VPS Security

**Evarest** · 03-12-2007, 03:10 PM

Hey All!

I'm wondering... Does it hurt your security if you set permissions to 777 for certain files & folders while being in ROOT?

For example, if i install Wordpress on my VPS, it says that i need to chmod certain files & folders to 777. However, need i be logged in as a limited user to do this properly?

Thanks in advance!

**JPC-Masood** · 03-12-2007, 03:31 PM

Yes, permission 777 is insecure, especially in a shared environment. Your vps is a shared environment if you have other users with hosting accounts.

**Evarest** · 03-12-2007, 03:35 PM

So i understand you correctly that if i only have access to this VPS, and its FTP accounts, it may not be too big a problem?

I have some domains running on it, and i use FTP to upload files to each of them. However, i do not plan to allow other users to access my VPS using FTP or whatever tool...

**Connie** · 03-12-2007, 03:37 PM

I'm not on VPS, but WP works fine at 755 on a shared server. Not sure why it would be any different on a VPS.

**JPC-Masood** · 03-12-2007, 03:56 PM

Originally Posted by Connie

I'm not on VPS, but WP works fine at 755 on a shared server. Not sure why it would be any different on a VPS.

Because shared servers have phpsuexec installed through cpanel, which allows all php scripts to run under your userid. So no world write permissions required.

In a stock php/apache setup (or most other control panels), all php scripts execute with the permission of web server user (typically nobody or apache or www). Hence world write permissions required for web server user to upload files/make changes to files there.

**JPC-Masood** · 03-12-2007, 04:04 PM

Originally Posted by Evarest

So i understand you correctly that if i only have access to this VPS, and its FTP accounts, it may not be too big a problem?

Yes, not a big problem.

The only other problem you could face is if one account has remotely exploitable web application and the hacker uses it for entry to your vps and uploads malicious files in other account under that 777 permission folder, then it is pretty difficult to track down the source of abuse. So if you keep all your accounts secure by following the security guidlelines: Tips on Web Security you should be fine.

**Evarest** · 03-12-2007, 05:40 PM

Originally Posted by JPC-Masood

In a stock php/apache setup (or most other control panels), all php scripts execute with the permission of web server user (typically nobody or apache or www). Hence world write permissions required for web server user to upload files/make changes to files there.

Thanks again for this! This makes it a bit more clear to me why i need to use this - at first sight - unsafe setting to make WP work on my VPS :-)

See you!

LinkBack

Thread Tools

Display

VPS Security

Bookmarks

Bookmarks

Posting Permissions