[Wylug-discuss] 777 access on an images directory

Mike Goodman mike.goodman at zen.co.uk
Fri Oct 12 17:36:44 BST 2007


Phil Driscoll wrote:
> On Friday 12 Oct 2007, Mike Goodman wrote:
>> Phil Driscoll wrote:
>>> The 777/execution bit was not the issue I was warning you about. The
>>> problem is that the application allows upload of files into a directory
>>> which is served up by the web server.
>> But isn't that then the case for any directory containing files served
>> up by the web server? Sorry to be thick, but isn't it the permissions
>> which control who can upload files?
> 
> Yes the permissions control which users can write files to a directory, but 
> under normal circumstances, there would be no mechanism in place for external 
> users to upload files to a web directory. However, in this instance, the PHP 
> script provides an upload form to allow files to be uploaded and written to a 
> directory which is then served up by the web server. In a securely designed 
> application, the web server would never have permission to write files into a 
> directory that it made directly available by http.
> 
> Cheers

The Bytemark forum contributor, final paragraph, wrote:
> the programs would still have to have the execute bit set for them individually, and you'd have to be in an environment that allows command execution (i.e. some kind of shell) for that to happen

Is that piffle? This is what I am failing to understand. Is it possible 
to make a file within the 777 directory execute, as Phil is saying, or 
not, as Will Parks avers? Indeed he explicitly states:
> You are thinking perhaps that setting the execute bit on directories means allowing users to run programs within that directory.  This is not the case

M
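
The design rule Phil states above (the web server should not have permission to write into a directory it serves over HTTP) can be checked mechanically. The following is an added example, not part of the original thread: it walks a document root and reports the directories a given account could create files in, judged only from the owner/group/other mode bits. ACLs and traversal of parent directories are ignored, and the function names and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile


def can_write_dir(st, uid, gids):
    """Classic Unix check for creating a file in a directory: the matching
    class (owner, group or other) needs both the write and the search bit.
    On a directory the x bit means "may traverse", not "may run programs"."""
    if uid == 0:
        return True  # root is not restricted by mode bits
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return st.st_mode & need == need


def audit_docroot(docroot, uid, gids):
    """Return sorted paths (relative to docroot) of directories that the
    account uid/gids, assumed to be the web server's, could write into."""
    gids = set(gids)
    findings = []
    for dirpath, _dirnames, _filenames in os.walk(docroot):
        if can_write_dir(os.stat(dirpath), uid, gids):
            findings.append(os.path.relpath(dirpath, docroot))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample tree: only "images" is mode 777.
    root = tempfile.mkdtemp()
    for name, mode in (("images", 0o777), ("css", 0o755)):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)
    os.chmod(root, 0o755)
    owner = os.stat(root)
    # Hypothetical web server account: neither the owner nor in the group.
    web_uid, web_gid = owner.st_uid + 1, owner.st_gid + 1
    for rel in audit_docroot(root, web_uid, [web_gid]):
        print("served and writable by web server account:", rel)
```

Any directory it reports is one where files written by the web server process would also be served back by it.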


