Is chmod 757 safe?

Posted 2019-04-29 07:00

Question:

As I am on a shared host, I want to add an image hosting script, and it seems that with 755 it doesn't allow me to upload images, so I changed the folder to 757. Is it safe to chmod to 757?

Answer 1:

In a word, no. In two words, "hell. no!"

Let's interpret 757: that would be

  • owner: read write execute
  • groups that have permissions on the file: read - execute
  • the rest of the freaking world: read write execute

Now, consider someone malicious uploading a short shell script:

 #!/bin/sh --
 rm -rf /

Update

Aha, the "folder". Okay, here's the deal: if you don't have the execute bit set on a directory, that blocks searching the directory. The reason the host is asking you to do the world=RWX is that they aren't running the web server as you, so they're taking the simple and dumb route to fix it.

There are two possibilities here:

  • they have some scheme in place to make sure that the permission of uploaded files in that directory can't have the execute bit set

  • they don't and haven't gotten burned yet

Here's an article on what better methods are.

On the assumption that your hosts aren't fools, see what happens with 775.
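
Added example, not part of the original answer: a small POSIX shell audit that decodes a mode such as 757 into the per-class bits listed above and checks an upload directory for the two conditions the answer worries about, a world-writable directory and uploaded files that carry an execute bit. The function names and the directory passed in are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the original post.

# Turn one octal digit (0-7) into its rwx triplet.
triplet() {
    d=$1; out=""
    [ $((d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
    [ $((d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
    [ $((d & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
    printf '%s' "$out"
}

# describe_mode 757  ->  owner=rwx group=r-x other=rwx
describe_mode() {
    m=$1
    case $m in
        [0-7][0-7][0-7]) ;;
        *) echo "expected three octal digits" >&2; return 2 ;;
    esac
    o=${m%??}; rest=${m#?}; g=${rest%?}; w=${m#??}
    printf 'owner=%s group=%s other=%s\n' \
        "$(triplet "$o")" "$(triplet "$g")" "$(triplet "$w")"
}

# audit_upload_dir DIR
# Lists directories under DIR that are writable by "other" and regular
# files that have any execute bit set. Returns 0 when clean, 1 otherwise.
audit_upload_dir() {
    dir=$1
    found=$(
        find "$dir" -type d -perm -0002 \
            -exec printf 'world-writable dir: %s\n' {} \;
        find "$dir" -type f \
            \( -perm -0100 -o -perm -0010 -o -perm -0001 \) \
            -exec printf 'executable file: %s\n' {} \;
    )
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Usage (after sourcing this file):
#   describe_mode 757
#   audit_upload_dir /path/to/uploads
```
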