Ubuntu – Shouldn’t /var/www have chmod 777

Tags: apache2, permissions, security, www

When developing a page on a localhost, I sometimes get a "Permission denied" error which I can solve by running chmod -R 777 /var/www. However, people are telling me that this is a bad idea for security reasons.

Why shouldn't /var/www have a chmod of 777?

Best Answer

  • 777 is a bad permission in general and I'll show you why.

    Despite how it may look in a Casino or Las Vegas, 777 doesn't mean jackpot for you. Rather, jackpot for anyone who wishes to modify your files. 777 (and its ugly cousin 666) allow Read and Write permissions (and in the case of 777, Execute) to other. You can learn more about how file permissions work, but in short there are three groups of permissions: owner, group, and other. By setting the permission to 6 or 7 (rw- or rwx) for other you give any user the ability to edit and manipulate those files and folders. Typically, as you can imagine, this is bad for security.

    Here's my example:

    marco@desktop:~/Projects/AskUbuntu/20105$ cd ..
    marco@desktop:~/Projects/AskUbuntu$ chmod 0777 20105
    marco@desktop:~/Projects/AskUbuntu$ cd 20105/
    marco@desktop:~/Projects/AskUbuntu/20105$ ls -lah
    total 8.0K
    drwxrwxrwx 2 marco marco 4.0K 2011-01-04 20:32 .
    drwxr-xr-x 3 marco marco 4.0K 2011-01-04 20:32 ..
    marco@desktop:~/Projects/AskUbuntu/20105$ touch test
    marco@desktop:~/Projects/AskUbuntu/20105$ chmod 0666 test 
    

    So far I have created a folder and made a file with "bad" permissions (777 and 666). Now I'll switch into another user and try to manipulate those files.

    marco@desktop:~/Projects/AskUbuntu/20105$ sudo su - malicious
    malicious@desktop:~$ cd /home/marco/Projects/AskUbuntu/20105
    malicious@desktop:/home/marco/Projects/AskUbuntu/20105$ ls
    test
    malicious@desktop:/home/marco/Projects/AskUbuntu/20105$ ls -lah
    total 8.0K
    drwxrwxrwx 2 marco marco 4.0K 2011-01-04 20:33 .
    drwxr-xr-x 3 marco marco 4.0K 2011-01-04 20:32 ..
    -rw-rw-rw- 1 marco marco    0 2011-01-04 20:33 test
    malicious@desktop:/home/marco/Projects/AskUbuntu/20105$ touch bad
    malicious@desktop:/home/marco/Projects/AskUbuntu/20105$ echo "OVERWRITE" > test 
    malicious@desktop:/home/marco/Projects/AskUbuntu/20105$ cat test 
    OVERWRITE
    

    As this "malicious" user I was able to place files into the directory and inject text into already existent files. Whereas below, in a directory with 755 and files with 644, I am able to see inside files and directories but I can not edit the files nor create new ones:

    malicious@desktop:/home/marco/Projects/AskUbuntu/20105$ cd /home/marco/Projects
    malicious@desktop:/home/marco/Projects$ touch hey
    touch: cannot touch `hey': Permission denied
    

    For Apache permissions, you're going to want to stick to 0755 and 0644 (AKA umask 022) for folders and files respectively. This allows you, as the owner of the files, to edit and manipulate them while giving Apache the bare minimum levels of access needed to operate.
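
The following script is an added example, not code from the answer above or from Ubuntu's documentation. It turns the answer's advice into two checks a practitioner would actually run: an audit that lists everything under a web root that "other" can write to (the 777/666 case the answer demonstrates), and a hardening step that applies the 0755/0644 layout the answer recommends. The function names (`find_world_writable`, `harden_webroot`, `has_mode`) and the optional owner/group arguments are assumptions for this example; in practice you would pass your own login and the web server's group, for instance `www-data` on Ubuntu, and `/var/www` as the directory. The demo at the bottom builds a throwaway tree with the "bad" permissions so it runs without root.

```shell
#!/bin/sh
# Added example (not from the original answer): audit a web root for the
# world-writable permissions the answer warns about, then apply the
# 0755/0644 layout it recommends. Function names, the demo tree and the
# owner/group arguments are placeholders chosen for this example.

# Print every path under $1 that "other" can write to (777 dirs, 666 files).
# The octal form of -perm (-0002 = o+w at least) works in GNU and BSD find.
find_world_writable() {
    find "$1" -perm -0002 -print
}

# Count world-writable entries under $1 (0 means the tree is clean).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Return 0 if $1 has exactly the octal mode $2 (e.g. 0755), 1 otherwise.
# -prune stops find from descending, so only $1 itself is tested.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}

# Apply the layout from the answer: 0755 on directories, 0644 on files.
# Optional $2/$3 chown the tree to a developer account and the web server's
# group (e.g. "marco" and "www-data"); skipped when empty so the function
# also runs without root.
harden_webroot() {
    dir=$1; owner=${2:-}; group=${3:-}
    find "$dir" -type d -exec chmod 0755 {} +
    find "$dir" -type f -exec chmod 0644 {} +
    if [ -n "$owner" ] && [ -n "$group" ]; then
        chown -R "$owner:$group" "$dir"
    fi
}

# Build a throwaway tree with the "bad" permissions from the answer,
# audit it, harden it, and audit again. Returns the number of
# world-writable entries left after hardening (0 when hardening worked).
demo() {
    root=$(mktemp -d)
    mkdir "$root/site"
    printf '<?php echo "hi"; ?>\n' > "$root/site/index.php"
    chmod 0777 "$root/site"            # the "jackpot for anyone" directory
    chmod 0666 "$root/site/index.php"  # its "ugly cousin"
    echo "before: $(count_world_writable "$root") world-writable entries"
    harden_webroot "$root"
    left=$(count_world_writable "$root")
    echo "after:  $left world-writable entries"
    rm -rf "$root"
    return "$left"
}

demo
```

To audit a real web root, run `find_world_writable /var/www` and expect no output; to fix it, run `harden_webroot /var/www yourlogin www-data` as root. Note that 0644 still lets Apache read every file, which is what you want for a static site or PHP; if the application genuinely needs to write somewhere (uploads, a cache), give that one directory group write access for the web server's group rather than reaching for 777 on the whole tree.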
