it is in fact a safe practice. Your help would be greatly appreciated. Best regards, Gary.

Reply (Administrator Emeritus): In theory it's correct, in practice not really. To make a comparison, it's like leaving the keys in your car because it is in a locked garage.

Reply (Gary): Thanks, can you tell me more? Thanks for the reply, can you elaborate just a bit?

Are you saying that unless a person (perhaps a hacker) has access to my shell account or FTP access to my server, then he really can't harm the existing. OK, I just did an experiment: I chmod 777'ed an HTML file and tried to edit and publish it with Composer; if I don't enter a user name and password for the FTP upload, it will not let me write the file. It also says the directory is password protected, which I expected. Is it possible for someone to hack this chmod 777'ed file?

I understand that it would not be wise to explain how in a public forum, but I simply can't upload that application until I am certain my site will be safe. Also, is it possible for anyone not on my server to tell what the write permissions are set to? Thanks and regards, Gary.

Reply (Administrator Emeritus): With that permission they might as well be sitting in your chair.
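Both threads above come down to the same question: once a directory or file is world-writable, who on the machine can change it? The shell script below is an added example, not code from either thread or from any of the posters. It finds every entry under a path that grants write permission to "other" (which is exactly what chmod 777 on a directory, or 666 on a file, leaves behind) and replaces that with the shared-group scheme that is the usual fix for Bob's jboss-versus-apache problem: the directory becomes 2775 and is owned by a group both service users belong to, files become 0664, and "other" gets no write bit at all. The group name passed to fix_shared_dir is an assumption; it must already exist and contain both users.

```shell
#!/bin/sh
# Added example (not from the original threads): audit a tree for
# world-writable entries and convert them to a shared-group layout.
# Assumptions: POSIX sh with find/chmod/chgrp; the group given to
# fix_shared_dir is hypothetical and must already exist on the host.

# Print every entry under $1 whose mode grants write to "other"
# (mode bit 002), one path per line, sorted. chmod 777 on a directory
# or 666 on a file produces exactly these entries.
find_world_writable() {
    find "$1" -perm -002 -print | sort
}

# Number of world-writable entries under $1; "0" means the tree is clean.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Replace "everyone can write" with "one shared group can write":
#   directories -> 2775 (setgid, so new files inherit the directory's group)
#   files       -> 0664
#   group       -> $2, the group shared by the writing and the serving user
# Nothing here grants the write bit to "other".
fix_shared_dir() {
    dir=$1
    group=$2
    chgrp -R "$group" "$dir"
    find "$dir" -type d -exec chmod 2775 {} +
    find "$dir" -type f -exec chmod 0664 {} +
}

# Usage: sh audit.sh /var/www/html   (lists world-writable entries)
if [ -n "${1:-}" ]; then
    find_world_writable "$1"
fi
```

Run find_world_writable against the document root to answer Gary's question from the server side: the permission bits are not exposed over HTTP, but anyone with any local foothold (a web shell dropped through an upload form, a compromised sibling service, a cron job running as another user) sees them with a single ls, and the entries this script lists are the ones they can overwrite. The setgid bit in 2775 is what keeps the fix working over time: without it, files the jboss user creates in the directory keep jboss's primary group instead of the shared one, and the next hurried "fix" is another chmod 777.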