[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [cobalt-users] Re: email forwarding
- Subject: RE: [cobalt-users] Re: email forwarding
- From: "Chris Demain" <cdemain@xxxxxxxxxxx>
- Date: Fri Dec 14 10:22:02 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> This is a legitimate question for you Chris.
>
> Does it really matter about providing 777 permissions on files which are
> effectively outside of the public_html area, I always thought that it did
> not matter as it was not accessible, but if you know otherwise please tell
> all because I do need to know if this is the case......
>
> If I am wrong in thinking it doesnt matter about too much permissions
> outside of public_html area, sorry one and all for saying that should be
> safe and secure enough.....!!
>
> Ian
Ian,
It is a good practice to be secure-by-default and only give the smallest
amount of permissions which will work. It may not be a from-the-browser
security hole, but it could spell disaster if someone has telnet/ssh access.
The fact that it's world writable + world executible means I can echo
arbitrary code into the file, and then run the file!
$ echo "malicious code" > /path/to/777'd/file
$ sh /path/to/777'd/file
# Whee!
Of course, it's not this easy ... but it's certainly easier than if it
_doesn't_ have those permissions.
This is compounded in set-gid/uid situations.
While it may have been good enough for a fix to the problem, there's nothing
safe about 777 permissions, as a rule.
Sorry if it came accross as an accusation, I just wanted to give warning
about the dangers. If it doesn't need execution privs, don't give them,
unless all users must be able to write to it, don't give world write, etc.
</rant> ;)
-Chris