Inspired by the discussion in this question, a maybe stupid question.
We have all been taught that leaving directories or files on Linux-based web hosting with the permission level of 777
is a bad thing, and to set always as little permissions as necessary.
I am now curious as to where exactly lies the danger of exploitation, specifically in a PHP / Apache context.
After all, a PHP script file can be executed from the outside (i.e. through a call to the web server, and subsequently to the interpreter) no matter whether it is marked as "executable", can't it? And the same applies to files called through the command-line php
interpreter, right?
So where exactly is the vulnerability with 777
? Is it the fact that other users on the same machine can access files that are made world writable?
Let's suppose you have a software package installed in your server and there is a zero day vulnerability into it, the attacker gains access to your Admin Control Panel with uploading files capabilities, if you set everything to 777 it would be trivial for him to upload a shell script anywhere he wants. However, if you set the permissions properly he can't do it since nobody/www-data/etc won't have write permissions.
There are many good general reasons to follow minimalism when it comes to permissions, but in the context of a LAMP webhost, the few that come readily to mind are
rm -rf /
. Now generally this will be harmless because there would hardly be any file that nobody should have write permissions on but this rouge process will now take your files with it.It greatly increases the vulnerability profile of your website to malicious activity because it's only necessary to break into one account.
Anyone that gains access to your system with any login can do whatever they want to your pages, including changing them to read "This website is really insecure so please give me your credit card info."
EDIT: (To clarify and address comments)
Many servers have more than one purpose in life. They run multiple services. If you carefully isolate those services from each other by assigning each a unique user and managing file permissions accordingly, yes, you are still in hot water if someone compromises the credentials for an account, but the damage they can do is limited to that one service. If you just have one generic account and set the whole file system to 777, one compromised account jeopardizes everything on the machine.
If your server is dedicated to only running Apache/PHP and serves no other purpose in life, and there is only one account under which Apache/PHP is being run, having that one account compromised is as good as having the whole machine compromised from the point of view of your application (although you should still have system files protected and non-writable by the account used to run PHP... that should still only be possible for an admin account/root).
If they can write a file, and it is executable, they can change it to something that executes on your machine (executable or script) and then use PHP's shell_exec to run that executable. If you're configured not to allow shell_exec, they can change your configuration as well
Here's one scenario:
system()
call in it to the shell script.If this directory is 777, that means that anybody (including the user apache, which is what php script will execute as) can execute it! If the execute bit is not set on that directory and presumably the files inside the directory, then step 3 above would do nothing.
edit from the comments: it's not the PHP file's permissions that matter, it's the
system()
call inside the PHP file that will be executed as a linux system call by the linux user apache (or whatever you have apache set to run as), and that is PRECISELY where the execution bit matters.