Pesky Permissions

Triple sevens! Most people visiting Vegas would wish for nothing more than to see this line up before their trip is over. It’s a good omen, a lucky number, and instills an emotional response from gambling addicts. On the other hand with a Linux server, it’s a dreadful thing to have sitting around. I’m talking about file and directory permissions, the venerable “777″ stands for a file or directory that anyone with access to the server gets access to. While it is commonly over-looked, it is important to be reminded about the perils of using this permission setting.

Many web apps’ installation tutorials state that you should never use these permission settings, however a few state that setting permissions to 777 is required to install the software in question. Insecure permissions are a serious threat on shared hosting servers and we have always taken steps to address this; we configure our web servers to run as your individual FTP/CGI user (and not a shared Apache web server user) and we also offer an “Enhanced Security” home directory lock-down which limits file access to only that specific user.

There are many alternatives present to address this as well – jailed environments are all the rage these days for locking down filesystem permissions. We have known and discussed this option for a while, however restricting user access in this way doesn’t fit well with our general preference to allow our customers the freedom to use their website in whatever way they see fit. The “Enhanced Security” option is our best solution for this. Although not a proper “jail” it will lock out all users from accessing your user’s home directory. If you do not share data between your users, this should be enabled for all of your FTP/SSH users.

Over the years this little permission setting has been ignored by many customers who were given the freedom to manage their sites however they pleased. And, coincidentally, not setting permissions to “777″ has been a security best practice ignored by some of the software packages that we’ve featured within our One-Click Installer as well.

We have historically locked down every server’s home directory (different than the “Enhanced Security” home directory lock down) which prevents one user from viewing other users’ home directory contents, and historically this has been good enough. Good enough is never translated as perfect though, we have started identifying a the new trend in attacks that specifically target insecure directory permissions, so now we have been compelled to step in and take action against this.

Automated security scans are going on right now checking for known backdoors and insecure code on every one of our customers’ sites. Keep an eye on your email inbox – we’ll be in touch if we find anything. We will identify insecure software, the bad permissions mentioned above and/or known malicious code on a customer sites, and we’ll then secure the directory permissions and send an email to let you know.

What you can do to help secure your sites’ files is make sure the “Enhanced Security” option for your individual FTP/SSH users is turned on. This will prevent any other FTP/SSH users (including your own account’s other FTP/SSH users) from accessing that user’s files. This is now on by default for all new users, and strongly recommended. Any customer with only one FTP/SSH user should have this option turned on.

If you can not setup the enhanced security option (possibly true if you share data between users) and you want to secure the permissions on your sites’ files yourself. Please feel free to run the following commands via SSH:

Warning: This is recommended for Advanced Users Only.

find $HOME -type d -perm 777 -exec chmod 755 {} \; -print
find $HOME -type f \( -perm 777 -o -perm 666 \) -exec chmod 644 {} \; -print

Thanks!