How to Safely Use Permission Settings

Triple sevens! Most people visiting Vegas would wish for nothing more than to see this line up before their trip is over. It’s a good omen, a lucky number, and instills an emotional response from gambling addicts.

On the other hand, with a Linux server, it’s a dreadful thing to have sitting around. That’s because “777” stands for a file or directory that anyone on the server can read, write, and execute (or, for a directory, list, enter, and modify). Yes, I’m talking about file and directory permissions.

While the danger of this permission setting is commonly overlooked, it is important to be reminded of the perils of using it. Let’s dig into the details.

Insecure Permissions and Shared Servers

Many web apps’ installation tutorials state that you should never use this permission setting; however, a few state that setting permissions to “777” is required to install the software in question. Insecure permissions are a serious threat on shared hosting servers, and at DreamHost, we’ve always taken steps to address this:

  • We configure our web servers to run as your individual FTP/CGI user and not a shared Apache web server user.
  • We also offer an Enhanced Security home directory lock-down which limits file access to only that specific user.

There are other ways to address this as well — jailed environments are all the rage these days for locking down filesystem permissions. We have known about and discussed this option for a while; however, restricting user access in this way doesn’t fit well with our general preference to allow our customers the freedom to use their website in whatever way they see fit.

The Enhanced Security option is our best solution for this. Although not a proper “jail,” it will lock all other users out of your home directory. If you do not share data between your users, this should be enabled for all of your FTP/SSH users.

Locking Down Permissions

Over the years this little permission setting has been ignored by many customers who were given the freedom to manage their sites however they pleased. And, coincidentally, not setting permissions to “777” is a security best practice that some of the software packages featured within our One-Click Installer have ignored as well.

In the past, we have locked down every server’s home directory (different from the “Enhanced Security” home directory lock-down), which prevents one user from viewing other users’ home directory contents, and, historically, this has been good enough.

Good enough isn’t perfect, though. We have started identifying a new trend in attacks that specifically target insecure directory permissions, so now we have been compelled to step in and take action against this.

Automated security scans are going on right now checking for known backdoors and insecure code on every customer site. Keep an eye on your email inbox; we’ll be in touch if we find anything. We will identify insecure software, the bad permissions mentioned above and/or known malicious code on a customer’s site, and we’ll then secure the directory permissions and send an email to let you know.

How You Can Protect Your Site

What you can do to help secure your sites’ files is make sure the “Enhanced Security” option for your individual FTP/SSH users is turned on. This will prevent any other FTP/SSH users (including your own account’s other FTP/SSH users) from accessing that user’s files. This is now on by default for all new users and strongly recommended. Any customer with only one FTP/SSH user should have this option turned on.

If you cannot set up the Enhanced Security option — for example, if you share data between users — and you want to secure the permissions on your sites’ files yourself, feel free to run the commands below via SSH. Warning: This is recommended for advanced users only.

# Directories set to exactly 777 become 755 (owner rwx, everyone else r-x); each changed path is printed
find "$HOME" -type d -perm 777 -exec chmod 755 {} \; -print

# Files set to exactly 777 or 666 become 644 (owner rw, everyone else read-only); each changed path is printed
find "$HOME" -type f \( -perm 777 -o -perm 666 \) -exec chmod 644 {} \; -print
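The two commands above only match modes that are exactly 777 or 666, so a 776 directory or a 662 file slips past them. The script below is an added example, not part of the original post: it uses `-perm -002` (any entry whose world-write bit is set) to find every world-writable file or directory, and clears only that bit with `chmod go-w` so that executable scripts keep their execute bit. The `make_sandbox` function builds a constructed test tree under a temporary directory so the audit can be tried safely before pointing it at a real home directory.

```shell
#!/bin/sh
# Added example: audit and fix world-writable entries below a directory.
# "-perm -002" matches when the "other" write bit is set, whatever the
# rest of the mode is (777, 776, 666, 662 ...), unlike the exact match
# done by "-perm 777".

# List every world-writable directory and file under $1, one path per line.
audit_world_writable() {
    find "$1" -type d -perm -002 -print
    find "$1" -type f -perm -002 -print
}

# Number of world-writable entries under $1 (printed to stdout).
count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# Remove the group and world write bits from every world-writable entry.
# 777 -> 755 and 666 -> 644, matching the post's targets, but a 775 script
# stays 755 and keeps its execute bit instead of being flattened to 644.
fix_world_writable() {
    find "$1" -type d -perm -002 -exec chmod go-w {} \; -print
    find "$1" -type f -perm -002 -exec chmod go-w {} \; -print
}

# Build a constructed sandbox tree (hypothetical names) and print its path:
#   open_dir/ (777) containing script.cgi (777), loose.txt (666),
#   and ok_dir/ (755) containing fine.txt (644) which must be left alone.
make_sandbox() {
    sb_root=$(mktemp -d)
    mkdir -p "$sb_root/open_dir" "$sb_root/ok_dir"
    : > "$sb_root/open_dir/script.cgi"
    : > "$sb_root/loose.txt"
    : > "$sb_root/ok_dir/fine.txt"
    chmod 777 "$sb_root/open_dir" "$sb_root/open_dir/script.cgi"
    chmod 666 "$sb_root/loose.txt"
    chmod 755 "$sb_root/ok_dir"
    chmod 644 "$sb_root/ok_dir/fine.txt"
    printf '%s\n' "$sb_root"
}
```

Run `audit_world_writable "$HOME"` first to review what would change, then `fix_world_writable "$HOME"` once you are happy with the list.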

About the Author: Robert R.