General Support: Security hole

In my experience it is different for every server. Some servers will let you set the permissions at 755, which is slightly more restrictive, and still work 100%. Most of the servers I have tried won't let Plogger do anything without 777, but the only way to find out is to try.

The only directories that need to be 777 are the ones Plogger will be writing too, the thumbnails directory and the images directory come to mind. The directory with important executable scripts can be permissioned normally.

Here is something I got from the Drupal forum:

As far as i understand it, *everyone* having permission doesn't include the average joe on the internet, but only everyone who has an account or access to that machine.

if the machine is:

* on a shared hosting solution
* has anon ftp access or a number of other entry points the general public can use
* is a workstation that many people log into

then 777 is a bad idea.

but if you've got a reasonably locked down dedicated server with no user accounts other than your own, 777 shouldn't pose any more security risk than anything else. there'd have to be some other vulnerability for a malicious user to take advantage of that, and at that point, the 777 permission is probably moot anyway.

Keep in mind that the Hacker got access through an obscure file inclusion vulnerability that has been since patched in the code. The simple fact of having a directory at 777 does not just give anybody read/write access to that directory, but if they have compromised the system through other means than this makes it easier to manipulate the installation once inside.

Please correct me if I'm wrong, I am definitely no Unix/Linux/BSD guru.