If there’s anything you take away from this blog post, it’s that chmod 0777 is EXTREMELY dangerous on web accessible directories and files!

So, what does that mean? Well, in Linux, you have users. Each user has fine grained control over their own stuff, and maybe stuff another user owns. A user may be part of a group. A group can have control over some files and directories.

chmod is a Linux command that specifies how much or how little access to a file or directory should be granted. Let’s start by looking at the ls -l output for a directory.

# cd ~ # the tilde represents the home directory for the logged in user.
# ls -l # ls is the list command, use it to see what's in a directory.  the -l provides more details.

The output would look something like this:

-rwxr-xr-x 1 jimbo sales 2651 Jul 2 2022 09:52 sales_consultants.txt
drwxrwxr-x 2 jimbo sales 160 Jun 9 2022 19:32 marketing_strategy

You may be asking yourself, “what the heck does this mean?” Well, today is your lucky day, because I’m going to tell you exactly what it means.

Column 1 has a bunch of dashes and letters. This will be covered in more depth later, but to put it simply, the first character is what kind of file it is (d is a directory, - is a file) and then the permissions associated with it.

Column 2 is the number of hard links. No need to worry about this now.

Column 3 is the owner (jimbo) and Column 4 is the group (sales).

Column 5 is the size of the file in bytes.

Column 6 is the date and time that it was last modified.

Column 7 is the file or directory name.

Let’s talk about that first column. After the - or d, the first three letters are the permissions for the owner. The first position is read permissions, and is represented by an r. If there’s a -, then you don’t have read permission. Next is w, and that is write/delete permissions. Finally, x means executable on a file or searchable on a directory. The next two sets of three follow the same pattern, r for read, w for write, and x for execute/search for the group and then for others, respectively.

There are a few ways to set the permissions for a file. Let’s say you want to allow executable permissions on a file called calculate_commissions.sh. We’ll say we want the owner’s group to be able to read and execute, but not write. We would use chmod g=rx calculate_commissions.sh. But if we want to open a directory to anyone to read, write, and search the directory, we could use chmod -R 0777 sales. To get a better understanding of the patterns to set file permissions, please look at the Sources below.

There is a temptation to not think about who should access what and just use 0777. This is a bad idea, especially if you’re on a webserver. 777 is not a lucky number, but will allow users that may be malicious to inject code into your server.
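To make the mapping between the rwx letters and the octal digits concrete, here is an added example that is not code from the original post: a small POSIX shell script that turns an ls -l mode string into the three-digit number chmod takes, and scans a listing for world-writable entries, which is exactly the 0777 problem described above. The listing it scans is constructed for the example, not taken from a real server.

```shell
#!/bin/sh
# Added example, not from the original post. Converts ls -l mode strings to
# the octal digits chmod takes and flags world-writable entries. POSIX sh only.
# The leading 0 in "0777" is the special-bits digit (setuid/setgid/sticky);
# this function emits the three rwx digits and treats s/t as x.

# mode_to_octal '-rwxr-xr-x'  ->  755
mode_to_octal() {
    perms=$(printf '%s' "$1" | cut -c2-10)   # drop the type character (- or d)
    result=""
    i=1
    while [ "$i" -le 9 ]; do
        triad=$(printf '%s' "$perms" | cut -c"$i-$((i + 2))")
        n=0
        case "$triad" in r??) n=$((n + 4)) ;; esac        # read    = 4
        case "$triad" in ?w?) n=$((n + 2)) ;; esac        # write   = 2
        case "$triad" in ??[xst]) n=$((n + 1)) ;; esac    # execute = 1
        result="$result$n"
        i=$((i + 3))
    done
    printf '%s\n' "$result"
}

# Exit 0 when the "others" triad (characters 8-10) carries w: anyone on the
# box, including the web server's own account, can modify the entry.
is_world_writable() {
    case "$1" in ????????w?) return 0 ;; *) return 1 ;; esac
}

# Read ls -l lines on stdin and report world-writable entries with their octal
# mode. Assumes names without spaces; the "total N" header line is ignored.
audit_listing() {
    while read -r mode _links _owner _group _size rest; do
        name=${rest##* }
        if is_world_writable "$mode"; then
            printf 'WORLD-WRITABLE %s %s\n' "$(mode_to_octal "$mode")" "$name"
        fi
    done
}

# Constructed listing for the example; on a real host you would run
#   ls -l /var/www/html | audit_listing
SAMPLE_LISTING='total 16
-rwxr-xr-x 1 jimbo sales 2651 Jul 2 2022 09:52 sales_consultants.txt
drwxrwxrwx 2 www-data www-data 4096 Jun 9 2022 19:32 uploads
-rw-rw-rw- 1 jimbo sales 812 Jun 9 2022 19:40 notes.txt
drwxr-xr-x 2 jimbo sales 4096 Jun 9 2022 19:32 marketing_strategy'

printf '%s\n' "$SAMPLE_LISTING" | audit_listing
```

Run against the sample it reports the uploads directory as 777 and notes.txt as 666; the two entries with a - in the "others" write position pass silently. Piping a real ls -l of the document root through audit_listing is a quick way to spot a careless chmod -R 0777 before someone else does.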

There is one more thing I want to say before I leave this topic (for now). It’s the Linux fine grained Access Control Lists. Let’s say you have a user that you want to be able to upload files to a web document root. In Ubuntu 22.04, this is /var/www/html. Let’s also say you don’t want to use the root user (good!) nor another admin to do so. Well, you can try uploading with a tool like FileZilla, but you will probably get a permissions error. Try Linux Access Control Lists. Use the getfacl and setfacl commands. These might not be installed by default, but apt install acl will do the trick.

Sources

Simple Tutorial on chmod

Wikipedia Page on chmod

An Introduction to Linux Access Control Lists (ACL)
